I am tagging it as a security issue since this can leak private subnet
information
** Information type changed from Public to Public Security
** Tags added: iptables masq nat security
** Description changed:
Hi,
Here is my setup:
eth0 ---\
- SERVER ---> eth1 ---> ppp0 (pppoe)
+ SERVER ---> eth1 ---> ppp0 (pppoe)
eth2 ---/
I have stripped the iptables config to the bare requirements for NAT:
+ (I have also tried this with just one MASQ statement - same result
+ Also - Source NAT - same result)
*nat
:PREROUTING ACCEPT [41024:3267406]
:INPUT ACCEPT [36053:2477434]
:OUTPUT ACCEPT [39588:2527196]
:POSTROUTING ACCEPT [39961:2568225]
-A POSTROUTING -s 192.168.4.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.5.0/24 -o ppp0 -j MASQUERADE
COMMIT
eth0 = 192.168.4.0/24
eth2 = 192.168.5.0/24
If I run "tcpdump -i ppp0 -n net 192.168.0.0/16" I do see packets
leaving ppp0, "unNAT'ed":
21:14:55.974633 IP 192.168.5.109.49458 > 17.152.19.51.443: Flags [F.], seq 1404846587, ack 269222910, win 16384, options [nop,nop,sack 1 {4381:5764}], length 0
21:14:56.990586 IP 192.168.5.109.49458 > 17.152.19.51.443: Flags [F.], seq 0, ack 1, win 16384, options [nop,nop,sack 1 {4381:5764}], length 0
21:14:58.713042 IP 192.168.5.109.49458 > 17.152.19.51.443: Flags [F.], seq 0, ack 1, win 16384, options [nop,nop,sack 1 {4381:5764}], length 0
21:15:02.258076 IP 192.168.5.109.49458 > 17.152.19.51.443: Flags [F.], seq 0, ack 1, win 16384, options [nop,nop,sack 1 {4381:5764}], length 0
21:17:13.711341 IP 192.168.5.109.49458 > 17.152.19.51.443: Flags [F.], seq 0, ack 1, win 16384, options [nop,nop,sack 1 {4381:5764}], length 0
I also can't access certain sites using https, like freelancer.com and
iTunes from my iphone (eth2 via wireless).
This used to work. In between I have upgraded to
linux-image-3.2.0-36-powerpc64-smp 3.2.0-36.57 and
linux-image-3.2.0-38-powerpc64-smp 3.2.0-38.59 and both seem to have the
issue.
I haven't back tracked the kernels to a working one yet - working on that
atm.
https://bugs.launchpad.net/bugs/1119174
Title:
IPTables on powerpc seems to "missing" NAT'ing packets
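
A check for the symptom reported above, as an added example (not part of the bug report or of any Ubuntu tooling): it reads the source networks from iptables-save style NAT rules and lists tcpdump lines from the WAN interface whose source address is still inside one of them. The rules and capture are constructed from values quoted in the report (the 203.0.113.7 and 192.168.4.20 packets are invented for contrast), and all function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input, modelled on the rules and capture quoted in the report.
RULES = """\
*nat
-A POSTROUTING -s 192.168.4.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.5.0/24 -o ppp0 -j MASQUERADE
COMMIT
"""
CAPTURE = """\
21:14:55.974633 IP 192.168.5.109.49458 > 17.152.19.51.443: Flags [F.], seq 1404846587, ack 269222910, win 16384, length 0
21:14:56.100000 IP 203.0.113.7.49460 > 17.152.19.51.443: Flags [S], seq 1, win 16384, length 0
21:14:56.990586 IP 192.168.5.109.49458 > 17.152.19.51.443: Flags [F.], seq 0, ack 1, win 16384, length 0
21:14:57.200000 IP 192.168.4.20.51000 > 17.152.19.51.443: Flags [R], seq 5, win 0, length 0
"""

# Assumes iptables-save ordering: -s before -o before -j.
RULE_RE = re.compile(r"-A POSTROUTING\b.*?-s (\S+).*?-o (\S+).*?-j (MASQUERADE|SNAT)\b")
PKT_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

def nat_sources(rules, wan_if):
    """Return the source networks that the nat table should rewrite on wan_if."""
    nets = []
    for line in rules.splitlines():
        m = RULE_RE.search(line)
        if m and m.group(2) == wan_if:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets

def find_leaks(capture, nets):
    """Return (time, src, dst, flags) for packets whose source is still pre-NAT."""
    leaks = []
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # wrapped continuation lines, non-TCP or non-IPv4 output
        src = ipaddress.ip_address(m.group(2))
        if any(src in net for net in nets):
            leaks.append((m.group(1), f"{src}:{m.group(3)}", f"{m.group(4)}:{m.group(5)}", m.group(6)))
    return leaks

def summarize(leaks):
    """Count leaked packets per (source address, TCP flags)."""
    return Counter((src.rsplit(":", 1)[0], flags) for _, src, _, flags in leaks)

if __name__ == "__main__":
    for key, n in sorted(summarize(find_leaks(CAPTURE, nat_sources(RULES, "ppp0"))).items()):
        print(key, n)
```

Grouping by TCP flags shows whether the unNAT'ed packets are confined to connection teardown (FIN/RST), as in the capture quoted in the report, or include new connections as well.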