
I have a tunnel set up on interface vti68. I am NATing both the source and destination.

  • The host has 10.1.30.51 as local, and 172.16.0.80 as remote.

  • Traffic in the tunnel is translated such that 10.45.89.4 is local and 192.168.7.5 is remote.

ip rule add fwmark 0x44 lookup table68
ip route add table table68 default dev vti68

sysctl -w net.ipv4.conf.vti68.rp_filter=0

# use table68 for routing
iptables -t mangle -A OUTPUT -d 172.16.0.56 -j MARK --set-mark 0x44

# NAT
iptables -t raw -A OUTPUT -d 172.16.0.56 -j CT --zone 68
iptables -t nat -A OUTPUT -d 172.16.0.56 -j DNAT --to 192.168.7.5
iptables -t raw -A PREROUTING -i vti68 -d 10.45.89.4 -j CT --zone 68
iptables -t nat -A POSTROUTING -o vti68 -s 10.1.30.51 -j SNAT --to 10.45.89.4

# not necessary for example, but the reverse translation, for completeness
iptables -t nat -A INPUT -i vti68 -s 192.168.7.5 -j SNAT --to 172.16.0.56
iptables -t nat -A PREROUTING -i vti68 -d 10.45.89.4 -j DNAT --to 10.1.30.51

# debug
iptables -t mangle -A OUTPUT -p icmp -j LOG  --log-level=1
iptables -A INPUT -p icmp -j LOG --log-level=1

Pinging the remote server hangs

ping -c1 172.16.0.56

But using the iptables log, I see the packet returning. (Oddly, the SRC of the reply has not been reverse-translated by conntrack, but as far as I can tell that is normal.)

kernel: IN= OUT=vti68 SRC=10.1.30.51 DST=172.16.0.56 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=13082 DF PROTO=ICMP TYPE=8 CODE=0 ID=26071 SEQ=1 
kernel: IN=vti68 OUT= MAC= SRC=192.168.7.5 DST=10.1.30.51 LEN=84 TOS=0x00 PREC=0x00 TTL=126 ID=26747 PROTO=ICMP TYPE=0 CODE=0 ID=26071 SEQ=1

and tcpdump shows the reply

IP (tos 0x0, ttl 126, id 26794, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.7.5 > 10.45.89.4: ICMP echo reply, id 26071, seq 1, length 64

And conntrack -E shows the reply

    [NEW] icmp     1 30 src=10.1.30.51 dst=172.16.0.56 type=8 code=0 id=26071 [UNREPLIED] src=192.168.7.5 dst=10.45.89.4 type=0 code=0 id=26071 zone=68
 [UPDATE] icmp     1 29 src=10.1.30.51 dst=172.16.0.56 type=8 code=0 id=26071 src=192.168.7.5 dst=10.45.89.4 type=0 code=0 id=26071 zone=68

TCP connections are similar:

    [NEW] tcp      6 120 SYN_SENT src=10.1.30.51 dst=172.16.0.56 sport=54336 dport=3389 [UNREPLIED] src=192.168.7.5 dst=10.45.89.4 sport=3389 dport=54336 zone=68
 [UPDATE] tcp      6 60 SYN_RECV src=10.1.30.51 dst=172.16.0.56 sport=54336 dport=3389 src=192.168.7.5 dst=10.45.89.4 sport=3389 dport=54336 zone=68
 [UPDATE] tcp      6 60 SYN_RECV src=10.1.30.51 dst=172.16.0.56 sport=54336 dport=3389 src=192.168.7.5 dst=10.45.89.4 sport=3389 dport=54336 zone=68
 [UPDATE] tcp      6 60 SYN_RECV src=10.1.30.51 dst=172.16.0.56 sport=54336 dport=3389 src=192.168.7.5 dst=10.45.89.4 sport=3389 dport=54336 zone=68

More strangely, I have done all these steps for a different interface and addresses and remote host, and everything appears identical, except that ICMP replies and TCP connections actually complete.


Why would the connections show up in conntrack as replying, but the program does not receive it? What more could I look at?

Paul Draper
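The two-step reply reversal the question is puzzling over, as an added worked check (not code from the post): it parses conntrack -E and iptables LOG lines in the shape shown above and names the hook at which each logged packet was captured. It relies on the kernel's hook order for a locally originated flow: the nat PREROUTING hook undoes the SNAT (dst) on the reply, the nat INPUT hook undoes the DNAT (src), and filter/mangle INPUT runs in between. The sample lines are constructed copies of the question's output.

```python
import re

# Constructed samples in the shape of the question's output (not live captures).
CT_ICMP = (" [UPDATE] icmp     1 29 src=10.1.30.51 dst=172.16.0.56 type=8 code=0 id=26071 "
           "src=192.168.7.5 dst=10.45.89.4 type=0 code=0 id=26071 zone=68")
LOG_OUT = ("kernel: IN= OUT=vti68 SRC=10.1.30.51 DST=172.16.0.56 LEN=84 TOS=0x00 PREC=0x00 "
           "TTL=255 ID=13082 DF PROTO=ICMP TYPE=8 CODE=0 ID=26071 SEQ=1")
LOG_IN = ("kernel: IN=vti68 OUT= MAC= SRC=192.168.7.5 DST=10.1.30.51 LEN=84 TOS=0x00 PREC=0x00 "
          "TTL=126 ID=26747 PROTO=ICMP TYPE=0 CODE=0 ID=26071 SEQ=1")

def parse_conntrack(line):
    """Split a conntrack -E line into the original tuple (what the host sent, before NAT)
    and the reply tuple (what the peer sends back, as it appears on the wire)."""
    srcs = re.findall(r"\bsrc=(\S+)", line)   # \b keeps sport= from matching
    dsts = re.findall(r"\bdst=(\S+)", line)
    return {"src": srcs[0], "dst": dsts[0]}, {"src": srcs[1], "dst": dsts[1]}

def parse_log(line):
    """Pull interfaces and addresses out of an iptables LOG line."""
    m = re.search(r"IN=(\S*) OUT=(\S*).*?\bSRC=(\S+) DST=(\S+)", line)
    return {"in": m.group(1), "out": m.group(2), "src": m.group(3), "dst": m.group(4)}

def expected_views(orig, reply):
    """Addresses of the flow's packets at each point a LOG rule can observe them.
    The reply is reversed in two steps: nat PREROUTING restores dst (undoes SNAT),
    nat INPUT restores src (undoes DNAT). A LOG in filter/mangle INPUT sits between
    the two, so it sees dst restored but src still equal to the DNAT target."""
    return {
        "out_mangle_OUTPUT": {"src": orig["src"],  "dst": orig["dst"]},   # before DNAT/SNAT
        "out_wire":          {"src": reply["dst"], "dst": reply["src"]},  # after both
        "in_wire":           {"src": reply["src"], "dst": reply["dst"]},  # what tcpdump shows
        "in_filter_INPUT":   {"src": reply["src"], "dst": orig["src"]},   # dst reversed only
        "in_socket":         {"src": orig["dst"],  "dst": orig["src"]},   # fully reversed
    }

def classify(log, views):
    """Name the stage whose addresses match the LOG line, or None if none does."""
    pkt = {"src": log["src"], "dst": log["dst"]}
    return next((name for name, t in views.items() if t == pkt), None)

if __name__ == "__main__":
    orig, reply = parse_conntrack(CT_ICMP)
    views = expected_views(orig, reply)
    for line in (LOG_OUT, LOG_IN):
        print(classify(parse_log(line), views), "<-", line)
```

Run against the question's own lines, the OUTPUT log classifies as the untranslated tuple and the INPUT log as the half-reversed filter INPUT view, which is why the unreversed SRC in that log is expected; the socket should see the "in_socket" tuple, so a LOG line matching neither stage is the one worth chasing.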