little problem with nat , resending packets to wrong destination.

From: bladi (
Date: Tue May 07 2002 - 02:41:37 EST

Hi the last day a notice a extrange thing with my packetsniffer one host
recive a packet that i request from the linux "router"


-----ppp0 modem-- [Linux router]eth0------[Honneypot]---


i have 2 rules in iptables

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A PREROUTING --in-interface ppp0 --protocol tcp
--destination-port ! ssh --jump DNAT --to-destination

I usaly use the linux router to work and the honneypot to fun & profit.

i always exeute tcpdump -i eth0 -s 9000 -w LOGFILE on the router

The last day when im making a revision of the log , i discover that in
the log i could raead a "response" of an http request that i do from
router linux ( i make a the request to external site over ppp

unfornatly i only have the snoop of the ppp0 interface. = external server

1) i make http request to server
2) i read the web contents correctly
3) aparently the kernel forward the response to (honeypot)

#tcpdump -r JAULA6 -n 'tcp port 80 && host'

03:28:03.303637 > .
3888813151:3888814599(1448) ack 2877177511 win 6710 <nop,nop,timestamp
110497018 7927497> (DF)
03:28:03.304382 > R
2877177511:2877177511(0) win 0

#tcpdump -r JAULA6 -n 'tcp port 3000 && host'

03:17:04.803886 > P
3209289308:3209289324(16) ack 2224478666 win 6720 <nop,nop,timestamp
110431569 7862787> (DF)
03:17:04.804585 > R
2224478666:2224478666(0) win 0

In the 2 case the honneypot respond with rst because he dont start the

This happend rarely only 2 times in 1 day :|


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

This archive was generated by hypermail 2b29 : Tue May 07 2002 - 22:00:28 EST