Interesting iptables problem

Ed McLain
Guest
Posts: n/a

01-21-2005, 04:34 PM
Hey all, I've been working on trying to get an ipsec tunnel to work
through a linux gateway using either masquerade or snat. What is really
confusing me here is that *sometimes* it does what it is supposed to do,
and sometimes it doesn't. My setup is as follows:

vpn appliance (wan) -> (eth2) router (eth1) -> Internet (T1)
      (lan)                 (eth0)
        |                     |
        --------------------- 48 Port Switch

Local lan and vpn appliance wan are on a 10.1.2.0/24 network
VPN appliance WAN and router eth2 are on a 169.254.1.0/30 network

The router is doing NAT (Masquerade) on both the 10. and 169. networks
accordingly.

I wrote this small script to see what was happening:

#!/bin/bash

iptables -I INPUT 1 -p 50 -j LOG --log-prefix 'filter-input-esp ' --log-level 1
iptables -I FORWARD 1 -p 50 -j LOG --log-prefix 'filter-forward-esp ' --log-level 1
iptables -A OUTPUT -p 50 -j LOG --log-prefix 'filter-output-esp ' --log-level 1
iptables -t nat -I PREROUTING 1 -p 50 -j LOG --log-prefix 'nat-preroute-esp ' --log-level 1
iptables -t nat -I POSTROUTING 1 -p 50 -j LOG --log-prefix 'nat-postroute-esp ' --log-level 1
iptables -t nat -I OUTPUT 1 -p 50 -j LOG --log-prefix 'nat-output-esp ' --log-level 1
iptables -t mangle -I INPUT 1 -p 50 -j LOG --log-prefix 'mangle-input-esp ' --log-level 1
iptables -t mangle -I PREROUTING 1 -p 50 -j LOG --log-prefix 'mangle-preroute-esp ' --log-level 1
iptables -t mangle -I FORWARD 1 -p 50 -j LOG --log-prefix 'mangle-forward-esp ' --log-level 1
iptables -t mangle -I OUTPUT 1 -p 50 -j LOG --log-prefix 'mangle-output-esp ' --log-level 1
iptables -t mangle -I POSTROUTING 1 -p 50 -j LOG --log-prefix 'mangle-postroute-esp ' --log-level 1
iptables -t raw -I PREROUTING 1 -p 50 -j LOG --log-prefix 'raw-preroute-esp ' --log-level 1
iptables -t raw -I OUTPUT 1 -p 50 -j LOG --log-prefix 'raw-output-esp ' --log-level 1

and here is what I got out:
# First Ping
Jan 21 12:26:02 hsskw kernel: raw-preroute-esp IN=eth2 OUT=
MAC=00:40:f4:23:0c:00:00:11:f9:3a:c1:4c:08:00 SRC=169.254.1.2
DST=ENDPOINT LEN=152 TOS=0x00 PREC=0x00 TTL=255 ID=4893 PROTO=ESP
SPI=0x638d8e8d

Jan 21 12:26:02 hsskw kernel: mangle-preroute-esp IN=eth2
OUT= MAC=00:40:f4:23:0c:00:00:11:f9:3a:c1:4c:08:00 SRC=169.254.1.2
DST=ENDPOINT LEN=152 TOS=0x00 PREC=0x00 TTL=255 ID=4893 PROTO=ESP
SPI=0x638d8e8d

Jan 21 12:26:02 hsskw kernel: nat-preroute-esp IN=eth2 OUT=
MAC=00:40:f4:23:0c:00:00:11:f9:3a:c1:4c:08:00 SRC=169.254.1.2
DST=ENDPOINT LEN=152 TOS=0x00 PREC=0x00 TTL=255 ID=4893 PROTO=ESP
SPI=0x638d8e8d

Jan 21 12:26:02 hsskw kernel: mangle-forward-esp IN=eth2
OUT=eth1 SRC=169.254.1.2 DST=ENDPOINT LEN=152 TOS=0x00 PREC=0x00
TTL=254 ID=4893 PROTO=ESP SPI=0x638d8e8d

Jan 21 12:26:02 hsskw kernel: filter-forward-esp IN=eth2 OUT=eth1
SRC=169.254.1.2 DST=ENDPOINT LEN=152 TOS=0x00 PREC=0x00 TTL=254
ID=4893 PROTO=ESP SPI=0x638d8e8d

Jan 21 12:26:02 hsskw kernel: mangle-postroute-esp IN= OUT=eth1
SRC=169.254.1.2 DST=ENDPOINT LEN=152 TOS=0x00 PREC=0x00 TTL=254
ID=4893 PROTO=ESP SPI=0x638d8e8d

Jan 21 12:26:02 hsskw kernel: nat-postroute-esp IN= OUT=eth1
SRC=169.254.1.2 DST=ENDPOINT LEN=152 TOS=0x00 PREC=0x00 TTL=254
ID=4893 PROTO=ESP SPI=0x638d8e8d

# Second Ping
Jan 21 12:26:03 hsskw kernel: raw-preroute-esp IN=eth2 OUT=
MAC=00:40:f4:23:0c:00:00:11:f9:3a:c1:4c:08:00 SRC=169.254.1.2
DST=ENDPOINT LEN=152 TOS=0x00 PREC=0x00 TTL=255 ID=4894 PROTO=ESP
SPI=0x638d8e8d

Jan 21 12:26:03 hsskw kernel: mangle-preroute-esp IN=eth2
OUT= MAC=00:40:f4:23:0c:00:00:11:f9:3a:c1:4c:08:00 SRC=169.254.1.2
DST=ENDPOINT LEN=152 TOS=0x00 PREC=0x00 TTL=255 ID=4894 PROTO=ESP
SPI=0x638d8e8d

Jan 21 12:26:03 hsskw kernel: mangle-forward-esp IN=eth2
OUT=eth1 SRC=169.254.1.2 DST=ENDPOINT LEN=152 TOS=0x00 PREC=0x00
TTL=254 ID=4894 PROTO=ESP SPI=0x638d8e8d

Jan 21 12:26:03 hsskw kernel: filter-forward-esp IN=eth2 OUT=eth1
SRC=169.254.1.2 DST=ENDPOINT LEN=152 TOS=0x00 PREC=0x00 TTL=254
ID=4894 PROTO=ESP SPI=0x638d8e8d

Jan 21 12:26:03 hsskw kernel: mangle-postroute-esp IN= OUT=eth1
SRC=169.254.1.2 DST=ENDPOINT LEN=152 TOS=0x00 PREC=0x00 TTL=254
ID=4894 PROTO=ESP SPI=0x638d8e8d

So as you can see, it is completely skipping the NAT table 90% of the
time. Anybody have any clues about this?

Ed.
Alexander Clouter
Guest
Posts: n/a

01-28-2005, 10:13 PM
On 2005-01-21, Ed McLain <(E-Mail Removed)> wrote:
>
> [snipped]
>
> So as you can see, it is completely skipping the NAT table 90% of the
> time. Anybody have any clues about this?
>

If you look at the spiel from:

# watch -n1 'iptables -t nat -nvL'

you will see the packet counters increasing for the _chain_ but not for the
rules. NAT rules (rules in the 'nat' table) really only apply when a connection
is first established, i.e. to the first packet. After that the rules are not
invoked any more and everything is handled by conntrack in the other
tables/chains.

Cheers

Alex
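A small parser for LOG lines of the shape Ed posted, added here as an illustration (it is not code from either poster): it groups the hook hits per flow and per packet and checks Alex's point that only the first packet of a conntrack entry ever visits the nat table. The sample log is constructed from the thread's output, trimmed to the fields used, and keeps the thread's ENDPOINT placeholder for the remote address.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the thread's kernel LOG lines (ESP packets of
# two pings, trimmed to the fields used here; DST keeps the thread's ENDPOINT placeholder).
SAMPLE_LOG = """\
Jan 21 12:26:02 hsskw kernel: raw-preroute-esp IN=eth2 OUT= SRC=169.254.1.2 DST=ENDPOINT ID=4893 PROTO=ESP SPI=0x638d8e8d
Jan 21 12:26:02 hsskw kernel: mangle-preroute-esp IN=eth2 OUT= SRC=169.254.1.2 DST=ENDPOINT ID=4893 PROTO=ESP SPI=0x638d8e8d
Jan 21 12:26:02 hsskw kernel: nat-preroute-esp IN=eth2 OUT= SRC=169.254.1.2 DST=ENDPOINT ID=4893 PROTO=ESP SPI=0x638d8e8d
Jan 21 12:26:02 hsskw kernel: mangle-forward-esp IN=eth2 OUT=eth1 SRC=169.254.1.2 DST=ENDPOINT ID=4893 PROTO=ESP SPI=0x638d8e8d
Jan 21 12:26:02 hsskw kernel: filter-forward-esp IN=eth2 OUT=eth1 SRC=169.254.1.2 DST=ENDPOINT ID=4893 PROTO=ESP SPI=0x638d8e8d
Jan 21 12:26:02 hsskw kernel: mangle-postroute-esp IN= OUT=eth1 SRC=169.254.1.2 DST=ENDPOINT ID=4893 PROTO=ESP SPI=0x638d8e8d
Jan 21 12:26:02 hsskw kernel:nat-postroute-esp IN= OUT=eth1 SRC=169.254.1.2 DST=ENDPOINT ID=4893 PROTO=ESP SPI=0x638d8e8d
Jan 21 12:26:03 hsskw kernel: raw-preroute-esp IN=eth2 OUT= SRC=169.254.1.2 DST=ENDPOINT ID=4894 PROTO=ESP SPI=0x638d8e8d
Jan 21 12:26:03 hsskw kernel: mangle-preroute-esp IN=eth2 OUT= SRC=169.254.1.2 DST=ENDPOINT ID=4894 PROTO=ESP SPI=0x638d8e8d
Jan 21 12:26:03 hsskw kernel: mangle-forward-esp IN=eth2 OUT=eth1 SRC=169.254.1.2 DST=ENDPOINT ID=4894 PROTO=ESP SPI=0x638d8e8d
Jan 21 12:26:03 hsskw kernel: filter-forward-esp IN=eth2 OUT=eth1 SRC=169.254.1.2 DST=ENDPOINT ID=4894 PROTO=ESP SPI=0x638d8e8d
Jan 21 12:26:03 hsskw kernel: mangle-postroute-esp IN= OUT=eth1 SRC=169.254.1.2 DST=ENDPOINT ID=4894 PROTO=ESP SPI=0x638d8e8d
"""

# "kernel:" is sometimes followed by a space and sometimes not, as in the thread's log.
LINE_RE = re.compile(r"kernel:\s*(?P<prefix>\S+)\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (log_prefix, {field: value}) for one netfilter LOG line, or None."""
    m = LINE_RE.search(line)
    return (m.group("prefix"), dict(FIELD_RE.findall(m.group("fields")))) if m else None

def trace_flows(log_text):
    """Group hook hits by flow (PROTO, SRC, DST), then by IP ID, in arrival order.
    Conntrack's generic tracker keys ESP on addresses and protocol only, so all of
    a tunnel's ESP is one conntrack entry; the IP ID tells its packets apart."""
    flows = OrderedDict()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            prefix, f = parsed
            flow = (f.get("PROTO"), f.get("SRC"), f.get("DST"))
            flows.setdefault(flow, OrderedDict()).setdefault(f.get("ID"), []).append(prefix)
    return flows

def nat_summary(flows):
    """Per flow: whether the first packet hit a nat hook and how many later packets did.
    With conntrack behaving as intended, only the first packet ever sees the nat table."""
    out = {}
    for flow, packets in flows.items():
        hit = [any(p.startswith("nat-") for p in hooks) for hooks in packets.values()]
        out[flow] = {"packets": len(hit), "first_packet_nat": hit[0],
                     "later_packets_nat": sum(hit[1:])}
    return out
```

A later packet with `later_packets_nat` above zero would mean the kernel created a fresh conntrack entry for it (for example after the entry timed out), which is where to look if a tunnel really is being re-NATed mid-stream.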