Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Redirecting ports with netfilter: unexpected varying results
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Rexilion
Veteran
Veteran


Joined: 17 Mar 2009
Posts: 1044

PostPosted: Tue Oct 18, 2011 6:01 pm    Post subject: Redirecting ports with netfilter: unexpected varying results Reply with quote

Simplified explanation in post #2 with new observations

Hey all,

Lately I have been experimenting with the wonderful IPSEC stack. After a lot of struggling (and passing the various implementations racoon->openswan->strongswan). I managed to get everything working. However, I noticed someting odd whenever I try to redirect the packets. What I try to do is make the packets use another IKE port (instead of the default 500/udp). The relevant firewall configuration is stated below.

The problem in a nutshell (enable port redirection):
- Local connection: Whenever my laptop is inside the same local network as my server (in other words: I'm at home), this succeeds.
- Remote connection: Whenever I try to connect using the internet modem of my phone (mobile internet), this succeeds.
- Remote connection: Whenever my laptop is at school connecting fails. (!)

Whenever I disable port redirection, all three setups succeed. (!)

Conclusion: port redirection makes connecting from school fail. Why?

One thing that is inherently different between the mobile internet connection and the connection from school is that whenever I use the mobile internet, my connection is NAT-ed through a gateway. Hence the local IP of the laptop is different from the source IP the server receives when I use mobile internet. But when I'm at school, this is not the case. The local IP the laptop receives is the one that is 'used' to access the world wide web. So that connection is not NAT-ed, but just forwarded through a gateway.
The above might seem like a possible clue, but I don't see how or why the difference in network architecture could affect this. One would expect that port redirecting fails whenever something else is NAT-ing it as well (so, mobile broadband fails and school succeeds). But the opposite is actually the case.

I have no idea how to proceed. I have no single clue as of why connecting from school fails and why connecting from mobile internet succeeds. Please note, that the entire setup (especially netfilter, ipsec.conf, kernel configuration) on both of my machines is the same in all three situations.

So, I suppose is not an issue with my ipsec.conf or my kernel configuration. If anyone wants these files, please ask and I shall post them.

I will describe my setup now:

Both client and server are running:
- Linux 3.0
- Strongswan 4.5.3
- - tunnel mode
- - ikev2
- - nat traversal (4500/udp) is always used

Server:
Firewall: iptables -A PREROUTING -p udp -m udp --dport 56301 -m addrtype --dst-type LOCAL -j REDIRECT --to-port 500

Client:
Firewall: iptables -A OUTPUT -p udp -m udp --dport 500 -j DNAT --to-destination :56301 --persistent

Packet dump from attempted connection from school:

Server:
Quote:
17:05:44.794566 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 29) 10.1.9.253.56301 > 130.37.154.14.isakmp: [udp sum ok] [|isakmp]
17:05:44.817648 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 788) 130.37.154.14.isakmp > 10.1.9.253.56301: [|isakmp]
17:05:44.819641 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 493) 10.1.9.253.56301 > 130.37.154.14.isakmp: [|isakmp]
17:05:46.925299 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 788) 130.37.154.14.isakmp > 10.1.9.253.56301: [|isakmp]
17:05:46.926450 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 493) 10.1.9.253.56301 > 130.37.154.14.isakmp: [|isakmp]


This pattern continous indefinitly as the server responds but never receives a reply.

Client (replaced my external ip):
Quote:
17:05:48.523138 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 788) 130.37.154.14.isakmp > 144-144-144-144.ip.telfort.nl.56301: [|isakmp]
17:05:50.523711 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 788) 130.37.154.14.isakmp > 144-144-144-144.ip.telfort.nl.56301: [|isakmp]
17:05:52.524039 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 788) 130.37.154.14.isakmp > 144-144-144-144.ip.telfort.nl.56301: [|isakmp]
17:05:54.524365 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 788) 130.37.154.14.isakmp > 144-144-144-144.ip.telfort.nl.56301: [|isakmp]
17:05:56.560383 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 788) 130.37.154.14.isakmp > 144-144-144-144.ip.telfort.nl.56301


This pattern continous indefinitly as the client tries to reconnect but never receives an answer.

I have the complete raw packet dump if anyone would like to see them.

=Rexilion=


Last edited by Rexilion on Thu Oct 20, 2011 5:30 pm; edited 1 time in total
Back to top
View user's profile Send private message
Rexilion
Veteran
Veteran


Joined: 17 Mar 2009
Posts: 1044

PostPosted: Thu Oct 20, 2011 5:28 pm    Post subject: Reply with quote

*Polite bump*

I did some more testing today. I figured out that whenever I use a LAN-cable at school, the laptop is behind a gateway that does NAT (in contrast to connecting wireless to the network). Whenever I try connecting to home with port redirection, it works. So that makes stuff a lot simpler:

The layout:

Strongswan Server --- Home Gateway --- --- --- The Internet --- --- --- University Gateway --- Strongswan Cliënt

- If the University Gateway does NAT on the connection: Success
- If the University Gateway does not NAT (just forward) on the connection: Fail

I also tried to use DNAT instead of REDIRECT at the server, but this does not change the situation.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum