SNAT not working with iproute source routing

Tomasz Cholewa
02-05-2005, 09:42 AM
Hello

I've been trying to connect a second DSL line to my Gentoo router and I have a problem.
Routing is working fine, but it seems that when I try to SNAT (or MASQUERADE) packets coming from one of my computers to the public IP of my second ISP, they seem to be corrupted! Maybe these tcpdump results might help.

At first I ping one popular site without SNAT/MASQUERADE turned on:

$ tcpdump -qnn -i ppp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
18:47:26.128472 IP 192.168.1.4 > 212.77.100.101: icmp 64: echo request seq 1
18:47:27.128007 IP 192.168.1.4 > 212.77.100.101: icmp 64: echo request seq 2
18:47:28.127994 IP 192.168.1.4 > 212.77.100.101: icmp 64: echo request seq 3

So as you can see it's OK.
Now when I turn on SNAT or MASQUERADE (I have a dynamic IP on ppp0) by typing
iptables -t nat -I POSTROUTING -o ppp0 -s 192.168.1.4 -j MASQUERADE #for masq.
or
iptables -t nat -I POSTROUTING -o ppp0 -s 192.168.1.4 -j SNAT --to-source MY_PUBLIC_DYNAMIC_IP #for SNAT

then tcpdump shows:
$ tcpdump -qnn -i ppp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
18:49:41.201973 IP0 bad-hlen 0
18:49:42.202017 IP0 bad-hlen 0
18:49:43.201979 IP0 bad-hlen 0

And that's no good :/ I've analyzed these packets and they really don't have the IP version or header length set!
It's very strange to me; I've never seen anything like that before: iptables destroying packets.

I would appreciate it if someone could tell me what's going on or where to look.
My kernel is 2.6.10 with gentoo-hardened patches, iptables version 1.2.11.

Greetings
Tomasz Cholewa
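The two captures above are the whole diagnosis: on the WAN side (ppp0) either the LAN host's private address shows up untranslated, or tcpdump reports a header it cannot decode. The following is an added example, not code from the thread, that parses `tcpdump -qnn` summary lines (format assumed from the post's output) and classifies a capture into the two conditions a router operator would want flagged: a private RFC 1918 source address leaving the public interface (NAT not applied) and `bad-hlen` lines (IP header mangled before transmission). The sample captures are constructed from the lines quoted in the post.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List

# Constructed sample input: the two captures quoted in the post (tcpdump -qnn -i ppp0).
CAPTURE_WITHOUT_NAT = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
18:47:26.128472 IP 192.168.1.4 > 212.77.100.101: icmp 64: echo request seq 1
18:47:27.128007 IP 192.168.1.4 > 212.77.100.101: icmp 64: echo request seq 2
18:47:28.127994 IP 192.168.1.4 > 212.77.100.101: icmp 64: echo request seq 3
"""

CAPTURE_WITH_NAT = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
18:49:41.201973 IP0 bad-hlen 0
18:49:42.202017 IP0 bad-hlen 0
18:49:43.201979 IP0 bad-hlen 0
"""

TS = r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)"
ADDR = r"\d{1,3}(?:\.\d{1,3}){3}"

# Well-formed IPv4 summary line (assumed layout): "<ts> IP <src>[.<port>] > <dst>[.<port>]: <summary>"
WELL_FORMED = re.compile(
    rf"^{TS} IP (?P<src>{ADDR})(?:\.(?P<sport>\d+))?"
    rf" > (?P<dst>{ADDR})(?:\.(?P<dport>\d+))?: (?P<summary>.*)$"
)

# Undecodable header as tcpdump prints it: the version digit follows "IP", then "bad-hlen <n>"
MALFORMED = re.compile(rf"^{TS} IP(?P<version>\d*) bad-hlen (?P<hlen>\d+)$")


@dataclass
class CaptureSummary:
    well_formed: int = 0
    malformed: int = 0
    unparsed: int = 0                      # banner lines, noise, anything we do not recognise
    private_sources: List[str] = field(default_factory=list)  # RFC 1918 sources seen on the WAN side


def summarize(capture: str) -> CaptureSummary:
    """Classify every line of a tcpdump -qnn capture taken on the public interface."""
    s = CaptureSummary()
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WELL_FORMED.match(line)
        if m:
            s.well_formed += 1
            src = m.group("src")
            # A private source on the WAN interface means SNAT/MASQUERADE did not apply.
            if ip_address(src).is_private and src not in s.private_sources:
                s.private_sources.append(src)
            continue
        if MALFORMED.match(line):
            s.malformed += 1
            continue
        s.unparsed += 1
    return s


def diagnose(summary: CaptureSummary) -> str:
    """Reduce a summary to the single verdict an operator acts on."""
    if summary.malformed:
        return "malformed"            # headers damaged after the NAT hook: stop and investigate the kernel/netfilter
    if summary.private_sources:
        return "private-source-leak"  # packets left untranslated: the POSTROUTING rule did not match
    if summary.well_formed:
        return "ok"
    return "no-packets"


if __name__ == "__main__":
    for name, cap in (("without NAT", CAPTURE_WITHOUT_NAT), ("with NAT", CAPTURE_WITH_NAT)):
        s = summarize(cap)
        print(f"{name}: {s.well_formed} well-formed, {s.malformed} malformed, "
              f"private sources {s.private_sources} -> {diagnose(s)}")
```

Run against the post's first capture the verdict is `private-source-leak`, which is exactly what a working ping without NAT looks like from ppp0 and what should never be seen once the POSTROUTING rule is in place; the second capture yields `malformed`, the condition that points away from rule syntax and toward the kernel build itself.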
 

Tomasz Cholewa
02-10-2005, 08:37 AM
On Sat, 05 Feb 2005 10:42:13 GMT
Tomasz Cholewa <(E-Mail Removed)> wrote:

> Hello
>
> I've been trying to connect a second DSL line to my Gentoo router and I have a problem.
> Routing is working fine, but it seems that when I try to SNAT (or MASQUERADE) packets coming from one of my computers to the public IP of my second ISP, they seem to be corrupted! Maybe these tcpdump results might help.
>
> At first I ping one popular site without SNAT/MASQUERADE turned on:
>
> $ tcpdump -qnn -i ppp0
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
> 18:47:26.128472 IP 192.168.1.4 > 212.77.100.101: icmp 64: echo request seq 1
> 18:47:27.128007 IP 192.168.1.4 > 212.77.100.101: icmp 64: echo request seq 2
> 18:47:28.127994 IP 192.168.1.4 > 212.77.100.101: icmp 64: echo request seq 3
>
> So as you can see it's OK.
> Now when I turn on SNAT or MASQUERADE (I have a dynamic IP on ppp0) by typing
> iptables -t nat -I POSTROUTING -o ppp0 -s 192.168.1.4 -j MASQUERADE #for masq.
> or
> iptables -t nat -I POSTROUTING -o ppp0 -s 192.168.1.4 -j SNAT --to-source MY_PUBLIC_DYNAMIC_IP #for SNAT
>
> then tcpdump shows:
> $ tcpdump -qnn -i ppp0
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
> 18:49:41.201973 IP0 bad-hlen 0
> 18:49:42.202017 IP0 bad-hlen 0
> 18:49:43.201979 IP0 bad-hlen 0
>

Hi
I've found a solution. Well, I've been using the hardened-dev-sources ebuild on my Gentoo machine, so I had a kernel with some security patches (2.6.10), and when I switched to the normal kernel (also 2.6.10) everything started to work! So I had to choose: security or working source routing with SNAT.
Now I'm waiting for the guys from the hardened Gentoo project to fix this problem.

Greets
Tomasz Cholewa
 