Tcpdump before iptables?

Denis Ducamp Denis.Ducamp@hsc.fr
Thu, 26 Jul 2001 09:22:35 +0200


On Thu, Jul 26, 2001 at 08:57:45AM +0200, Juri Haberland wrote:
> What do you mean?
> If you listen with tcpdump on an interface you see what's on the wire.
> What ever the iptables rules do with that traffic is irrelevant.

Nope, tcpdump receives packets _after_ prerouting, so when you listen on the
Internet interface of a masquerading gateway, you see packets with their
internal address:

# tcpdump -ln -vvv -i any icmp
tcpdump: listening on any
09:06:17.541018 192.168.1.33 > 192.70.106.166: icmp: echo request (DF) (ttl 64, id 0, len 84)
09:06:17.542065 195.132.145.201 > 192.70.106.166: icmp: echo request (DF) (ttl 63, id 0, len 84)
09:06:18.076597 192.70.106.166 > 192.168.1.33: icmp: echo reply (ttl 243, id 12005, len 84)
09:06:18.077173 192.70.106.166 > 192.168.1.33: icmp: echo reply (ttl 242, id 12005, len 84)

To be clear, eth0 == internet, eth1 == internal:
# tcpdump -ln -vvv -i eth0 icmp
tcpdump: listening on eth0
09:08:58.545526 195.132.145.201 > 192.70.106.166: icmp: echo request (DF) (ttl 63, id 0, len 84)
09:08:58.590867 192.70.106.166 > 192.168.1.33: icmp: echo reply (ttl 243, id 12037, len 84)

# tcpdump -ln -vvv -i eth1 icmp
tcpdump: listening on eth1
09:08:58.544443 192.168.1.33 > 192.70.106.166: icmp: echo request (DF) (ttl 64, id 0, len 84)
09:08:58.591354 192.70.106.166 > 192.168.1.33: icmp: echo reply (ttl 242, id 12037, len 84)

In the same way, define a DNAT rule:

/usr/local/bin/iptables -t nat -A PREROUTING -i $IFACE -p tcp -s 0.0.0.0/0 --dport 443 --syn -j DNAT --to 192.168.1.98:8443

and listen on the firewall:
# tcpdump -ln -vvv -i eth0 not port 22 and host 192.70.106.166
tcpdump: listening on eth0
09:20:11.138011 192.70.106.166.2138 > 192.168.1.98.8443: S 2243699144:2243699144(0) win 16060 <mss 1460,sackOK,timestamp 109779214[|tcp]> (DF) [tos 0x10]  (ttl 52, id 12982, len 60)
09:20:14.130908 192.70.106.166.2138 > 192.168.1.98.8443: S 2243699144:2243699144(0) win 16060 <mss 1460,sackOK,timestamp 109779514[|tcp]> (DF) [tos 0x10]  (ttl 52, id 12986, len 60)
09:20:14.133276 195.132.145.201 > 192.70.106.166: icmp: host 195.132.145.201 unreachable for 192.70.106.166.2138 > 195.132.145.201.443: [|tcp] (DF) [tos 0x10]  (ttl 51, id 12986, len 60) (DF) [tos 0xd0]  (ttl 255, id 0, len 108)
09:20:14.133986 195.132.145.201 > 192.70.106.166: icmp: host 195.132.145.201 unreachable for 192.70.106.166.2138 > 195.132.145.201.443: [|tcp] (DF) [tos 0x10]  (ttl 51, id 12982, len 60) (DF) [tos 0xd0]  (ttl 255, id 0, len 108)

while on the source system you could listen:
# tcpdump -ln -vvv -i eth0 not port 22 and host 195.132.145.201
tcpdump: listening on eth0
09:20:11.124797 192.70.106.166.2138 > 195.132.145.201.443: S 2243699144:2243699144(0) win 16060 <mss 1460,sackOK,timestamp 109779214[|tcp]> (DF) [tos 0x10] (ttl 64, id 12982)
09:20:14.120407 192.70.106.166.2138 > 195.132.145.201.443: S 2243699144:2243699144(0) win 16060 <mss 1460,sackOK,timestamp 109779514[|tcp]> (DF) [tos 0x10] (ttl 64, id 12986)
09:20:14.250404 195.132.145.201 > 192.70.106.166: icmp: host 195.132.145.201 unreachable (DF) [tos 0xd0] (ttl 242, id 0)
09:20:14.254215 195.132.145.201 > 192.70.106.166: icmp: host 195.132.145.201 unreachable (DF) [tos 0xd0] (ttl 242, id 0)

(the 192.168.1.98 system is off ;-)

For me this is a bug.
Reported it regularly but never heard any official response.

Denis Ducamp.
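The check a reader of this thread would want to run on their own captures, as an added example that is not part of the original post: parse the old-style `tcpdump -ln -vvv` lines quoted above, flag RFC 1918 addresses showing up on the Internet-facing interface (the symptom Denis describes), and pair the eth0/eth1 records by IP id to see whether the addresses differ between the two capture points. The sample lines are constructed from the post's eth0/eth1 output; the function and field names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the 2001-era "tcpdump -ln -vvv" format quoted in the post
# (eth0 = Internet side, eth1 = internal side of the masquerading gateway).
ETH0 = [
    "09:08:58.545526 195.132.145.201 > 192.70.106.166: icmp: echo request (DF) (ttl 63, id 0, len 84)",
    "09:08:58.590867 192.70.106.166 > 192.168.1.33: icmp: echo reply (ttl 243, id 12037, len 84)",
]
ETH1 = [
    "09:08:58.544443 192.168.1.33 > 192.70.106.166: icmp: echo request (DF) (ttl 64, id 0, len 84)",
    "09:08:58.591354 192.70.106.166 > 192.168.1.33: icmp: echo reply (ttl 242, id 12037, len 84)",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): .*"
    r"\(ttl (?P<ttl>\d+), id (?P<id>\d+), len (?P<len>\d+)\)$"
)

def host_of(endpoint):
    """'192.70.106.166.2138' -> '192.70.106.166'; a bare IPv4 address is returned unchanged."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint

def parse(line):
    """Return the fields this check needs, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": host_of(m["src"]), "dst": host_of(m["dst"]),
            "ttl": int(m["ttl"]), "id": int(m["id"])}

def private_hosts(lines):
    """RFC 1918 addresses seen in a capture. On the Internet-facing interface there should be
    none, so a hit means the capture point is post-NAT (as in the post) or private space is leaking."""
    found = set()
    for rec in filter(None, map(parse, lines)):
        found.update(h for h in (rec["src"], rec["dst"]) if ipaddress.ip_address(h).is_private)
    return found

def match_by_ip_id(outside, inside):
    """Pair eth0/eth1 records by IP id (NAT rewrites addresses, not the id; id 0 is shared by
    many packets and is skipped) and report whether src/dst differ between the two captures."""
    by_id = defaultdict(dict)
    for name, lines in (("eth0", outside), ("eth1", inside)):
        for rec in filter(None, map(parse, lines)):
            if rec["id"]:
                by_id[rec["id"]][name] = rec
    return {ip_id: {"src_rewritten": s["eth0"]["src"] != s["eth1"]["src"],
                    "dst_rewritten": s["eth0"]["dst"] != s["eth1"]["dst"],
                    "ttl_delta": s["eth0"]["ttl"] - s["eth1"]["ttl"]}
            for ip_id, s in by_id.items() if len(s) == 2}
```

On the post's data the reply with id 12037 shows the same internal destination on both interfaces, which is exactly the "already de-NATed on eth0" behaviour the mail complains about; a capture taken on the wire side of the gateway would show it rewritten.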