[pkg-netfilter-team] Bug#877826: FTP with DNAT in PREROUTING and SNAT in POSTROUTING fails

Tom Eastep teastep at shorewall.net
Fri Oct 6 01:09:24 UTC 2017


Package: iptables
Version: 1.6.0+snapshot20161117-6
Severity: important

When a router needs to forward FTP connections to a local FTP server
with an RFC1918 address whose default gateway is different from the
router, then DNAT must be used in the router's nat PREROUTING chain and
SNAT in the router's nat POSTROUTING chain. This configuration has
worked in the past but now fails.

I am submitting this report against iptables with the understanding that
the problem probably lies in the netfilter kernel components.

I have reproduced this failure in a simple controlled environment.

I apologize for the folded lines below, but my mailer folds long lines
and I did not want to submit this report in HTML format to avoid folding.

Topology is:

   gateway (172.20.1.253) - (172.20.1.131) debianvm (172.21.1.10) - unnamed (172.21.1.11)

An ftp server is running on the unnamed host.

On Debianvm:

root at debianvm:~# ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6b:15:3b brd ff:ff:ff:ff:ff:ff
    inet 172.20.1.131/24 brd 172.20.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 172.20.3.1/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6b:153b/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:7e:93:ba brd ff:ff:ff:ff:ff:ff
    inet 172.21.1.10/24 brd 172.21.1.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe7e:93ba/64 scope link
       valid_lft forever preferred_lft forever
root at debianvm:~#  ip route ls
default via 172.20.1.253 dev eth0 src 172.20.1.131 metric 202
169.254.0.0/16 dev eth1 scope link metric 1000
172.20.1.0/24 dev eth0 proto kernel scope link src 172.20.1.131 metric 202
172.20.1.253 dev eth0 scope link src 172.20.1.131
172.21.1.0/24 dev eth1 proto kernel scope link src 172.21.1.10 metric 203

First, associate the ftp helper with tcp port 21 on Debianvm

root at debianvm:~#
root at debianvm:~# iptables -t raw -A PREROUTING -p 6 --dport 21 -j CT --helper ftp
root at debianvm:~# for t in raw nat filter; do iptables -t $t -L -n -v; done

Chain PREROUTING (policy ACCEPT 45 packets, 17197 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 CT helper ftp

Chain OUTPUT (policy ACCEPT 42 packets, 4155 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 4 packets, 1734 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4 packets, 1734 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 67 packets, 10273 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 67 packets, 10273 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 466 packets, 289K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 516 packets, 69293 bytes)
 pkts bytes target     prot opt in     out     source               destination
root at debianvm:~#

On the unnamed host (Not a Debian system)

[root at localhost ~]# hostname
localhost.localdomain
[root at localhost ~]# ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:a9:d8:95 brd ff:ff:ff:ff:ff:ff
    inet 172.21.1.11/24 brd 172.21.1.255 scope global dynamic enp0s3
       valid_lft 786sec preferred_lft 786sec
    inet6 fe80::4e4d:6fa4:a06b:ca09/64 scope link
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
    link/ether 52:54:00:ae:2d:63 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN qlen 1000
    link/ether 52:54:00:ae:2d:63 brd ff:ff:ff:ff:ff:ff
[root at localhost ~]#

FTP access from Debianvm works at this point.

root at debianvm:~# ftp 172.21.1.11
Connected to 172.21.1.11.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 15:28. Server port: 21.
220-Only anonymous FTP is allowed here
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (172.21.1.11:teastep): ftp
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
root at debianvm:~#

Now, let's add a DNAT rule for ftp on Debianvm:

root at debianvm:~# iptables -t nat -A PREROUTING -m conntrack --ctorigdst 172.20.1.131 -j DNAT --to-dest 172.21.1.11
root at debianvm:~# !for
for t in raw nat filter; do iptables -t $t -L -n -v; done
Chain PREROUTING (policy ACCEPT 439 packets, 76677 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 CT helper ftp

Chain OUTPUT (policy ACCEPT 511 packets, 64611 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctorigdst 172.20.1.131 to:172.21.1.11

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 860 packets, 349K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 985 packets, 130K bytes)
 pkts bytes target     prot opt in     out     source               destination
root at debianvm:~#

And observe that ftp from Gateway using Debianvm's external address
works correctly.

root at gateway: ftp -4 172.20.1.131
Connected to debianvm.shorewall.net.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 15:42. Server port: 21.
220-Only anonymous FTP is allowed here
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (debianvm:root): ftp
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Connecting to port 39333
drwxr-xr-x    2 0          0                   6 Dec 27  2015 .
drwxr-xr-x    2 0          0                   6 Dec 27  2015 ..
226-Options: -a -l
226 2 matches total
ftp> ftp -4 debianvm
Connected to debianvm.shorewall.net.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 15:42. Server port: 21.
220-Only anonymous FTP is allowed here
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (debianvm:root): ftp
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Connecting to port 39333
drwxr-xr-x    2 0          0                   6 Dec 27  2015 .
drwxr-xr-x    2 0          0                   6 Dec 27  2015 ..
226-Options: -a -l
226 2 matches total
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (172,20,1,131,156,206)
150 Accepted data connection
drwxr-xr-x    2 0          0                   6 Dec 27  2015 .
drwxr-xr-x    2 0          0                   6 Dec 27  2015 ..
226-Options: -a -l
226 2 matches total
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
root at gateway:~#

tcpdump output on eth1 during a similar session such as this:

tcpdump -ni eth1 proto 6 and port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:39:55.208421 IP 172.20.1.253.55310 > 172.21.1.11.21: Flags [S], seq 2787803852, win 29200, options [mss 1460,sackOK,TS val 89033171 ecr 0,nop,wscale 7], length 0
17:39:55.208886 IP 172.21.1.11.21 > 172.20.1.253.55310: Flags [S.], seq 3636643523, ack 2787803853, win 28960, options [mss 1460,sackOK,TS val 98441 ecr 89033171,nop,wscale 7], length 0
17:39:55.210615 IP 172.20.1.253.55310 > 172.21.1.11.21: Flags [.], ack 1, win 229, options [nop,nop,TS val 89033172 ecr 98441], length 0
17:39:55.212523 IP 172.21.1.11.21 > 172.20.1.253.55310: Flags [P.], seq 1:310, ack 1, win 227, options [nop,nop,TS val 98445 ecr 89033172], length 309: FTP: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
17:39:55.213780 IP 172.20.1.253.55310 > 172.21.1.11.21: Flags [.], ack 310, win 237, options [nop,nop,TS val 89033173 ecr 98445], length 0
17:39:58.463114 IP 172.20.1.253.55310 > 172.21.1.11.21: Flags [P.], seq 1:11, ack 310, win 237, options [nop,nop,TS val 89033985 ecr 98445], length 10: FTP: USER ftp
17:39:58.463590 IP 172.21.1.11.21 > 172.20.1.253.55310: Flags [.], ack 11, win 227, options [nop,nop,TS val 101698 ecr 89033985], length 0
17:39:58.464421 IP 172.21.1.11.21 > 172.20.1.253.55310: Flags [P.], seq 310:340, ack 11, win 227, options [nop,nop,TS val 101699 ecr 89033985], length 30: FTP: 230 Anonymous user logged in
17:39:58.465313 IP 172.20.1.253.55310 > 172.21.1.11.21: Flags [.], ack 340, win 237, options [nop,nop,TS val 89033985 ecr 101699], length 0
17:39:58.465346 IP 172.20.1.253.55310 > 172.21.1.11.21: Flags [P.], seq 11:17, ack 340, win 237, options [nop,nop,TS val 89033985 ecr 101699], length 6: FTP: SYST
17:39:58.465875 IP 172.21.1.11.21 > 172.20.1.253.55310: Flags [P.], seq 340:359, ack 17, win 227, options [nop,nop,TS val 101701 ecr 89033985], length 19: FTP: 215 UNIX Type: L8
17:39:58.509807 IP 172.20.1.253.55310 > 172.21.1.11.21: Flags [.], ack 359, win 237, options [nop,nop,TS val 89033997 ecr 101701], length 0
17:40:00.551839 IP 172.20.1.253.55310 > 172.21.1.11.21: Flags [P.], seq 17:23, ack 359, win 237, options [nop,nop,TS val 89034507 ecr 101701], length 6: FTP: QUIT
17:40:00.552478 IP 172.21.1.11.21 > 172.20.1.253.55310: Flags [P.], seq 359:426, ack 23, win 227, options [nop,nop,TS val 103788 ecr 89034507], length 67: FTP: 221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
17:40:00.553286 IP 172.21.1.11.21 > 172.20.1.253.55310: Flags [F.], seq 426, ack 23, win 227, options [nop,nop,TS val 103789 ecr 89034507], length 0
17:40:00.553798 IP 172.20.1.253.55310 > 172.21.1.11.21: Flags [.], ack 426, win 237, options [nop,nop,TS val 89034507 ecr 103788], length 0
17:40:00.553856 IP 172.20.1.253.55310 > 172.21.1.11.21: Flags [F.], seq 23, ack 426, win 237, options [nop,nop,TS val 89034507 ecr 103788], length 0
17:40:00.553865 IP 172.20.1.253.55310 > 172.21.1.11.21: Flags [.], ack 427, win 237, options [nop,nop,TS val 89034508 ecr 103789], length 0
17:40:00.554260 IP 172.21.1.11.21 > 172.20.1.253.55310: Flags [.], ack 24, win 227, options [nop,nop,TS val 103790 ecr 89034507], length 0

Now also add an SNAT rule. Again, this is required in cases where an
internal FTP server has a default gateway that is different from the
system where DNAT occurs.

root at debianvm:~# iptables -t nat -A POSTROUTING -d 172.21.1.11 -p tcp --dport 21 -j SNAT --to-source 172.21.1.10

Check that SNAT occurs from Debianvm:

root at debianvm:~# ftp 172.21.1.11
Connected to 172.21.1.11.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 15:45. Server port: 21.
220-Only anonymous FTP is allowed here
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (172.21.1.11:teastep): ftp
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Connecting to port 59787
drwxr-xr-x    2 0          0                   6 Dec 27  2015 .
drwxr-xr-x    2 0          0                   6 Dec 27  2015 ..
226-Options: -a -l
226 2 matches total
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
root at debianvm:~# !for
for t in raw nat filter; do iptables -t $t -L -n -v; done
Chain PREROUTING (policy ACCEPT 3863 packets, 1483K bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  1912 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 CT helper ftp

Chain OUTPUT (policy ACCEPT 4509 packets, 571K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 2 packets, 189 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctorigdst 172.20.1.131 to:172.21.1.11

Chain INPUT (policy ACCEPT 2 packets, 189 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 460 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2 packets, 400 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 SNAT       tcp  --  *      *       0.0.0.0/0            172.21.1.11          tcp dpt:21 to:172.21.1.10 <==== SNAT rule was hit.
Chain INPUT (policy ACCEPT 4207 packets, 1750K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 77 packets, 5673 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4983 packets, 636K bytes)
 pkts bytes target     prot opt in     out     source               destination
root at debianvm:~#

But now, attempting to connect from gateway via Debianvm times out!!

root at gateway:~# ftp -4 172.20.1.131
ftp: connect: Connection timed out
ftp> quit
root at gateway:~#

Get a trace of what is happening:

root at debianvm:~# iptables -t raw -A PREROUTING -p tcp --dport 21 -j TRACE
root at debianvm:~# !for
for t in raw nat filter; do iptables -t $t -L -n -v; done
Chain PREROUTING (policy ACCEPT 2 packets, 104 bytes)
 pkts bytes target     prot opt in     out     source               destination
   38  2152 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 CT helper ftp
    0     0 TRACE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain OUTPUT (policy ACCEPT 2 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 5 packets, 1857 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   360 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctorigdst 172.20.1.131 to:172.21.1.11

Chain INPUT (policy ACCEPT 5 packets, 1857 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 34 packets, 5362 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 33 packets, 5302 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 SNAT       tcp  --  *      *       0.0.0.0/0            172.21.1.11          tcp dpt:21 to:172.21.1.10
Chain INPUT (policy ACCEPT 5169 packets, 2075K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 81 packets, 5913 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 6163 packets, 769K bytes)
 pkts bytes target     prot opt in     out     source               destination
root at debianvm:~# fgrep TRACE /var/log/syslog
Oct  5 15:59:01 debianvm kernel: [ 2725.899816] TRACE: raw:PREROUTING:policy:3 IN=eth0 OUT= MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.20.1.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59652 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053771DA0000000001030307)
Oct  5 15:59:01 debianvm kernel: [ 2725.899855] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.20.1.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59652 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053771DA0000000001030307)
Oct  5 15:59:01 debianvm kernel: [ 2725.899876] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.20.1.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59652 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053771DA0000000001030307)
Oct  5 15:59:01 debianvm kernel: [ 2725.899913] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=eth1 MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59652 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053771DA0000000001030307)
Oct  5 15:59:01 debianvm kernel: [ 2725.899933] TRACE: filter:FORWARD:policy:1 IN=eth0 OUT=eth1 MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59652 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053771DA0000000001030307)
Oct  5 15:59:01 debianvm kernel: [ 2725.899951] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59652 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053771DA0000000001030307)
Oct  5 15:59:01 debianvm kernel: [ 2725.899968] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth1 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59652 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053771DA0000000001030307)
Oct  5 15:59:02 debianvm kernel: [ 2726.914567] TRACE: raw:PREROUTING:policy:3 IN=eth0 OUT= MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.20.1.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59653 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053772D80000000001030307)
Oct  5 15:59:02 debianvm kernel: [ 2726.914661] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.20.1.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59653 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053772D80000000001030307)
Oct  5 15:59:02 debianvm kernel: [ 2726.914727] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.20.1.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59653 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053772D80000000001030307)
Oct  5 15:59:02 debianvm kernel: [ 2726.914805] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=eth1 MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59653 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053772D80000000001030307)
Oct  5 15:59:02 debianvm kernel: [ 2726.914859] TRACE: filter:FORWARD:policy:1 IN=eth0 OUT=eth1 MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59653 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053772D80000000001030307)
Oct  5 15:59:02 debianvm kernel: [ 2726.914907] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59653 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053772D80000000001030307)
Oct  5 15:59:02 debianvm kernel: [ 2726.914954] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth1 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59653 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053772D80000000001030307)
Oct  5 15:59:04 debianvm kernel: [ 2728.930517] TRACE: raw:PREROUTING:policy:3 IN=eth0 OUT= MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.20.1.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59654 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053774D00000000001030307)
Oct  5 15:59:04 debianvm kernel: [ 2728.930603] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.20.1.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59654 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053774D00000000001030307)
Oct  5 15:59:04 debianvm kernel: [ 2728.930655] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.20.1.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59654 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053774D00000000001030307)
Oct  5 15:59:04 debianvm kernel: [ 2728.930729] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=eth1 MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59654 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053774D00000000001030307)
Oct  5 15:59:04 debianvm kernel: [ 2728.930778] TRACE: filter:FORWARD:policy:1 IN=eth0 OUT=eth1 MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59654 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053774D00000000001030307)
Oct  5 15:59:04 debianvm kernel: [ 2728.930821] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59654 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053774D00000000001030307)
Oct  5 15:59:04 debianvm kernel: [ 2728.930902] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth1 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59654 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053774D00000000001030307)
Oct  5 15:59:08 debianvm kernel: [ 2732.971228] TRACE: raw:PREROUTING:policy:3 IN=eth0 OUT= MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.20.1.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59655 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053778C00000000001030307)
Oct  5 15:59:08 debianvm kernel: [ 2732.971287] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.20.1.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59655 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053778C00000000001030307)
Oct  5 15:59:08 debianvm kernel: [ 2732.971319] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.20.1.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59655 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053778C00000000001030307)
Oct  5 15:59:08 debianvm kernel: [ 2732.971365] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=eth1 MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59655 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053778C00000000001030307)
Oct  5 15:59:08 debianvm kernel: [ 2732.971402] TRACE: filter:FORWARD:policy:1 IN=eth0 OUT=eth1 MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59655 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053778C00000000001030307)
Oct  5 15:59:08 debianvm kernel: [ 2732.971432] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59655 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053778C00000000001030307)
Oct  5 15:59:08 debianvm kernel: [ 2732.971461] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth1 SRC=172.20.1.253 DST=172.21.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59655 DF PROTO=TCP SPT=55226 DPT=21 SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A053778C00000000001030307)
root at debianvm:~#

Let's see what is happening on Debianvm's internal interface during this
time:

root at debianvm:~# tcpdump -ni eth1 proto 6 and port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
root at debianvm:~# iptables -t nat -D POSTROUTING -d 172.21.1.11 -p tcp --dport 21 -j SNAT --to-source 172.21.1.10
root at debianvm:~#

So the packets are being effectively dropped on Debianvm.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
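As an added example (not part of Tom's report), a small Python parser for kernel TRACE lines of the kind quoted above. It groups the lines by packet, recovers the DNAT rewrite and the hook path, and flags the two things the report's log shows: the same SYN being resent with a fresh IP ID and no reply, and a trace that ends at nat:POSTROUTING, i.e. after every rule TRACE can see. The sample log is constructed in the report's format, and all function names are mine.

```python
import re
from collections import OrderedDict

TRACE_RE = re.compile(r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>\w+):(?P<num>\d+) (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")                           # KEY=value pairs; OUT= may be empty
TCP_FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b(?!=)")  # bare TCP flags, not the ACK=0 field

def parse_trace_line(line):
    """Return (hook, fields, tcp_flags) for one kernel TRACE line, or None."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    hook = "%s:%s:%s:%s" % m.group("table", "chain", "kind", "num")
    return hook, dict(FIELD_RE.findall(m.group("rest"))), set(TCP_FLAG_RE.findall(m.group("rest")))

def group_by_packet(text):
    """Collect, per datagram keyed by (PROTO, IP ID, SPT), every hook it was traced in."""
    packets = OrderedDict()
    for line in text.splitlines():
        parsed = parse_trace_line(line)
        if parsed is None:
            continue
        hook, f, flags = parsed
        key = (f.get("PROTO"), f.get("ID"), f.get("SPT"))
        pkt = packets.setdefault(key, {"src": f.get("SRC"), "dst_in": f.get("DST"),
                                       "seq": f.get("SEQ"), "flags": flags, "hooks": []})
        pkt["hooks"].append(hook)
        pkt["dst_out"] = f.get("DST")   # DST at the latest hook: changes after nat PREROUTING (DNAT)
    return packets

def summarize(text):
    """Describe the first traced packet's path and how many times the same SYN was resent."""
    packets = group_by_packet(text)
    if not packets:
        return {"packets": 0}
    first = next(iter(packets.values()))
    # The same bare SYN (no ACK flag) reappearing with a new IP ID and the same
    # SEQ is a retransmission: the client never saw a SYN-ACK.
    syn_count = sum(1 for p in packets.values()
                    if "SYN" in p["flags"] and "ACK" not in p["flags"]
                    and (p["src"], p["seq"]) == (first["src"], first["seq"]))
    last_hook = first["hooks"][-1]
    return {
        "packets": len(packets),
        "path": first["hooks"],
        "dnat": (first["dst_in"], first["dst_out"]),
        "last_hook": last_hook,
        # A trace that stops at some earlier rule was dropped by that rule. One
        # that reaches nat:POSTROUTING passed every traced hook, so if the packet
        # still never appears on the wire it was lost after the last hook TRACE
        # can show, which is what the report's empty tcpdump on eth1 indicates.
        "left_netfilter": last_hook.split(":")[1] == "POSTROUTING",
        "syn_retransmissions": max(syn_count - 1, 0),
    }

# Constructed sample in the format of the report's TRACE lines: the first two
# transmissions of one SYN (same SEQ, consecutive IP IDs), each walking
# raw/mangle/nat PREROUTING -> mangle/filter FORWARD -> mangle/nat POSTROUTING.
SAMPLE_MAC = "MAC=08:00:27:6b:15:3b:08:2e:5f:2d:1e:7d:08:00"
SAMPLE_TAIL = ("LEN=60 TOS=0x00 PREC=0x00 TTL=%d ID=%d DF PROTO=TCP SPT=55226 DPT=21 "
               "SEQ=3533281502 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B4)")

def sample_syn(stamp, ipid):
    pre = "IN=eth0 OUT= %s SRC=172.20.1.253 DST=172.20.1.131 %s" % (SAMPLE_MAC, SAMPLE_TAIL % (64, ipid))
    fwd = "IN=eth0 OUT=eth1 %s SRC=172.20.1.253 DST=172.21.1.11 %s" % (SAMPLE_MAC, SAMPLE_TAIL % (63, ipid))
    post = "IN= OUT=eth1 SRC=172.20.1.253 DST=172.21.1.11 %s" % (SAMPLE_TAIL % (63, ipid))
    hooks = [("raw:PREROUTING:policy:3", pre), ("mangle:PREROUTING:policy:1", pre),
             ("nat:PREROUTING:rule:1", pre), ("mangle:FORWARD:policy:1", fwd),
             ("filter:FORWARD:policy:1", fwd), ("mangle:POSTROUTING:policy:1", post),
             ("nat:POSTROUTING:rule:1", post)]
    return ["Oct  5 %s debianvm kernel: [ 2725.899816] TRACE: %s %s" % (stamp, h, f)
            for h, f in hooks]

SAMPLE_LOG = "\n".join(sample_syn("15:59:01", 59652) + sample_syn("15:59:02", 59653))

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print("%-20s %s" % (key, value))
```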
