bugzilla-daemon@bugzilla.netfilter.org
2007-Apr-17 05:04 UTC
[Bug 554] Packet illegally bypassing SNAT
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=554

------- Additional Comments From fhagur@gmail.com 2007-04-17 05:04 MET -------

I have been wondering about this bug and had similar problems myself here in my Debian system, linux-kernel 2.6.18, iptables 1.3.6. I too saw that some packets were transmitted illegally through the ppp0 interface, when they just shouldn't.

What I did was to clamp the MSS - Max Segment Size. It's a known thing, and since the adoption of the newest internet routers the acceptance of long packets is ok and they do transmit then. Actually the packets are not illegal for the newest routers and servers (like apache), but the oldest and not so featured ones (IIS, old Cisco routers, etc.) don't like it and don't reply to your requests correctly, trying strange behaviours like checking arp addresses on the Internet for your internal NAT'ed NICs.

So, go to your ppp/eth device connected to the Internet and clamp MSS to a value such as 1412. In Debian (and maybe other *nix'es) you can do it this way:

pty pppoe -I eth0 -T80 -m 1412

Since eth0 is your _internal_ network and you should clamp their packets.

Flavio H. A. Gurgel
Brazil

--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon@bugzilla.netfilter.org
2007-Apr-25 15:38 UTC
[Bug 554] Packet illegally bypassing SNAT
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=554

------- Additional Comments From neo@horse21.net 2007-04-25 15:38 MET -------

It seems to me that I have the same source of problem. I have a linux router with BGP support using quagga. I have 3 independent providers. Interfaces for them are:

inet-1
inet-2
inet-3

Rules in postrouting:

iptables -t nat -A POSTROUTING -o inet-1 -j snat-bgp
iptables -t nat -A POSTROUTING -o inet-2 -j snat-bgp
iptables -t nat -A POSTROUTING -o inet-3 -j snat-bgp

So all snat rules are in the same snat-bgp table. Everything works fine for DNAT, but for SNAT there is a problem. It (SNAT) stops working after a routing change (outgoing interface change). I need to restart my firewall script (nothing changes). And everything is fine again. I can't understand this situation.

Any help appreciated. You can contact me by the neo -=at=- horse21.net e-address.
bugzilla-daemon@bugzilla.netfilter.org
2007-May-02 07:38 UTC
[Bug 554] Packet illegally bypassing SNAT
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=554

------- Additional Comments From renean@gmx.de 2007-05-02 07:38 MET -------

I think the problem you describe has nothing to do with mine. I have only one ISP at my machine. The environment before and after my router is ethernet. I reproduced it using only internal traffic in my home ethernet.

After some research I came along some kernel patches. It seems that reset packets now do not establish a new entry in conntrack. Without that entry INVALID packets reach the SNAT and get through it.

For fast reproduction without nmap-tricks it is possible to simply download something really small with bittorrent. Under this condition many packets hitting that criteria are generated and (without the hotfix) pass through the router unNATed.
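As an added example that is not part of the bug report, the script below puts the two defensive measures discussed in this thread side by side: the MSS clamp from the first comment (done here with the netfilter TCPMSS target instead of pppoe -m 1412) and a filter rule that drops conntrack-INVALID packets so they can never be forwarded unNATed, which is the failure mode the comment above describes. The interface names and the snat-bgp chain are taken from the thread; the SNAT address 192.0.2.1 is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the bug report. Interface names inet-1..inet-3
# and the snat-bgp chain come from the thread; 192.0.2.1 is a constructed
# placeholder for the SNAT address.
#
# Why the INVALID drop matters: SNAT is decided when a connection's first
# packet creates its conntrack entry. A packet conntrack cannot map to any
# flow (state INVALID, e.g. a stray TCP RST) never gets a NAT binding, so it
# skips the nat table and is forwarded with its private source address
# unchanged. filter/FORWARD is traversed before nat/POSTROUTING, so dropping
# INVALID there closes that path; the LOG rule shows how often it triggers.

SNAT_ADDR="192.0.2.1"              # constructed placeholder
WAN_IFACES="inet-1 inet-2 inet-3"  # provider interfaces named in the thread

# Emit the ruleset instead of applying it, so it can be reviewed or diffed
# first. Install with:  sh thisfile.sh print | sudo sh
build_rules() {
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix 'FWD-INVALID: '"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    for i in $WAN_IFACES; do
        # MSS clamping done in netfilter rather than via pppoe -m 1412.
        echo "iptables -t mangle -A FORWARD -o $i -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
    done
    # One shared SNAT chain hooked from every provider interface, as in the thread.
    echo "iptables -t nat -N snat-bgp"
    echo "iptables -t nat -A snat-bgp -j SNAT --to-source $SNAT_ADDR"
    for i in $WAN_IFACES; do
        echo "iptables -t nat -A POSTROUTING -o $i -j snat-bgp"
    done
}

# Self-check: the INVALID drop is present and every WAN interface gets both
# an MSS clamp and a SNAT hook. Returns 0 when the ruleset is complete.
verify_rules() {
    out=$(build_rules)
    printf '%s\n' "$out" | grep -q -- '--ctstate INVALID -j DROP' || return 1
    for i in $WAN_IFACES; do
        printf '%s\n' "$out" | grep -q -- "-o $i -p tcp.*TCPMSS" || return 1
        printf '%s\n' "$out" | grep -q -- "-o $i -j snat-bgp" || return 1
    done
    return 0
}

case "${1:-}" in
    print) build_rules ;;
esac
```

Watching the kernel log for the FWD-INVALID prefix while reproducing with the small bittorrent download mentioned above shows whether the leaked packets are indeed the ones conntrack classifies as INVALID.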
bugzilla-daemon@bugzilla.netfilter.org
2007-May-02 20:00 UTC
[Bug 554] Packet illegally bypassing SNAT
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=554

------- Additional Comments From kaber@trash.net 2007-05-02 20:00 MET -------

Please post the patch you're using.