IPTables on powerpc seems to be "missing" NAT'ing packets

Bug #1119174 reported by Pieter De Wit
Affects: linux (Ubuntu) | Status: Expired | Importance: Medium | Assigned to: Unassigned | Milestone: (none)

Bug Description

Hi,

Here is my setup:

eth0 ---\
                 SERVER ---> eth1 ---> ppp0 (pppoe)
eth2 ---/

I have stripped the iptables config to the bare requirements for NAT:
(I have also tried this with just one MASQ statement - same result.
 Also with Source NAT - same result.)

*nat
:PREROUTING ACCEPT [41024:3267406]
:INPUT ACCEPT [36053:2477434]
:OUTPUT ACCEPT [39588:2527196]
:POSTROUTING ACCEPT [39961:2568225]
-A POSTROUTING -s 192.168.4.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.5.0/24 -o ppp0 -j MASQUERADE
COMMIT

eth0 = 192.168.4.0/24
eth2 = 192.168.5.0/24

If I run "tcpdump -i ppp0 -n net 192.168.0.0/16" I do see packets leaving ppp0, "unNAT'ed":

21:14:55.974633 IP 192.168.5.109.49458 > 17.152.19.51.443: Flags [F.], seq 1404846587, ack 269222910, win 16384, options [nop,nop,sack 1 {4381:5764}], length 0
21:14:56.990586 IP 192.168.5.109.49458 > 17.152.19.51.443: Flags [F.], seq 0, ack 1, win 16384, options [nop,nop,sack 1 {4381:5764}], length 0
21:14:58.713042 IP 192.168.5.109.49458 > 17.152.19.51.443: Flags [F.], seq 0, ack 1, win 16384, options [nop,nop,sack 1 {4381:5764}], length 0
21:15:02.258076 IP 192.168.5.109.49458 > 17.152.19.51.443: Flags [F.], seq 0, ack 1, win 16384, options [nop,nop,sack 1 {4381:5764}], length 0
21:17:13.711341 IP 192.168.5.109.49458 > 17.152.19.51.443: Flags [F.], seq 0, ack 1, win 16384, options [nop,nop,sack 1 {4381:5764}], length 0

I also can't access certain sites using https, like freelancer.com and iTunes from my iPhone (eth2 via wireless).

This used to work. In between I have upgraded to linux-image-3.2.0-36-powerpc64-smp 3.2.0-36.57 and linux-image-3.2.0-38-powerpc64-smp 3.2.0-38.59 and both seem to have the issue.

I haven't backtracked the kernels to a working one yet - working on that atm.
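As an added check, not part of the report, the script below scans `tcpdump -n` output taken on the WAN-side interface (ppp0 here) for packets whose source is still an RFC 1918 address, and separates a leak from a subnet that a MASQUERADE rule covers (the situation described above) from one that no rule covers at all. The first sample line is the report's own capture; the other two lines are constructed.

```python
import ipaddress
import re

# Constructed sample of "tcpdump -i ppp0 -n" output. The first line is the
# report's own capture; the other two are made up to show the other outcomes.
SAMPLE_CAPTURE = """\
21:14:55.974633 IP 192.168.5.109.49458 > 17.152.19.51.443: Flags [F.], seq 1404846587, ack 269222910, win 16384, length 0
21:14:56.100001 IP 203.0.113.7.40001 > 198.51.100.20.443: Flags [S], seq 0, win 65535, length 0
21:14:56.200002 IP 10.0.0.9 > 198.51.100.20: ICMP echo request, id 1, seq 1, length 64
"""

# Source networks from the two POSTROUTING MASQUERADE rules in the report.
MASQ_SOURCES = [ipaddress.ip_network("192.168.4.0/24"),
                ipaddress.ip_network("192.168.5.0/24")]

# RFC 1918 ranges that must never appear as a source on the WAN side.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "<ts> IP <src>[.<port>] > <dst>[.<port>]:" as printed by tcpdump -n
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:")


def classify(src):
    """Return why a WAN-side packet with this source is a problem, or None."""
    addr = ipaddress.ip_address(src)
    if not any(addr in net for net in PRIVATE_NETS):
        return None                   # public source: already translated or needs no NAT
    if any(addr in net for net in MASQ_SOURCES):
        return "leak-despite-rule"    # a MASQUERADE rule covers it, yet it left untranslated
    return "no-rule"                  # private source that no NAT rule covers (config gap)


def find_leaks(capture_text):
    """Parse tcpdump lines; return (timestamp, src, dst, verdict) for each leak."""
    leaks = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # not an IPv4 packet line, skip it
        verdict = classify(m.group("src"))
        if verdict:
            leaks.append((m.group("ts"), m.group("src"), m.group("dst"), verdict))
    return leaks


if __name__ == "__main__":
    for ts, src, dst, verdict in find_leaks(SAMPLE_CAPTURE):
        print(f"{ts} {src} -> {dst}: {verdict}")
```

Feed it a live capture with `tcpdump -i ppp0 -n -l | python3 script.py` after replacing the constant with `sys.stdin.read()`; any "leak-despite-rule" hit reproduces the symptom in this report.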

Revision history for this message
Pieter De Wit (pieter-insync) wrote :

I am tagging it as a security issue since this can leak private subnet information

information type: Public → Public Security
tags: added: iptables masq nat security
description: updated
affects: iptables (Ubuntu) → linux (Ubuntu)
information type: Public Security → Public
Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1119174

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: precise
Changed in linux (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired