Re: [Shorewall-users] Difficult NAT problem

Tom Eastep Fri, 04 May 2018 16:47:03 -0700

On 05/04/2018 11:19 AM, Norman Henderson wrote:
> Hello again Tom, After a busy week I got back to this and I have some
> interesting data. After a bit more than 2 hours of monitoring, in
> tcpdump I found the time that the first packets start to be directed
> (inappropriately) via wlan1 to the address that was the original
> destination, 10.1.0.252.
> Around that time I found the following conntrack -E entries (readable
> times added):
>
> 08:47:57 [1525420077.899523][DESTROY] udp      17 src=10.1.0.3
> dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40
> sport=5060 dport=5060 [ASSURED] delta-time=1423
> 08:48:14 [1525420094.949138]    [NEW] udp      17 3607 src=10.1.0.3
> dst=10.1.0.252 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.35
> dst=192.168.1.40 sport=5060 dport=5060 helper=sip
> 08:48:39 [1525420119.414182][UPDATE] udp      17 3600 src=10.1.0.3
> dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40
> sport=5060 dport=5060 helper=sip
> 08:48:39 [1525420119.414356][UPDATE] udp      17 3600 src=10.1.0.3
> dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40
> sport=5060 dport=5060 [ASSURED] helper=sip
> 09:04:39 [1525421079.191758][DESTROY] udp      17 src=10.1.0.3
> dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40
> sport=5060 dport=5060 [ASSURED] delta-time=985
> 09:04:39 [1525421079.791446]    [NEW] udp      17 3613 src=10.1.0.3
> dst=10.1.0.252 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.35
> dst=10.1.0.3 sport=5060 dport=5060 helper=sip
> Suddenly the DST address is different.
>
> The corresponding tcpdump data on vlan1 is:
> 09:03:12.540129 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: REGISTER
> sip:10.1.0.252 SIP/2.0
> 09:03:12.570423 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 200 OK
> 09:03:14.969710 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP
> 09:03:39.763456 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> sip:10.1.0.252 SIP/2.0
> 09:03:39.790185 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 504
> Server Time-out
> 09:03:39.790307 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 504
> Server Time-out
> 09:03:39.790426 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 504
> Server Time-out
> 09:04:14.970098 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP
> 09:04:39.791168 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> sip:10.1.0.252 SIP/2.0
> 09:04:39.791424 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0
> 09:04:40.791264 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> sip:10.1.0.252 SIP/2.0
> 09:04:40.791467 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0
> 09:04:41.790606 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> sip:10.1.0.252 SIP/2.0
> 09:04:41.790809 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0
> 09:04:42.791197 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> sip:10.1.0.252 SIP/2.0
> 09:04:42.791402 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0
> 09:04:43.790635 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> sip:10.1.0.252 SIP/2.0
> 09:04:43.790846 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0
> 09:04:53.791447 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> sip:10.1.0.252 SIP/2.0
> Before and after that section, the addresses on vlan1 are always
> 10.1.0.3 and 10.1.0.252 as they should be.
>
> I also was running tcpdump on wlan1:
> (earlier entries are all between 192.168.1.40 and 192.168.1.35)
> 09:04:14.970293 IP 192.168.1.40.5060 > 192.168.1.35.5060: SIP
> 09:04:53.791704 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0
> 09:04:54.791616 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0
> 09:04:55.792774 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0
> (subsequent entries are all from 10.1.0.3 to 192.168.1.35 without
> responses)
>
> The most interesting part perhaps is syslog, including the output of
> shorewall iptrace -p udp --destination-port 5060:
> May  4 09:04:09 voyage3 dhclient[1664]: DHCPREQUEST of 192.168.1.40 on
> wlan1 to 192.168.1.35 port 67 (xid=0x5104a2ea)
> May  4 09:04:14 voyage3 kernel: [477354.231212] TRACE:
> raw:PREROUTING:rule:13 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=31 TOS=0x00 PREC=0x60
>  TTL=64 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> May  4 09:04:14 voyage3 kernel: [477354.231243] TRACE:
> raw:PREROUTING:policy:14 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=31 TOS=0x00 PREC=0x
> 60 TTL=64 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> May  4 09:04:14 voyage3 kernel: [477354.231267] TRACE:
> mangle:PREROUTING:policy:1 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=31 TOS=0x00 PREC=
> 0x60 TTL=64 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> May  4 09:04:14 voyage3 kernel: [477354.231297] TRACE:
> mangle:FORWARD:rule:1 IN=vlan1 OUT=wlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=31 TOS=0x00 PRE
> C=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> May  4 09:04:14 voyage3 kernel: [477354.231315] TRACE:
