I have a box with 2 real interfaces and one more virtual:
eth0 - to the internet (193....
eth1 - to the local net (192.168..)
tun0 - to another ISP

The routing is: all the free/local classes I send directly on eth0; the rest of the internet I send through tun0.
The admin of tun0 wants me to SNAT all the packets with my end of the tun0 interface IP,
and I SNAT all the traffic that goes to the local/free nets.


The problem is that on tun0 I see packets with source address my eth0 and destination somewhere in the internet, and they are only ACKs (I also see NATed traffic). Why????

I'll start with some configs and at the end some discoveries:

So "ip rule" looks like:

0:      from all lookup local
32516:  from 192.168.40.0/24 lookup metro
32517:  from 192.168.40.254 lookup tunel
32518:  from 192.168.40.253 lookup tunel
..........
32765:  from 192.168.40.2 lookup tunel
32766:  from all lookup main
32767:  from all lookup default


An "ip route list table metro" has entries like: 84...0/17 via 193. dev eth0

An "ip route list table tunel" is only a default:
default via 10.0.1.1 dev tun0

And main has the directly connected nets and a default through eth0.

The iptables looks like:

filter - empty
mangle - marks traffic for the tc part
nat - only
Chain POSTROUTING
  481 52825 SNAT all -- * tun0 192.168.40.0/24 0.0.0.0/0 to:10.0.1.2
  0     0 SNAT all -- * eth0 192.168.40.100 0.0.0.0/0 to:IP_IF_ETH0
........................


A tcpdump on tun0 (tcpdump -i tun0 -n | grep -v 10.0.1.2) gets:

IP_IF_ETH0.8181 > 24.129.71.219.42694: ack 2449728106 win 33870 (DF)
IP_IF_ETH0.8181 > 24.129.71.219.42694: ack 1 win 33870 (DF)
IP_IF_ETH0.8181 > 81.208.36.95.9195: . ack 272319646 win 65225 (DF)


So I began to put accounting/logging rules in iptables with -s IP_IF_ETH0; I did it in nat POSTROUTING and in filter OUTPUT, INPUT, FORWARD, and I got on OUTPUT:


Oct 10 04:10:39 kernel: IN= OUT=eth0 SRC=IP_IF_ETH0 DST=83.175.129.103 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8181 DPT=4894 WINDOW=0 RES=0x00 ACK RST URGP=0

So it's a locally generated packet that is marked to get out on eth0, but it gets out on tun0. I presume (please confirm) that the label of the interface is put on by the output routing, and when it gets to the OUTPUT conntrack it is marked to get out on tun0 but that doesn't modify the label, so it doesn't match my SNAT rule with -o tun0.

How can I solve the problem? I don't see how; either the config is bad, or it's a bug :-)))

C
_______________________________________________
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
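As an added example, not code from the original post or the LARTC project, the following script turns the two kinds of diagnostic output shown above (the `tcpdump -n` capture on tun0 and the kernel's iptables LOG line) into a check for the symptom described: packets leaving the tunnel that still carry the eth0 source address instead of the SNAT address 10.0.1.2. The sample lines are constructed from the post; `IP_IF_ETH0` stands in for the real eth0 address exactly as it does in the post, and the fourth tcpdump line (a correctly SNATed SYN) is invented to show a packet that is not flagged.

```python
"""Flag packets leaving a tunnel interface without the expected SNAT source.

Added example, not part of the original post. Parses tcpdump -n lines
captured on tun0 and iptables LOG lines, and reports packets whose
source is not the tunnel endpoint (10.0.1.2 in the post).
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# The address every packet leaving tun0 should carry after the
# "-o tun0 ... SNAT to:10.0.1.2" rule in the post.
TUNNEL_SNAT_SRC = "10.0.1.2"

# One `tcpdump -n` line: "SRC.SPORT > DST.DPORT: <tcp summary>"
_TCPDUMP_RE = re.compile(
    r"^(?:IP\s+)?(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)
# KEY=VALUE tokens of an iptables LOG line; bare tokens (DF, ACK, RST) are flags.
_KV_RE = re.compile(r"^([A-Z]+)=(.*)$")

# Constructed sample input (first three lines copied from the post's capture,
# fourth line invented: a correctly SNATed packet that must not be flagged).
SAMPLE_TCPDUMP = [
    "IP_IF_ETH0.8181 > 24.129.71.219.42694: ack 2449728106 win 33870 (DF)",
    "IP_IF_ETH0.8181 > 24.129.71.219.42694: ack 1 win 33870 (DF)",
    "IP_IF_ETH0.8181 > 81.208.36.95.9195: . ack 272319646 win 65225 (DF)",
    "10.0.1.2.40000 > 81.208.36.95.80: S 10:10(0) win 5840 <mss 1460>",
]
# The OUTPUT LOG line from the post.
SAMPLE_LOG = (
    "Oct 10 04:10:39 kernel: IN= OUT=eth0 SRC=IP_IF_ETH0 DST=83.175.129.103 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8181 DPT=4894 "
    "WINDOW=0 RES=0x00 ACK RST URGP=0"
)


def parse_tcpdump_line(line: str) -> Optional[Dict[str, Any]]:
    """Split a tcpdump line into src/sport/dst/dport and mark pure ACKs."""
    m = _TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    pkt: Dict[str, Any] = m.groupdict()
    # tcpdump prints "." when no flag other than ACK is set and "ack N" for
    # the acknowledgement; either prefix means the segment is a bare ACK.
    pkt["pure_ack"] = pkt["rest"].startswith((". ", "ack "))
    return pkt


def parse_log_line(line: str) -> Dict[str, Any]:
    """Parse the kernel's iptables LOG format into fields plus a FLAGS set."""
    fields: Dict[str, Any] = {}
    flags = set()
    for tok in line.split("kernel:", 1)[-1].split():
        m = _KV_RE.match(tok)
        if m:
            fields[m.group(1)] = m.group(2)
        else:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def find_unsnated(lines: List[str], expected_src: str = TUNNEL_SNAT_SRC) -> List[Dict[str, Any]]:
    """Return packets seen on the tunnel whose source is not the SNAT address.

    These are the packets the post describes: they left via tun0 but kept the
    eth0 address, so the -o tun0 SNAT rule never rewrote them.
    """
    leaks = []
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt and pkt["src"] != expected_src:
            leaks.append(pkt)
    return leaks


def summarize(leaks: List[Dict[str, Any]]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Count leaked packets per (src, dst); second number is how many were pure ACKs."""
    counts: Dict[Tuple[str, str], Tuple[int, int]] = {}
    for pkt in leaks:
        key = (pkt["src"], pkt["dst"])
        total, acks = counts.get(key, (0, 0))
        counts[key] = (total + 1, acks + int(pkt["pure_ack"]))
    return counts


def routing_mismatch(log_fields: Dict[str, Any], observed_iface: str) -> bool:
    """True when OUTPUT logged one egress interface but the packet was captured on another.

    This is the post's symptom: OUT=eth0 in the log, yet the packet appears on tun0.
    """
    return log_fields.get("OUT") != observed_iface


if __name__ == "__main__":
    leaks = find_unsnated(SAMPLE_TCPDUMP)
    for (src, dst), (n, acks) in summarize(leaks).items():
        print(f"{src} -> {dst}: {n} un-SNATed packet(s), {acks} pure ACK(s)")
    log = parse_log_line(SAMPLE_LOG)
    print("OUTPUT logged egress:", log["OUT"],
          "- mismatch with tun0 capture:", routing_mismatch(log, "tun0"))
```

Run against a live capture by piping `tcpdump -i tun0 -n -l` into `find_unsnated` line by line; any hit is a packet that bypassed the SNAT rule, and `routing_mismatch` on the matching OUTPUT LOG entry confirms the egress interface changed after the OUTPUT hook, which is the behaviour the post asks about.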
