Upstream bug 39132 - Starting with 3.0.0-rc6, masquerading seems to be broken.
There is a bug in NAT masquerading that is recognized upstream:
https://bugzilla.kernel.org/show_bug.cgi?id=39132
I am able to repeat the above problem in the 3.0 kernel included in
Debian testing (linux-image-3.0.0-1-686-pae, 3.0.0-1). I have
reverted to linux-image-2.6.39-2-686-pae (2.6.39-3) for the time
being. I am certain that the problem started after rebooting into the
3.0 kernel for the first time a few days ago (previous uptime was 150+
days). The last message in the thread above, posted just a week ago,
suggests two possible patches to fix it.
Here's a demonstration of the problem. This doesn't happen
immediately upon boot; it takes some time before the behavior below
manifests.
tiferet:~# tcpdump -i eth1 -s0 -A net 192.168.0.0/24 and port not 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:08:27.459237 IP 192.168.0.64.52142 > vw-in-f99.1e100.net.www: Flags [F.], seq 1655428276, ack 2135287895, win 64350, length 0
E..(@.....~z...@J}qc...Pb....E.WP..^....
16:08:37.057666 IP 192.168.0.64.52142 > vw-in-f99.1e100.net.www: Flags [R.], seq 1, ack 1, win 0, length 0
E..(@.....~S...@J}qc...Pb....E.WP......
The above is me using a desktop on the LAN to try to hit Google. It
sure looks to me like packets with private addresses were being sent
out the public-facing interface.
tiferet:~# /sbin/ifconfig | grep -a1 ^e
eth0 Link encap:Ethernet HWaddr [omitted]
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
--
eth1 Link encap:Ethernet HWaddr [omitted]
inet addr:75.66.[xx.xx] Bcast:255.255.255.255 Mask:255.255.255.0
My iptables rules that control masquerading haven't changed in many months.
-A POSTROUTING -s 192.168.0.32/27 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.64 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.64/26 -o eth1 -m multiport -p udp --dport 53,123 -j MASQUERADE
-A POSTROUTING -s 192.168.0.64/26 -o eth1 -m multiport -p tcp --dport 22,80,119,443 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -p icmp -m icmp --icmp-type 8 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j LOG
--
Troy
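The symptom in the capture above (packets with a private source address going out the public-facing interface) can be checked mechanically instead of by eye. The following is an added example, not part of Troy's message or of the upstream bug report: a small POSIX shell/awk filter that reads tcpdump one-line summaries and reports every packet whose source is an RFC 1918 address, which on a masquerading router should never appear on the WAN side. It assumes tcpdump was run with -n so that addresses are numeric (the capture in the post was taken without -n, which is why the destination shows as a hostname). The sample capture lines, the addresses in them and the interface name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag NAT leaks in tcpdump output from the public-facing interface.
# Constructed sample of `tcpdump -n -i eth1` summary lines (not taken from the post);
# 75.66.1.2 stands in for the router's public address.
SAMPLE_CAPTURE='16:08:27.459237 IP 192.168.0.64.52142 > 74.125.226.99.80: Flags [F.], seq 1655428276, ack 2135287895, win 64350, length 0
16:08:27.512000 IP 75.66.1.2.40001 > 74.125.226.99.80: Flags [S], seq 1, win 29200, length 0
16:08:30.000000 IP 10.0.0.5.123 > 132.163.96.1.123: NTPv4, Client, length 48
16:08:31.000000 IP 172.20.1.9.40002 > 8.8.8.8.53: 12345+ A? example.com. (29)
16:08:32.000000 IP 172.32.0.1.40003 > 8.8.8.8.53: 12346+ A? example.com. (29)
16:08:33.000000 IP 75.66.1.2 > 74.125.226.99: ICMP echo request, id 1, seq 1, length 64
16:08:34.000000 IP 192.168.0.64 > 74.125.226.99: ICMP echo request, id 2, seq 1, length 64'

# Print each IPv4 summary line whose source address is in 10/8, 172.16/12 or 192.168/16.
# Reads tcpdump -n output from stdin. TCP/UDP lines carry "host.port" (5 dotted fields);
# ICMP lines carry a bare host (4 fields). Non-"IP" lines (ARP, IP6) are skipped.
find_nat_leaks() {
    awk '
        $2 == "IP" {
            n = split($3, a, ".")
            if (n != 4 && n != 5) next
            o1 = a[1] + 0; o2 = a[2] + 0
            if (o1 == 10 || (o1 == 172 && o2 >= 16 && o2 <= 31) || (o1 == 192 && o2 == 168))
                print
        }'
}

# Number of leaked packets on stdin; a non-zero result is what a cron check would alert on.
count_nat_leaks() {
    find_nat_leaks | wc -l | tr -d " "
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | find_nat_leaks
```

Against a live box the same filter runs as `tcpdump -n -l -i eth1 ip | find_nat_leaks` (the -l keeps the pipe line-buffered). Note that 172.32.0.1 in the sample is deliberately outside 172.16/12 and is not reported; the check matches only the three RFC 1918 blocks. A hit means the packet left the interface without its source being rewritten, which is exactly what the -j LOG rule at the end of the POSTROUTING chain in the post would record for traffic that matched none of the MASQUERADE rules, so comparing the two outputs tells you whether the packet skipped the rules or was matched and still not translated.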