[Bug 554] New: Packet illegally bypassing SNAT

bugzilla-daemon at bugzilla.netfilter.org
Wed Mar 14 20:02:20 CET 2007


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=554

           Summary: Packet illegally bypassing SNAT
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: NAT
        AssignedTo: laforge at netfilter.org
        ReportedBy: renean at gmx.de


I have a router. To the outside world I have to do NAT. All packets going over
the external interface are SNATed by the one and only rule in the
POSTROUTING chain (see below).

What happens is that some packets from my internal net somehow bypass that NAT
and go out with their internal addresses (${SOURCE}). My ISP informed me about
that.

It seems that applications spawning many connections trigger that problem. I
observed it by using bittorrent with many open connections. But it also occurred
once during normal usage of a browser.


My ISP told me that this problem is not new to him and that other people using
Linux-based routers, all with SNAT, have it too.

Affected kernels:       2.6.9   (tested)
                        2.6.12  (tested)
                        2.6.14  (tested)
                        2.6.15  (tested)
                        2.6.18  (tested)
                        2.6.19  (heard)
                        2.6.20  (tested)
                Kernels not listed (in between) were not tested or heard of,
                but it is strongly assumed that they are affected too.

Not affected:           2.4.34  (tested)
                        2.6.8   (tested)

So it seems that this problem was introduced in 2.6.9.

I further tested appending a DROP-rule after the SNAT in the POSTROUTING-chain
but that didn't solve the problem either. The wrong packets can be monitored by
using tcpdump (see reproduction).


Reproduction:

From my internal computer (${SOURCE}) I scanned an external computer
${VICTIM} (willingly), command is:

                nmap -sX ${VICTIM}

On my router I had the command:

                tcpdump -v -i ${EXTERNAL_INTERFACE} src net ${SOURCENET}

Rules in use:

iptables -t nat -F
iptables -F FORWARD     # flush the filter table's FORWARD chain (there is no table named "forward")
iptables -t nat -A POSTROUTING -o ${EXTERNAL_INTERFACE} -j SNAT --to-source ${EXTERNAL_IP}

Forwarding was enabled _after_ installing the iptables rules.

I think that an unusual combination of flags causes that problem, and since
"nmap -sX" has all flags on, it is unusual enough to trigger the problem. But as
said above, it also happens during normal usage.


Instead of the SNAT-rule I also tried:

        iptables -t nat -A POSTROUTING -o ${EXTERNAL_INTERFACE} -j DROP

and no packet got through; from that I conclude that the packets go through the
POSTROUTING chain, thus SNAT must somehow be broken (as a DROP after SNAT did
not drop any packets, see above).

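Added example, not from the bug report or from netfilter: the ruleset described above written as an iptables-save dump, a hardened variant beside it, and a small audit that tells them apart. The point it demonstrates is a well-known cause of exactly this symptom: a packet that conntrack classifies INVALID never traverses the nat table, so SNAT cannot apply to it and it leaves with its internal source address; a DROP appended in nat/POSTROUTING is never reached by such a packet either. Every forwarded packet does traverse filter/FORWARD, which runs before nat/POSTROUTING, so dropping INVALID there closes the gap. Whether this is the cause of this particular report is not something the report establishes. The interface eth0 and the address 203.0.113.10 stand in for ${EXTERNAL_INTERFACE} and ${EXTERNAL_IP} and are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or of netfilter: two constructed
# iptables-save style rulesets and a small audit over them. EXT_IF and EXT_IP
# stand in for the report's ${EXTERNAL_INTERFACE} and ${EXTERNAL_IP} and are
# assumptions (203.0.113.10 is a TEST-NET-3 documentation address).
EXT_IF="eth0"
EXT_IP="203.0.113.10"

# Ruleset in the shape the report describes: one SNAT in nat/POSTROUTING,
# filter/FORWARD wide open.
reporter_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Hardened ruleset. A packet that conntrack classifies INVALID never
# traverses the nat table, so SNAT cannot rewrite it and it would leave with
# its internal source address. filter/FORWARD is traversed by every forwarded
# packet and runs before nat/POSTROUTING, so INVALID is dropped there, with a
# rate-limited log line first so the attempts stay visible.
hardened_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "FWD-INVALID "
-A FORWARD -m state --state INVALID -j DROP
COMMIT
EOF
}

# Audit an iptables-save dump read from stdin. Accepts both the old
# "-m state --state" and the newer "-m conntrack --ctstate" spelling.
# Exit status 0 only when some filter/FORWARD rule drops or rejects INVALID
# packets; otherwise 1.
audit_ruleset() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && /^-A POSTROUTING / && /-j (SNAT|MASQUERADE)/ { snat = 1 }
        table == "nat" && /^-A POSTROUTING / && /-j DROP/ { natdrop = 1 }
        table == "filter" && /^-A FORWARD / && /--(ct)?state [^ ]*INVALID/ && /-j (DROP|REJECT)/ { invdrop = 1 }
        END {
            if (!snat)   print "WARN: no SNAT/MASQUERADE rule in nat/POSTROUTING"
            if (natdrop) print "NOTE: a DROP in nat/POSTROUTING is never reached by INVALID packets"
            if (invdrop) { print "OK: filter/FORWARD drops INVALID packets"; exit 0 }
            print "FAIL: INVALID packets would be forwarded without SNAT"
            exit 1
        }'
}

# When run directly: audit both constructed rulesets. On a live router,
# source this file and run:  iptables-save | audit_ruleset
for rs in reporter_ruleset hardened_ruleset; do
    echo "== $rs"
    $rs | audit_ruleset || true
done
```

The audit is a text check over a dump, so it needs no privileges; on a live router, source the file and pipe `iptables-save` into `audit_ruleset`. The sysctl nf_conntrack_tcp_be_liberal (ip_conntrack_tcp_be_liberal on the older ip_conntrack) makes TCP window tracking lenient and so marks fewer packets INVALID, but it only reduces how often the gap is hit; the drop rule in filter/FORWARD is what prevents an INVALID packet from leaving untranslated.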