> mangle:FORWARD:policy:2 IN=vlan1 OUT=wlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=31 TOS=0x00 P
> REC=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> May  4 09:04:14 voyage3 kernel: [477354.231332] TRACE:
> filter:FORWARD:rule:1 IN=vlan1 OUT=wlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=31 TOS=0x00 PRE
> C=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> May  4 09:04:14 voyage3 kernel: [477354.231353] TRACE:
> filter:clean_frwd:rule:2 IN=vlan1 OUT=wlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=31 TOS=0x00
> PREC=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> May  4 09:04:14 voyage3 kernel: [477354.231368] TRACE:
> mangle:POSTROUTING:policy:1 IN= OUT=wlan1 SRC=10.1.0.3
> DST=192.168.1.35 LEN=31 TOS=0x00 PREC=0x60 TTL=63 ID=37212 PROTO=UDP
> SPT=5060 DPT
> =5060 LEN=11
> May  4 09:04:24 voyage3 dhclient[1664]: message repeated 3 times: [
> DHCPREQUEST of 192.168.1.40 on wlan1 to 192.168.1.35 port 67
> (xid=0x5104a2ea)]
> May  4 09:04:34 voyage3 dhclient[1664]: DHCPREQUEST of 192.168.1.40 on
> wlan1 to 255.255.255.255 port 67 (xid=0x5104a2ea)
> May  4 09:04:39 voyage3 avahi-daemon[980]: Withdrawing address record
> for 192.168.1.40 on wlan1.
> May  4 09:04:39 voyage3 avahi-daemon[980]: Leaving mDNS multicast
> group on interface wlan1.IPv4 with address 192.168.1.40.
> May  4 09:04:39 voyage3 avahi-daemon[980]: Interface wlan1.IPv4 no
> longer relevant for mDNS.
> May  4 09:04:39 voyage3 dhclient[1664]: DHCPDISCOVER on wlan1 to
> 255.255.255.255 port 67 interval 3 (xid=0xd862dc03)
> May  4 09:04:39 voyage3 kernel: [477379.054124] TRACE:
> raw:PREROUTING:rule:13 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:39 voyage3 kernel: [477379.054148] TRACE:
> raw:PREROUTING:policy:14 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:39 voyage3 kernel: [477379.054169] TRACE:
> mangle:PREROUTING:policy:1 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:39 voyage3 kernel: [477379.054184] TRACE:
> nat:PREROUTING:rule:1 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:39 voyage3 kernel: [477379.054224] TRACE:
> mangle:FORWARD:rule:1 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:39 voyage3 kernel: [477379.054236] TRACE:
> mangle:FORWARD:policy:2 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:39 voyage3 kernel: [477379.054248] TRACE:
> filter:FORWARD:rule:1 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:39 voyage3 kernel: [477379.054262] TRACE:
> filter:clean_frwd:rule:1 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:39 voyage3 kernel: [477379.054276] TRACE:
> filter:dynamic:return:1 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:39 voyage3 kernel: [477379.054288] TRACE:
> filter:clean_frwd:rule:4 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:39 voyage3 kernel: [477379.054297] TRACE:
> mangle:POSTROUTING:policy:1 IN= OUT=vlan1 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:39 voyage3 kernel: [477379.054306] TRACE:
> nat:POSTROUTING:policy:3 IN= OUT=vlan1 SRC=10.1.0.3 DST=192.168.1.35
> LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP SPT=5060 DPT=5060
> LEN=525
> May  4 09:04:40 voyage3 kernel: [477380.054284] TRACE:
> raw:PREROUTING:rule:13 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37214 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:40 voyage3 kernel: [477380.054308] TRACE:
> raw:PREROUTING:policy:14 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37214 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:40 voyage3 kernel: [477380.054326] TRACE:
> mangle:PREROUTING:policy:1 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37214 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:40 voyage3 kernel: [477380.054360] TRACE:
> mangle:FORWARD:rule:1 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:40 voyage3 kernel: [477380.054373] TRACE:
> mangle:FORWARD:policy:2 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:40 voyage3 kernel: [477380.054386] TRACE:
> filter:FORWARD:rule:1 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:40 voyage3 kernel: [477380.054400] TRACE:
> filter:clean_frwd:rule:1 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:40 voyage3 kernel: [477380.054414] TRACE:
> filter:dynamic:return:1 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:40 voyage3 kernel: [477380.054427] TRACE:
> filter:clean_frwd:rule:4 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:40 voyage3 kernel: [477380.054437] TRACE:
> mangle:POSTROUTING:policy:1 IN= OUT=vlan1 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:41 voyage3 ntpd[2704]: Deleting interface #80 wlan1,
> 192.168.1.40#123, interface stats: received=0, sent=15, dropped=0,
> active_time=992 secs
> May  4 09:04:41 voyage3 kernel: [477381.053708] TRACE:
> raw:PREROUTING:rule:13 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37215 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:41 voyage3 kernel: [477381.053731] TRACE:
> raw:PREROUTING:policy:14 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37215 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:41 voyage3 kernel: [477381.053750] TRACE:
> mangle:PREROUTING:policy:1 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37215 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:41 voyage3 kernel: [477381.053783] TRACE:
