<0> gug
<1> does anyone know a light, refreshing citrus alcoholic cocktail?
<2> -ELANGUAGE
<3> Gandalf_: it may be an answer to Octavian's gug
<3> ;-)
<2> heh yes but I still don't understand it :)
<1> heh
<1> sorry ;-)
<1> I asked if somebody knew some weak citrus fresh alcoholic cocktail
<1> freshening*
<2> I did get parts of it, I assumed it was something like that :)
<1> wee
<1> ;]
<1> you grep lithuanian!
<2> not really but some words aren't that different, with some thought one could form ideas as to what they mean :)
<4> what would make a packet exist in mangle prerouting and not exist in nat prerouting?
<4> mangle does nothing but log the packet...
<2> the packet is part of an established connection?
<2> only packets with state NEW go through the nat table
<4> it's a SYN/ACK
<2> that doesn't go through the nat table
<4> which is part of new?
<4> oh really?
<2> the SYN goes through the nat table
<4> in that case, what would cause snat to... fail?
<4> i have a packet coming from 10.0.0.5. in the mangle prerouting chain, i mark it. i then have a rule in my kernel that routes it properly. it then goes through SNAT, where i rewrite its source to 195.16.86.213. it leaves the box correctly.
<4> i then get the SYN/ACK in response on the proper (195.16.86.213) destination address.
<4> but it never gets sent back to 10.0.0.5
<2> do you have rp_filter enabled?
<4> i don't know what that is. so i'll assume no?
<4> err, enabled by default, is it?
<2> not enabled by default by the kernel, but iirc a few distributions enable it by default
<2> cat /proc/sys/net/ipv4/conf/*/rp_filter
<2> 1 means enabled
<2> rp_filter means reverse path filtering, a kind of packet filter based on the routing table (the main routing table, not the other ones)
<4> # cat /proc/sys/net/ipv4/conf/all/rp_filter
<4> 1
<2> disable it on the interface where the SYN/ACK packet is received and it should work
<4> whoa. score.
<4> thanks. what exactly does rp_filter do?
<4> some kind of spoof protection?
<4> shouldn't the fact that i'm NATting it avoid the spoof filter?
<2> yes
<2> no
<2> it's not the NAT that is the problem, it's the multiple routing tables that's the problem
<2> incoming packets are verified against the _main_ routing table, not the one that you used to send out the packet
<2> NAT is only a small part of the whole situation
<4> oh!
<4> of course, of course...
<2> what rp_filter does is that for each incoming packet it takes the source and destination addresses of the packet and "creates" an inverted packet (with source and destination switched) and then a route lookup is performed
<4> i see. and mine was confused because the flipped packet was not what the actual rule matched.
<4> correct?
<2> yes
<2> different outgoing interface
<2> different from the interface where the packet came in
<2> thus, it could be spoofed
<4> right. but what halfway decent ISP doesn't do spoof filtering these days?
<4> Gandalf_: different from the interface where the packet came in
<4> (in quotes)
<4> is it different because of where it came in, or because of where it would normally be routed BASED ON where it came in?
<4> anyway. thanks for your help. when i hit return, i believe i should be disconnected from irc.