Re: some packets going out from the wrong interface

To: debian-firewall@lists.debian.org
Subject: Re: some packets going out from the wrong interface
From: Jorge Salamero Sanz <bencer@cauterized.net>
Date: Fri, 26 Mar 2010 23:05:13 +0100
Message-id: <[🔎] 201003262305.13900.bencer@cauterized.net>
In-reply-to: <[🔎] 4BAD1E37.4070707@plouf.fr.eu.org>
References: <[🔎] 201003262048.15634.bencer@cauterized.net> <[🔎] 4BAD1E37.4070707@plouf.fr.eu.org>

On Friday 26 March 2010 21:51:03 Pascal Hambourg wrote:
> The nat chains see only the first packet of a NEW connection, so it is
> not the best place for logging. Try the mangle table instead.
> 
> Also, it appears that the routing policy is based on connection mark, so
> it relies on connection tracking. I suspect that these packets are
> considered in the INVALID state for whatever reason. When using
> connection tracking or stateful NAT, a good practice is to DROP packets
> in the INVALID state.

Yes, I've added that and still the same:
     
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        state INVALID 

And not log at all after adding:

 iptables -t mangle -A POSTROUTING -o eth1 -s 10.10.2.1 -j LOG --log-prefix 
"WRONG on eth1: "

 iptables -t mangle -A POSTROUTING -o eth2 -s 10.10.1.1 -j LOG --log-prefix 
"WRONG on eth2:
 
> 
> Could you provide a sample of these packets ?
> 

~# tcpdump -i eth1 -nnvvXSs 1514 src 10.10.1.1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1514 
bytes
23:02:33.323385 IP (tos 0x0, ttl 63, id 18034, offset 0, flags [DF], proto TCP 
(6), length 60) 10.10.1.1.49947 > 62.58.184.18.80: S, cksum 0xfb0b (correct), 
3035347871:3035347871(0) win 5840 <mss 1460,sackOK,timestamp 4294901980 
0,nop,wscale 1>
        0x0000:  4500 003c 4672 4000 3f06 f3f2 0a0a 0101  E..<Fr@.?.......
        0x0010:  3e3a b812 c31b 0050 b4eb bb9f 0000 0000  >:.....P........
        0x0020:  a002 16d0 fb0b 0000 0204 05b4 0402 080a  ................
        0x0030:  ffff 00dc 0000 0000 0103 0301            ............
23:02:37.190769 IP (tos 0x0, ttl 63, id 43811, offset 0, flags [DF], proto TCP 
(6), length 60) 10.10.1.1.55412 > 217.76.145.117.80: S, cksum 0xd98e 
(correct), 3011137784:3011137784(0) win 5840 <mss 1460,sackOK,timestamp 
4294902947 0,nop,wscale 1>
        0x0000:  4500 003c ab23 4000 3f06 1acc 0a0a 0101  E..<.#@.?.......
        0x0010:  d94c 9175 d874 0050 b37a 50f8 0000 0000  .L.u.t.P.zP.....
        0x0020:  a002 16d0 d98e 0000 0204 05b4 0402 080a  ................
        0x0030:  ffff 04a3 0000 0000 0103 0301            ............
23:02:39.322611 IP (tos 0x0, ttl 63, id 18035, offset 0, flags [DF], proto TCP 
(6), length 60) 10.10.1.1.49947 > 62.58.184.18.80: S, cksum 0xf52f (correct), 
3035347871:3035347871(0) win 5840 <mss 1460,sackOK,timestamp 4294903480 
0,nop,wscale 1>
        0x0000:  4500 003c 4673 4000 3f06 f3f1 0a0a 0101  E..<Fs@.?.......
        0x0010:  3e3a b812 c31b 0050 b4eb bb9f 0000 0000  >:.....P........
        0x0020:  a002 16d0 f52f 0000 0204 05b4 0402 080a  ...../..........
        0x0030:  ffff 06b8 0000 0000 0103 0301            ............

Reply to:

Follow-Ups:
- Re: some packets going out from the wrong interface
  - From: Jorge Salamero Sanz <bencer@cauterized.net>

References:
- some packets going out from the wrong interface
  - From: Jorge Salamero Sanz <bencer@cauterized.net>
- Re: some packets going out from the wrong interface
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>

Prev by Date: Re: some packets going out from the wrong interface
Next by Date: Re: some packets going out from the wrong interface
Previous by thread: Re: some packets going out from the wrong interface
Next by thread: Re: some packets going out from the wrong interface
Index(es):
- Date
- Thread