bugzilla-daemon@bugzilla.netfilter.org
2007-Mar-14 20:02 UTC
[Bug 554] New: Packet illegally bypassing SNAT
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=554

           Summary: Packet illegally bypassing SNAT
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: NAT
        AssignedTo: laforge@netfilter.org
        ReportedBy: renean@gmx.de

I have a router. To the outside world I have to do NAT. All packets going over the external interface are being SNATed by the one and only rule in the POSTROUTING chain (see below). What happens is that some packets from my internal net somehow bypass that NAT and go out with their internal addresses (${SOURCE}). My ISP informed me about that.

It seems that applications spawning many connections trigger that problem. I observed it by using bittorrent with many open connections. But it also occurred once during normal usage of a browser. My ISP told me that this problem is not new to him, that some people also using linux-based routers, all with SNAT, have it too.

Affected kernels:
  2.6.9  (tested)
  2.6.12 (tested)
  2.6.14 (tested)
  2.6.15 (tested)
  2.6.18 (tested)
  2.6.19 (heard)
  2.6.20 (tested)
Kernels not listed (in between) were not tested or heard of, but it is strongly assumed they are affected too.

Not affected:
  2.4.34 (tested)
  2.6.8  (tested)

So it seems that this problem was introduced in 2.6.9.

I further tested appending a DROP rule after the SNAT in the POSTROUTING chain, but that didn't solve the problem either. The wrong packets can be monitored by using tcpdump (see reproduction).

Reproduction:

From my internal computer (${SOURCE}) I scanned an external computer ${VICTIM} (willingly), command is:

  nmap -sX ${VICTIM}

On my router I had the command:

  tcpdump -v -i ${EXTERNAL_INTERFACE} src net ${SOURCENET}

Rules in use:

  iptables -t nat -F
  iptables -F FORWARD
  iptables -t nat -A POSTROUTING -o ${EXTERNAL_INTERFACE} -j SNAT --to-source ${EXTERNAL_IP}

Forwarding was enabled _after_ installing the iptables rules.
I think that an unusual combination of flags causes that problem, and since "nmap -sX" is all flags on, it is unusual enough to trigger the problem. But as said above, it also happens during normal usage.

Instead of the SNAT rule I also tried:

  iptables -t nat -A POSTROUTING -o ${EXTERNAL_INTERFACE} -j DROP

and no packet got through; from that I conclude that the packets go through the POSTROUTING chain, thus SNAT must somehow be broken (as a DROP after SNAT did not drop any packets, see above).
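The reporter's reproduction watches the external interface with tcpdump for packets that still carry an internal source address, and suspects that unusual TCP flag combinations (nmap -sX sets FIN, PSH and URG) are what slip past the SNAT rule. The script below is an added example, not code from the bug report or from the netfilter project: it parses `tcpdump -n` output (one line per packet, i.e. without the `-v` used above), lists every packet whose source is still inside the internal net, and tallies those leaks by TCP flag string so the flag hypothesis can be checked against a real capture. The capture lines and addresses in it are constructed; 192.168.1.0/24 stands in for ${SOURCENET} and 198.51.100.7 for ${EXTERNAL_IP}.

```python
"""Check a tcpdump capture for packets that left the external interface
without being SNATed.  Added example, not part of the bug report; the
capture lines below are constructed and the addresses are made up."""
import ipaddress
import re
from collections import Counter

# Matches IPv4 TCP lines as printed by `tcpdump -n` (no -v, so the
# per-packet header stays on one line), e.g.
#   20:02:01.000123 IP 192.168.1.10.40001 > 203.0.113.5.22: Flags [FPU], ...
# UDP/ICMP lines carry no "Flags [...]" field and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for a TCP capture line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["src"] = ipaddress.ip_address(pkt["src"])
    pkt["dst"] = ipaddress.ip_address(pkt["dst"])
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def leaked_packets(lines, internal_net):
    """Packets whose source address is still inside internal_net.

    With the POSTROUTING SNAT rule working, every packet seen on the
    external interface should carry the external IP as its source, so any
    hit here is a packet that bypassed NAT.
    """
    net = ipaddress.ip_network(internal_net)
    leaked = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None and pkt["src"] in net:
            leaked.append(pkt)
    return leaked


def flags_histogram(packets):
    """Count leaked packets by TCP flag string, to test the hypothesis that
    unusual flag combinations (nmap -sX = FIN/PSH/URG, shown by tcpdump as
    [FPU]) are what slip past the SNAT rule."""
    return Counter(pkt["flags"] for pkt in packets)


# Constructed capture: 192.168.1.0/24 stands in for the internal net,
# 198.51.100.7 for ${EXTERNAL_IP}, 203.0.113.x for scanned hosts.
SAMPLE_CAPTURE = """\
20:02:01.000001 IP 198.51.100.7.51000 > 203.0.113.5.80: Flags [S], seq 1, win 1024, length 0
20:02:01.000123 IP 192.168.1.10.40001 > 203.0.113.5.22: Flags [FPU], seq 0, win 1024, length 0
20:02:01.000456 IP 192.168.1.10.40002 > 203.0.113.5.25: Flags [FPU], seq 0, win 1024, length 0
20:02:01.000789 IP 192.168.1.10.40003 > 203.0.113.5.80: Flags [S], seq 2, win 1024, length 0
20:02:02.000000 IP 198.51.100.7.51001 > 203.0.113.9.443: Flags [P.], seq 1:10, ack 1, win 1024, length 9
20:02:02.000500 IP 192.168.1.10.40004 > 203.0.113.5.53: UDP, length 32
"""


def main():
    leaked = leaked_packets(SAMPLE_CAPTURE.splitlines(), "192.168.1.0/24")
    print(f"{len(leaked)} un-NATed packet(s) on the external interface")
    for flags, count in flags_histogram(leaked).most_common():
        print(f"  flags [{flags}]: {count}")


if __name__ == "__main__":
    main()
```

On a real router the input would be `tcpdump -n -i ${EXTERNAL_INTERFACE} src net ${SOURCENET}` piped into the script; without the `src net` filter the same code still works, since `leaked_packets` applies the internal-net test itself, which is useful when you also want the NATed packets in the capture for comparison.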