> mangle:FORWARD:rule:1 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:41 voyage3 kernel: [477381.053795] TRACE:
> mangle:FORWARD:policy:2 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:41 voyage3 kernel: [477381.053807] TRACE:
> filter:FORWARD:rule:1 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:41 voyage3 kernel: [477381.053821] TRACE:
> filter:clean_frwd:rule:1 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:41 voyage3 kernel: [477381.053835] TRACE:
> filter:dynamic:return:1 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:41 voyage3 kernel: [477381.053847] TRACE:
> filter:clean_frwd:rule:4 IN=vlan1 OUT=vlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:41 voyage3 kernel: [477381.053856] TRACE:
> mangle:POSTROUTING:policy:1 IN= OUT=vlan1 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:42 voyage3 dhclient[1664]: DHCPDISCOVER on wlan1 to
> 255.255.255.255 port 67 interval 8 (xid=0xd862dc03)
> ...
> similar
> ...
> May  4 09:04:50 voyage3 dhclient[1664]: DHCPDISCOVER on wlan1 to
> 255.255.255.255 port 67 interval 9 (xid=0xd862dc03)
> May  4 09:04:50 voyage3 dhclient[1664]: DHCPREQUEST of 192.168.1.40 on
> wlan1 to 255.255.255.255 port 67 (xid=0x3dc62d8)
> May  4 09:04:50 voyage3 dhclient[1664]: DHCPOFFER of 192.168.1.40 from
> 192.168.1.35
> May  4 09:04:50 voyage3 dhclient[1664]: DHCPACK of 192.168.1.40 from
> 192.168.1.35
> May  4 09:04:50 voyage3 systemd[1]: Reloading LSB: start Samba
> SMB/CIFS daemon (smbd).
> May  4 09:04:50 voyage3 smbd[4693]:  * Reloading /etc/samba/smb.conf smbd
> May  4 09:04:50 voyage3 smbd[4693]:    ...done.
> May  4 09:04:50 voyage3 systemd[1]: Reloaded LSB: start Samba SMB/CIFS
> daemon (smbd).
> May  4 09:04:50 voyage3 avahi-daemon[980]: Joining mDNS multicast
> group on interface wlan1.IPv4 with address 192.168.1.40.
> May  4 09:04:50 voyage3 avahi-daemon[980]: New relevant interface
> wlan1.IPv4 for mDNS.
> May  4 09:04:50 voyage3 avahi-daemon[980]: Registering new address
> record for 192.168.1.40 on wlan1.IPv4.
> May  4 09:04:50 voyage3 dhclient[1664]: bound to 192.168.1.40 --
> renewal in 30 seconds.
> May  4 09:04:52 voyage3 ntpd[2704]: Listen normally on 81 wlan1
> 192.168.1.40:123 <http://192.168.1.40:123>
> May  4 09:04:52 voyage3 ntpd[2704]: new interface(s) found: waking up
> resolver
> May  4 09:04:53 voyage3 kernel: [477393.055430] TRACE:
> raw:PREROUTING:rule:13 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37218 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:53 voyage3 kernel: [477393.055460] TRACE:
> raw:PREROUTING:policy:14 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37218 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:53 voyage3 kernel: [477393.055484] TRACE:
> mangle:PREROUTING:policy:1 IN=vlan1 OUT=
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37218 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:53 voyage3 kernel: [477393.055509] TRACE:
> mangle:FORWARD:rule:1 IN=vlan1 OUT=wlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:53 voyage3 kernel: [477393.055527] TRACE:
> mangle:FORWARD:policy:2 IN=vlan1 OUT=wlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:53 voyage3 kernel: [477393.055544] TRACE:
> filter:FORWARD:rule:1 IN=vlan1 OUT=wlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:53 voyage3 kernel: [477393.055566] TRACE:
> filter:clean_frwd:rule:1 IN=vlan1 OUT=wlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:53 voyage3 kernel: [477393.055587] TRACE:
> filter:dynamic:return:1 IN=vlan1 OUT=wlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:53 voyage3 kernel: [477393.055608] TRACE:
> filter:clean_frwd:rule:5 IN=vlan1 OUT=wlan1
> MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
> May  4 09:04:53 voyage3 kernel: [477393.055622] TRACE:
> mangle:POSTROUTING:policy:1 IN= OUT=wlan1 SRC=10.1.0.3
> DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> SPT=5060 DPT=5060 LEN=525
>
> So, what it looks like to me, is that the communications device fails
> to respond to DHCP; avahi-daemon (which isn't relevant on this box) is
> taking the interface down; the interface recovers, but
> iptables/shorewall do not, unless and until I do a conntrack -F.
>
> On spec, I have done: systemctl disable/stop
> avahi-daemon.service/.socket. I will be very interested in your
> assessment.
>
> Best regards, Norm
>
Norm,


I believe that dhclient is taking the interface down. Once the interface
is down, the route to 192.168.1.0/24 out of wlan1 is no longer
available. I don't believe you have said which interface has the default
route, but if it isn't wlan1 then when a new connection comes in, no
SNAT/MASQUERADE will occur. When  the interface comes back up, the
conntrack entry created while the interface was down continues to be used.

What is the output of 'shorewall show routing'?

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't 
http://shorewall.org \   understand
                      \_______________________________________________

signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] Difficult NAT problem

Reply via email to