bind and address rewriting
Hello Phil,
PB> > the UDP packet is masqueraded
PB> > correctly and triggers the PPP dial-out to my ISP. But
PB> > finally, the UDP packet gets dropped out there because no
PB> > address rewriting is done for UDP packets
PB> If no address rewriting is done you need to check your ipchains
PB> rules.
Hm, AFAIK there is only address rewriting for TCP packets with SYN set, or
am I wrong here? Address rewriting works perfectly with my configuration
for TCP packets with SYN bit set (see below).
PB> Can you post them here?
Hm, there is nothing very critical about them, so I can do that. I hope
nobody minds this lengthy posting.
'localnet' is my local network, which host 'gateway' connects to the
internet. 'nameserver' is the nameserver of my ISP.
'100.100.100.1' is the actual dynamic IP address of the ippp interface
(the firewall rules are updated to match the actual dynamic addresses each
time the link comes up with an ip-up script).
Those chains "Cx" which the built-in chains branch to are for accepting
selected TCP and ICMP packets from localnet to gateway, and from the
internet to gateway, resp. (Simple packet forwarding using kernel IP
masquerading is only done for those UDP connections with 'nameserver'.)
--------------------------------- Schnipp! -------------------------------
Chain input (policy DENY: 0 packets, 0 bytes):
target prot opt ifname source destination ports
C1 all ------ eth0 localnet/24 gateway n/a
C7 all ------ ippp0 anywhere 100.100.100.1 n/a
ACCEPT udp ----l- eth0 localnet/24 nameserver 1024:65535 -> domain
ACCEPT udp ----l- ippp0 nameserver 100.100.100.1 domain -> 1024:65535
DENY all ----l- any anywhere anywhere n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
target prot opt ifname source destination ports
MASQ udp ----l- ippp0 localnet/24 nameserver 1024:65535 -> domain
DENY all ----l- any anywhere anywhere n/a
Chain output (policy DENY: 0 packets, 0 bytes):
target prot opt ifname source destination ports
C3 all ------ eth0 gateway localnet/24 n/a
C5 all ------ ippp0 100.100.100.1 anywhere n/a
ACCEPT udp ----l- ippp0 100.100.100.1 nameserver 1024:65535 -> domain
ACCEPT udp ----l- eth0 nameserver localnet/24 domain -> 1024:65535
DENY all ----l- any anywhere anywhere n/a
--------------------------------------------------------------------------
Here is some debug output.
181.119.93.94 is the nameserver of my ISP.
10.20.30.* is my local net.
This is a dialup triggered by a TCP packet. One can see that address
rewriting works:
--------------------------------- Schnipp! -------------------------------
Oct 3 14:15:13 gateway kernel: Packet log: output - ippp0 PROTO=6
181.120.8.51:1687 XX.XX.XX.XX:80 L=60 S=0x00 I=8225 F=0x0000 T=64
SYN (#1)
Oct 3 14:15:13 gateway kernel: ippp0: dialing 1 0191011...
Oct 3 14:15:15 gateway ipppd[169]: Remote message:
Oct 3 14:15:15 gateway ipppd[169]: MPPP negotiation, He: No We: No
Oct 3 14:15:15 gateway ipppd[169]: local IP address 183.113.37.180
Oct 3 14:15:15 gateway ipppd[169]: remote IP address 183.22.65.43
Oct 3 14:15:16 gateway kernel: tcp_v4_rebuild_header(): shifting sk->saddr
from 181.120.8.51 to 183.113.37.180
Oct 3 14:15:22 gateway kernel: Packet log: output - ippp0 PROTO=6
183.113.37.180:1687 XX.XX.XX.XX:80 L=60 S=0x00 I=8227 F=0x0000 T=64
SYN (#1)
[...]
Oct 3 14:16:37 gateway ipppd[169]: Modem hangup
Oct 3 14:16:37 gateway ipppd[169]: Connection terminated.
--------------------------------------------------------------------------
Later, a forwarding request from bind from the internal network triggers
the next dialout, but no address rewriting takes place. In particular, it
seems that the UDP packet has successfully made its way across ippp0,
since there is no more log entry (all UDP packets would have been logged
in this configuration):
--------------------------------- Schnipp! -------------------------------
Oct 3 14:51:46 gateway kernel: Packet log: input ACCEPT eth0 PROTO=17
10.20.30.200:1038 181.119.93.94:53 L=56 S=0x00 I=4922 F=0x0000 T=64
(#4)
Oct 3 14:51:46 gateway kernel: Packet log: forward MASQ ippp0 PROTO=17
10.20.30.200:1038 181.119.93.94:53 L=56 S=0x00 I=4922 F=0x0000 T=63
(#2)
Oct 3 14:51:46 gateway kernel: Packet log: output ACCEPT ippp0 PROTO=17
183.113.37.180:61033 181.119.93.94:53 L=56 S=0x00 I=4922 F=0x0000 T=63
(#4)
Oct 3 14:51:46 gateway kernel: ippp0: dialing 1 0191011...
Oct 3 14:51:48 gateway ipppd[169]: Remote message:
Oct 3 14:51:48 gateway ipppd[169]: MPPP negotiation, He: No We: No
Oct 3 14:51:48 gateway ipppd[169]: local IP address 181.120.8.211
Oct 3 14:51:48 gateway ipppd[169]: remote IP address 183.22.65.41
[nothing happens here until I start the call to 'nslookup' again:]
Oct 3 14:52:07 gateway kernel: Packet log: input ACCEPT eth0 PROTO=17
10.20.30.200:1038 181.119.93.94:53 L=56 S=0x00 I=4929 F=0x0000 T=64
(#4)
Oct 3 14:52:07 gateway kernel: Packet log: forward MASQ ippp0 PROTO=17
10.20.30.200:1038 181.119.93.94:53 L=56 S=0x00 I=4929 F=0x0000 T=63
(#2)
Oct 3 14:52:07 gateway kernel: Packet log: output ACCEPT ippp0 PROTO=17
181.120.8.211:61034 181.119.93.94:53 L=56 S=0x00 I=4929 F=0x0000 T=63
(#4)
Oct 3 14:52:07 gateway kernel: Packet log: input ACCEPT ippp0 PROTO=17
181.119.93.94:53 181.120.8.211:61034 L=132 S=0x00 I=14087 F=0x4000 T=252
(#5)
Oct 3 14:52:07 gateway kernel: Packet log: output ACCEPT eth0 PROTO=17
181.119.93.94:53 10.20.30.200:1038 L=132 S=0x00 I=14087 F=0x4000 T=251
(#5)
--------------------------------------------------------------------------
Greetings, Thomas
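The symptom in the logs above is a packet that leaves ippp0 before ipppd has assigned the new dynamic address, so it still carries the address of the previous session (TCP recovers via tcp_v4_rebuild_header, the masqueraded UDP query does not). The following script is an added example, not code from the post or from the ipchains or isdn4linux projects: it replays syslog lines in order, tracks the address ipppd last reported for the interface and whether the link is up, and flags every packet logged on the output chain for that interface whose source address is stale. The sample lines are constructed and modelled on the entries quoted above; 192.0.2.80 is a stand-in for the web server address the post elides as XX.XX.XX.XX. The log line shapes the regexes expect are the ones quoted in the post and are assumed to be stable.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Syslog prefix as quoted in the post: "Mon D HH:MM:SS host <rest>".
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+(?P<rest>.*)$")
# ipchains packet log: "Packet log: <chain> <target> <ifname> PROTO=<n> src:sport dst:dport ..."
PACKET_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<ifname>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)
# ipppd lines marking the link coming up with an address, and the link going down.
LOCAL_IP_RE = re.compile(r"ipppd\[\d+\]: local IP address (?P<ip>\d+(?:\.\d+){3})")
LINK_DOWN_RE = re.compile(r"ipppd\[\d+\]: (Modem hangup|Connection terminated\.)")


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    proto: int
    reason: str            # "link_down": sent before ipppd assigned an address
                           # "stale_address": link up, but source != current address
    last_ip: Optional[str]  # address ipppd last reported (None if none seen yet)


def audit_ippp_egress(lines: Iterable[str], iface: str = "ippp0") -> List[Finding]:
    """Replay syslog lines chronologically and report packets that left `iface`
    carrying an address other than the one ipppd currently holds for it."""
    current_ip: Optional[str] = None
    link_up = False
    findings: List[Finding] = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, rest = m.group("ts"), m.group("rest")
        lm = LOCAL_IP_RE.search(rest)
        if lm:
            current_ip, link_up = lm.group("ip"), True
            continue
        if LINK_DOWN_RE.search(rest):
            link_up = False
            continue
        pm = PACKET_RE.search(rest)
        # Only packets actually leaving the dial-up interface matter here;
        # the forward/MASQ entry still shows the pre-rewrite internal address.
        if not pm or pm.group("chain") != "output" or pm.group("ifname") != iface:
            continue
        src, dst, proto = pm.group("src"), pm.group("dst"), int(pm.group("proto"))
        if not link_up:
            findings.append(Finding(ts, src, dst, proto, "link_down", current_ip))
        elif src != current_ip:
            findings.append(Finding(ts, src, dst, proto, "stale_address", current_ip))
    return findings


# Constructed sample, modelled on the post's two dial-out sessions (TCP first, then UDP DNS).
SAMPLE_LOG = [
    "Oct 3 14:15:13 gateway kernel: Packet log: output - ippp0 PROTO=6 181.120.8.51:1687 192.0.2.80:80 L=60 S=0x00 I=8225 F=0x0000 T=64 SYN (#1)",
    "Oct 3 14:15:13 gateway kernel: ippp0: dialing 1 0191011...",
    "Oct 3 14:15:15 gateway ipppd[169]: local IP address 183.113.37.180",
    "Oct 3 14:15:22 gateway kernel: Packet log: output - ippp0 PROTO=6 183.113.37.180:1687 192.0.2.80:80 L=60 S=0x00 I=8227 F=0x0000 T=64 SYN (#1)",
    "Oct 3 14:16:37 gateway ipppd[169]: Modem hangup",
    "Oct 3 14:16:37 gateway ipppd[169]: Connection terminated.",
    "Oct 3 14:51:46 gateway kernel: Packet log: forward MASQ ippp0 PROTO=17 10.20.30.200:1038 181.119.93.94:53 L=56 S=0x00 I=4922 F=0x0000 T=63 (#2)",
    "Oct 3 14:51:46 gateway kernel: Packet log: output ACCEPT ippp0 PROTO=17 183.113.37.180:61033 181.119.93.94:53 L=56 S=0x00 I=4922 F=0x0000 T=63 (#4)",
    "Oct 3 14:51:48 gateway ipppd[169]: local IP address 181.120.8.211",
    "Oct 3 14:52:07 gateway kernel: Packet log: output ACCEPT ippp0 PROTO=17 181.120.8.211:61034 181.119.93.94:53 L=56 S=0x00 I=4929 F=0x0000 T=63 (#4)",
    "Oct 3 14:52:07 gateway kernel: Packet log: input ACCEPT ippp0 PROTO=17 181.119.93.94:53 181.120.8.211:61034 L=132 S=0x00 I=14087 F=0x4000 T=252 (#5)",
]


if __name__ == "__main__":
    for f in audit_ippp_egress(SAMPLE_LOG):
        print(f"{f.ts} proto={f.proto} {f.src} -> {f.dst}: {f.reason} (ipppd last reported {f.last_ip})")
```

Run against the sample it reports two packets: the TCP SYN at 14:15:13 and the masqueraded DNS query at 14:51:46, both sent while the link was down. The TCP one is harmless because the retransmission at 14:15:22 carries the new address, which is why only the UDP case shows up as a lost query; feeding the real /var/log/messages to the function is a quick way to confirm the diagnosis on another box.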