2.0.33: IP MASQ subtly BROKEN

linux kernel account (linker@nightshade.z.ml.org)
Thu, 1 Jan 1998 23:05:06 -0500 (EST)


Okay, here's the deal:

[internet] - [isp] - [portmaster] ---- [2.0.33 masq box] - [linux computers]

If I open an ssh from a [linux computer] to some place on the internet,
the tcpdump should look like:

(simulated tcpdump to protect the innocent)
(ssh connection supposedly from limelight (on inside) to nightshade on internet)

----------------------------IT SHOULD BE LIKE THIS-------------------------
[masq box]# tcpdump -i eth0
23:56:55.234550 limelight.1023 > nightshade.ssh: P 6320:6340(20) ack 6361 win
65280 (DF) [tos 0x10]
23:56:55.364550 nightshade.ssh > limelight.1023: . ack 6321 win 32736 (DF)
[tos 0x10]

[masq box]# tcpdump -i ppp0
23:56:55.234550 nullc.61113 > nightshade.ssh: P 6320:6340(20) ack 6361 win
65280 (DF) [tos 0x10]
23:56:55.364550 nightshade.ssh > nullc.61113: . ack 6321 win 32736 (DF)
[tos 0x10]
---------------------------------------------------------------------------

Unfortunately it isn't..
The eth0 dump is right.. Here is the ppp0 dump:

[masq box]# tcpdump -i ppp0
23:56:55.234550 nullc.61113 > nightshade.ssh: P 6320:6340(20) ack 6361 win
65280 (DF) [tos 0x10]
23:56:55.364550 nightshade.ssh > limelight.1023: . ack 6321 win 32736 (DF)
[tos 0x10]

Notice the destination address of the second packet.
Now, if this were ACTUALLY the case, masq would not work at all!
This is claiming that limelight's address is mentioned on the outside!!!!!

A tcpdump at the ISP reveals that the dump actually is:

---------------------------------------------------------
[isp]# tcpdump -i eth0
23:56:55.234550 nullc.61113 > nightshade.ssh: P 6320:6340(20) ack 6361 win
65280 (DF) [tos 0x10]
23:56:55.364550 nightshade.ssh > nullc.61113: . ack 6321 win 32736 (DF)
[tos 0x10]
---------------------------------------------------------

So what's happening: a subtle bug in IP masquerading is causing the incoming
packets to be 'demasqueraded' on the ppp interface before they cross the
firewall, thus causing tcpdump to lie.

Now, this is obviously a bug.. But I have only found one consequence, and
that is that diald's automatic shutdown of closed connections does not
work through IP masq anymore because of this. I'm sure this could break
other network monitoring tools, and it is 'just not right'.

I'd fix it myself.. But there have been so many ipmasq changes I don't know
where to start...... I'm at my wits' end here with this one..

Anyways, I have pinpointed the problem.. I leave it to the gurus to fix
it.. Thanks.
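The check the poster did by eye (comparing the inside and outside captures and spotting an inside address on the external interface) can be automated. The script below is an added example, not code from the post or from the kernel: it parses the BSD-style tcpdump header lines quoted above, flags any packet on the external-interface capture that still names an inside host (either direction), and rewrites an inside-interface capture into the view a correctly masquerading box should present outside. The host names, the masqueraded port mapping and the sample dumps are constructed from the post's simulated output; a real run would feed it captures taken with `tcpdump -i ppp0` and `tcpdump -i eth0` on the masq box.

```python
"""Consistency check for a masquerading box's tcpdump output (added example).

Given a capture taken on the external (ppp0) interface, flag any packet that
still carries an inside host's address; given the inside (eth0) capture and
the masquerade port mapping, compute what the external capture should show.
"""
import re
from typing import Dict, List, Set, Tuple

Packet = Tuple[str, str, str, str]  # (src_host, src_port, dst_host, dst_port)

# Header line of the BSD-style tcpdump output quoted in the post, e.g.
#   "23:56:55.234550 limelight.1023 > nightshade.ssh: P 6320:6340(20) ..."
# Wrapped continuation lines ("65280 (DF) [tos 0x10]") do not match and are skipped.
TCP_HEADER = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<src>[\w.-]+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>[\w.-]+)\.(?P<dport>\w+):"
)


def parse_tcp_lines(dump: str) -> List[Packet]:
    """Extract (src, sport, dst, dport) from every tcpdump TCP header line."""
    packets = []
    for line in dump.splitlines():
        m = TCP_HEADER.match(line.strip())
        if m:
            packets.append((m["src"], m["sport"], m["dst"], m["dport"]))
    return packets


def find_internal_leaks(outside_dump: str, internal_hosts: Set[str]) -> List[Tuple[str, Packet]]:
    """Return packets in an external-interface capture that name an inside host.

    On a correctly masquerading box the outside interface never shows an inside
    address: outbound packets carry the masq box's own address, and inbound
    replies are still addressed to the masq box when they are captured.
    """
    leaks = []
    for pkt in parse_tcp_lines(outside_dump):
        src, _, dst, _ = pkt
        if src in internal_hosts:
            leaks.append(("outbound packet not masqueraded", pkt))
        elif dst in internal_hosts:
            leaks.append(("inbound packet already demasqueraded", pkt))
    return leaks


def expected_outside_view(inside_dump: str, internal_hosts: Set[str],
                          masq_host: str, port_map: Dict[Tuple[str, str], str]) -> List[Packet]:
    """Rewrite an inside-interface capture the way masquerading should present it outside.

    port_map maps (inside_host, inside_port) -> masqueraded port on masq_host,
    i.e. the masq table entry created when the inside host opened the connection.
    """
    rewritten = []
    for src, sport, dst, dport in parse_tcp_lines(inside_dump):
        if src in internal_hosts:                  # outbound: source is rewritten
            src, sport = masq_host, port_map[(src, sport)]
        elif dst in internal_hosts:                # inbound: reply targets the masq port
            dst, dport = masq_host, port_map[(dst, dport)]
        rewritten.append((src, sport, dst, dport))
    return rewritten


# Constructed sample data, using the host names from the post's simulated dumps.
INTERNAL = {"limelight"}
MASQ_HOST = "nullc"
PORT_MAP = {("limelight", "1023"): "61113"}

ETH0_DUMP = """\
23:56:55.234550 limelight.1023 > nightshade.ssh: P 6320:6340(20) ack 6361 win
65280 (DF) [tos 0x10]
23:56:55.364550 nightshade.ssh > limelight.1023: . ack 6321 win 32736 (DF)
[tos 0x10]
"""
PPP0_CORRECT = """\
23:56:55.234550 nullc.61113 > nightshade.ssh: P 6320:6340(20) ack 6361 win
65280 (DF) [tos 0x10]
23:56:55.364550 nightshade.ssh > nullc.61113: . ack 6321 win 32736 (DF)
[tos 0x10]
"""
PPP0_OBSERVED = """\
23:56:55.234550 nullc.61113 > nightshade.ssh: P 6320:6340(20) ack 6361 win
65280 (DF) [tos 0x10]
23:56:55.364550 nightshade.ssh > limelight.1023: . ack 6321 win 32736 (DF)
[tos 0x10]
"""

if __name__ == "__main__":
    for label, dump in (("correct ppp0", PPP0_CORRECT), ("observed ppp0", PPP0_OBSERVED)):
        leaks = find_internal_leaks(dump, INTERNAL)
        print(f"{label}: {len(leaks)} inside address(es) visible on the outside interface")
        for reason, pkt in leaks:
            print(f"  {reason}: {pkt[0]}.{pkt[1]} > {pkt[2]}.{pkt[3]}")
    print("expected ppp0 from eth0:", expected_outside_view(ETH0_DUMP, INTERNAL, MASQ_HOST, PORT_MAP))
```

The observed ppp0 dump from the post produces exactly one finding, the inbound reply already addressed to limelight, which is the symptom the post describes; the ISP-side dump and the expected view computed from the eth0 capture produce none.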