Iptables or routing issue

Discussion in 'Linux Networking' started by Dirk Stöcker, Nov 14, 2012.

  1. Hello,

    I have a problem either with iptables or routing or any other related
    component.

    Any help to fix this issue or to give me a hint why it does not work would
    help.

    The same setup worked on older systems, but not on the openSUSE 12.2
    system with kernel 3.4.6 64 bit.

    Hardware:
    - one PC running openSUSE
    - multiple serial ports
    - on each serial port is a device with ppp capabilities
    - hardcoded IPs aren't changeable
    - device IP is 192.168.171.1
    - host IP is 192.168.171.2

    Now the problem is that both have the same IP setup.

    Solution: Using routing tables and iptables the IPs are mapped into the
    range 10.0.port.1, where port is the serial port number (or ppp device
    number).

    Problem:
    For the first connected IP this setup works. For the second IP it seems
    incoming packets are lost. I see the packets in "mangle" prerouting, but
    not in any later step. For the first connection they are properly handled
    and delivered.

    I have the following iptables rules to get my setup working.

    a) nat Chain OUTPUT (policy ACCEPT)
    DNAT all -- 0.0.0.0/0 10.0.11.1 to:192.168.171.1
    DNAT all -- 0.0.0.0/0 10.0.13.1 to:192.168.171.1

    nat Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    SNAT all -- 0.0.0.0/0 192.168.171.1 mark match 0x6f to:192.168.171.2
    SNAT all -- 0.0.0.0/0 192.168.171.1 mark match 0x71 to:192.168.171.2

    mangle Chain OUTPUT (policy ACCEPT)
    MARK all -- 0.0.0.0/0 10.0.11.0/24 MARK set 0x6f
    MARK all -- 0.0.0.0/0 10.0.13.0/24 MARK set 0x71

    b) ip rule show
    0: from all lookup local
    32764: from all fwmark 0x71 lookup 113
    32765: from all fwmark 0x6f lookup 111
    32766: from all lookup main
    32767: from all lookup default

    c)
    /proc/sys/net/ipv4/ip_forward is 1

    d) ip addr show
    305: ppp11: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 192.168.171.2 peer 192.168.171.1/32 scope global ppp11
    307: ppp13: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 192.168.171.2 peer 192.168.171.1/32 scope global ppp13

    e) ip route show
    default via 192.168.1.1 dev eth0
    10.0.11.0/24 dev ppp11 scope link
    10.0.13.0/24 dev ppp13 scope link
    127.0.0.0/8 dev lo scope link
    169.254.0.0/16 dev eth0 scope link
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.35
    192.168.171.1 dev ppp11 proto kernel scope link src 192.168.171.2
    192.168.171.1 dev ppp13 proto kernel scope link src 192.168.171.2
    DEV PPPD Table 111 : default dev ppp11 scope link
    DEV PPPD Table 113 : default dev ppp13 scope link

    Now when I ping to "10.0.11.1" it works correctly and I get a reply.

    Nov 14 19:28:52 misc-carpc-tc kernel: [11174.720180] ***MA OUT 1***IN= OUT=ppp11 SRC=192.168.171.2 DST=10.0.11.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14769 SEQ=1
    Nov 14 19:28:52 misc-carpc-tc kernel: [11174.720185] ***MA OUT 2***IN= OUT=ppp11 SRC=192.168.171.2 DST=10.0.11.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14769 SEQ=1 MARK=0x6f
    Nov 14 19:28:52 misc-carpc-tc kernel: [11174.720194] ***NA OUT 1***IN= OUT=ppp11 SRC=192.168.171.2 DST=10.0.11.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14769 SEQ=1 MARK=0x6f
    Nov 14 19:28:52 misc-carpc-tc kernel: [11174.720202] ***-- OUT 1***IN= OUT=ppp11 SRC=192.168.171.2 DST=192.168.171.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14769 SEQ=1 MARK=0x6f
    Nov 14 19:28:52 misc-carpc-tc kernel: [11174.720206] ***MA POS 1***IN= OUT=ppp11 SRC=192.168.171.2 DST=192.168.171.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14769 SEQ=1 MARK=0x6f
    Nov 14 19:28:52 misc-carpc-tc kernel: [11174.720210] ***NA POS 1***IN= OUT=ppp11 SRC=192.168.171.2 DST=192.168.171.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14769 SEQ=1 MARK=0x6f
    Nov 14 19:28:52 misc-carpc-tc kernel: [11174.741598] ***MA PRE 1***IN=ppp11 OUT= MAC= SRC=192.168.171.1 DST=192.168.171.2 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=17034 DF PROTO=ICMP TYPE=0 CODE=0 ID=14769 SEQ=1
    Nov 14 19:28:52 misc-carpc-tc kernel: [11174.741618] ***MA INP 1***IN=ppp11 OUT= MAC= SRC=192.168.171.1 DST=192.168.171.2 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=17034 DF PROTO=ICMP TYPE=0 CODE=0 ID=14769 SEQ=1
    Nov 14 19:28:52 misc-carpc-tc kernel: [11174.741629] ***-- INP 1***IN=ppp11 OUT= MAC= SRC=192.168.171.1 DST=192.168.171.2 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=17034 DF PROTO=ICMP TYPE=0 CODE=0 ID=14769 SEQ=1

    But a ping to "10.0.13.1" goes out correctly, but the reply is lost after
    passing mangle PREROUTING chain and never comes to mangle input.

    Why?

    Nov 14 19:29:00 misc-carpc-tc kernel: [11182.726366] ***MA OUT 1***IN= OUT=ppp13 SRC=192.168.171.2 DST=10.0.13.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14781 SEQ=1
    Nov 14 19:29:00 misc-carpc-tc kernel: [11182.726371] ***MA OUT 2***IN= OUT=ppp13 SRC=192.168.171.2 DST=10.0.13.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14781 SEQ=1 MARK=0x71
    Nov 14 19:29:00 misc-carpc-tc kernel: [11182.726381] ***NA OUT 1***IN= OUT=ppp13 SRC=192.168.171.2 DST=10.0.13.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14781 SEQ=1 MARK=0x71
    Nov 14 19:29:00 misc-carpc-tc kernel: [11182.726389] ***-- OUT 1***IN= OUT=ppp13 SRC=192.168.171.2 DST=192.168.171.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14781 SEQ=1 MARK=0x71
    Nov 14 19:29:00 misc-carpc-tc kernel: [11182.726393] ***MA POS 1***IN= OUT=ppp13 SRC=192.168.171.2 DST=192.168.171.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14781 SEQ=1 MARK=0x71
    Nov 14 19:29:00 misc-carpc-tc kernel: [11182.726398] ***NA POS 1***IN= OUT=ppp13 SRC=192.168.171.2 DST=192.168.171.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14781 SEQ=1 MARK=0x71
    Nov 14 19:29:00 misc-carpc-tc kernel: [11182.745389] ***MA PRE 1***IN=ppp13 OUT= MAC= SRC=192.168.171.1 DST=192.168.171.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1400 DF PROTO=ICMP TYPE=0 CODE=0 ID=14781 SEQ=1

    Additional note: the log is created with LOG entries in all the tables.

    MA (mangle), NA (nat), -- (filter)
    OUT (OUTPUT), POS (POSTROUTING), PRE (PREROUTING), INP (INPUT)
    1 (beginning of table), 2 (after all rules)

    Ciao
     
    Dirk Stöcker, Nov 14, 2012
    #1

  2. Hello,

    Dirk Stöcker wrote:
    Check that rp_filter is disabled for the PPP interfaces.
    Note that the logic combining net.ipv4.conf.all.rp_filter and
    net.ipv4.conf.<interface>.rp_filter has changed at some point of the
    kernel development.
     
    Pascal Hambourg, Nov 16, 2012
    #2

  3. Thanks a lot. That was the right hint for me and solved the issue.

    Slight modification: I need a

    echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter

    as this setting was already 0 for the individual interfaces.

    Ciao
     
    Dirk Stöcker, Nov 16, 2012
    #3
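The two replies above hinge on how the kernel combines the global and per-interface rp_filter settings: since 2.6.31 the effective value is the higher of conf/all/rp_filter and conf/<if>/rp_filter, which is why a ppp interface already set to 0 still drops the second peer's replies while "all" is 1. The script below is an added example and not code from the thread; it mirrors that max logic, reports the effective value per interface, and relaxes the check for the ppp devices only, pinning the remaining interfaces to strict mode instead of disabling the anti-spoofing check host-wide. The directory layout, interface names and values it builds are a constructed stand-in for /proc/sys/net/ipv4/conf, modelled on the interfaces shown in the first post.

```shell
#!/bin/sh
# Added example; not from the thread. Shows how the kernel combines
# conf/all/rp_filter with conf/<if>/rp_filter (the higher value wins, since
# 2.6.31), why all=1 silently re-enables the check on a ppp interface that is
# already 0, and how to turn it off for the ppp devices only while keeping
# strict mode (1) on the other interfaces.

# Effective rp_filter for one interface: the higher of the global and the
# per-interface value. 0 = off, 1 = strict, 2 = loose.
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Print "<if> all=<a> if=<b> effective=<e>" for every interface under ROOT
# (a conf/ directory such as /proc/sys/net/ipv4/conf). "all" and "default"
# are not interfaces; "default" only seeds devices created later.
rp_filter_report() {
    root=$1
    all=$(cat "$root/all/rp_filter")
    for d in "$root"/*/; do
        ifname=$(basename "$d")
        case $ifname in all|default) continue ;; esac
        ifval=$(cat "$d/rp_filter")
        printf '%s all=%s if=%s effective=%s\n' \
            "$ifname" "$all" "$ifval" "$(effective_rp_filter "$all" "$ifval")"
    done
}

# Disable the check for ppp interfaces only: clear "all" (otherwise it wins
# the comparison), pin every other real interface to strict (1) explicitly so
# the anti-spoofing check stays in place there, and set the ppp devices to 0.
# pppd creates ppp devices at connect time and they inherit conf/default, so
# on a real host the ppp part belongs in /etc/ppp/ip-up as well.
relax_rp_filter_for_ppp() {
    root=$1
    echo 0 > "$root/all/rp_filter"
    for d in "$root"/*/; do
        ifname=$(basename "$d")
        case $ifname in
            all|default|lo) continue ;;
            ppp*) echo 0 > "$d/rp_filter" ;;
            *)    echo 1 > "$d/rp_filter" ;;
        esac
    done
}

# Constructed stand-in for /proc/sys/net/ipv4/conf, modelled on the thread's
# host: all=1 from the distribution default, ppp11/ppp13 already 0, eth0 strict.
make_constructed_tree() {
    t=$(mktemp -d)
    for i in all default lo eth0 ppp11 ppp13; do
        mkdir -p "$t/$i"
    done
    echo 1 > "$t/all/rp_filter"
    echo 1 > "$t/default/rp_filter"
    echo 0 > "$t/lo/rp_filter"
    echo 1 > "$t/eth0/rp_filter"
    echo 0 > "$t/ppp11/rp_filter"
    echo 0 > "$t/ppp13/rp_filter"
    echo "$t"
}

# Inspect a real host with SYSCTL_ROOT=/proc/sys/net/ipv4/conf; add RP_APPLY=1
# (as root) to also apply the change. Without SYSCTL_ROOT the constructed tree
# is used and the full before/after demonstration runs.
if [ -n "${SYSCTL_ROOT:-}" ]; then
    ROOT=$SYSCTL_ROOT; APPLY=${RP_APPLY:-0}
else
    ROOT=$(make_constructed_tree); APPLY=1
fi
echo "before:"; rp_filter_report "$ROOT"
if [ "$APPLY" = 1 ]; then
    relax_rp_filter_for_ppp "$ROOT"
    echo "after:"; rp_filter_report "$ROOT"
fi
```

On the constructed tree the "before" report shows every interface, including ppp11 and ppp13, with effective=1 even though their own files read 0; after the relax step only eth0 remains at effective=1. Note that loose mode (2) is the other option the kernel offers, but the thread's setup routes 192.168.171.1 via two interfaces, and the reporter found that 0 was what fixed it, so the example keeps 0 for the ppp devices.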
