* Selectively routing packets through different links
@ 2010-06-10 16:13 Diego Lima
  2010-06-10 20:14 ` John Lister
  0 siblings, 1 reply; 5+ messages in thread
From: Diego Lima @ 2010-06-10 16:13 UTC (permalink / raw)
  To: netfilter

Hello all,

I'm trying to send HTTP packets through a link that is not my default
gateway, using iptables and iproute2 on an Ubuntu 9.10 server (ip
address: 192.168.0.193 on the lan and 192.168.21.1 on the wan). Its
default gateway is the address 192.168.0.7 on my wlan0 interface and
its alternative gateway is 192.168.21.1 on bnep0. Packets from my LAN
arrive on the same wlan0 interface. Here's what I've done:

1 - Edit /etc/iproute2/rt_tables and add this:
10 bluez

2 - Add the route and rule:
# ip route add via 192.168.21.1 dev bnep0 table bluez
# ip rule add fwmark 10 lookup bluez

3 - Add the iptables rules:
iptables -t mangle -I PREROUTING -i wlan0 -s 192.168.0.0/24 -p tcp -m multiport --dports 80,443,8080 -j MARK --set-mark 10
iptables -t nat -I POSTROUTING ! -o lo -j MASQUERADE

The FORWARD policy is currently set to ACCEPT and
/proc/sys/net/ipv4/ip_forward is set to 1. When I do this I can see
the packets coming from my local network to the internet get out
and I see them on the router 192.168.21.1. I can also see the replies
on the router and bnep0, but they don't go back to the host on wlan0.

Here are the tcpdump results of a simple wget:

---
On the host 192.168.0.201 (the one trying to fetch a page):

13:04:49.639213 IP 192.168.0.201.37844 > 64.233.163.104.80: Flags [S],
seq 1417172792, win 5840, options [mss 1460,sackOK,TS val 194061171
ecr 0,nop,wscale 6], length 0
13:04:52.635912 IP 192.168.0.201.37844 > 64.233.163.104.80: Flags [S],
seq 1417172792, win 5840, options [mss 1460,sackOK,TS val 194061921
ecr 0,nop,wscale 6], length 0
13:04:58.635909 IP 192.168.0.201.37844 > 64.233.163.104.80: Flags [S],
seq 1417172792, win 5840, options [mss 1460,sackOK,TS val 194063421
ecr 0,nop,wscale 6], length 0


--
On the firewall 192.168.0.193 (the host's default gw and the firewall
where I set the iptables/routing rules):
tcpdump on bnep0:

diego@gilead:/tmp$ sudo tcpdump -ni bnep0 ip proto \\tcp and ! port 22
and host 64.233.163.104
listening on bnep0, link-type EN10MB (Ethernet), capture size 96 bytes
13:07:56.556892 IP 192.168.21.2.43346 > 64.233.163.104.80: Flags [S],
seq 182141507, win 5840, options [mss 1460,sackOK,TS val 194109829 ecr
0,nop,wscale 6], length 0
13:07:58.450327 IP 64.233.163.104.80 > 192.168.21.2.43346: Flags [S.],
seq 118939367, ack 182141508, win 5672, options [mss 1410,sackOK,TS
val 3547510252 ecr 194109829,nop,wscale 6], length 0
13:07:58.719166 IP 64.233.163.104.80 > 192.168.21.2.43346: Flags [S.],
seq 118939367, ack 182141508, win 5672, options [mss 1410,sackOK,TS
val 3547510586 ecr 194109829,nop,wscale 6], length 0
13:07:59.328302 IP 64.233.163.104.80 > 192.168.21.2.43346: Flags [S.],
seq 118939367, ack 182141508, win 5672, options [mss 1410,sackOK,TS
val 3547511190 ecr 194109829,nop,wscale 6], length 0
13:07:59.553165 IP 192.168.21.2.43346 > 64.233.163.104.80: Flags [S],
seq 182141507, win 5840, options [mss 1460,sackOK,TS val 194110579 ecr
0,nop,wscale 6], length 0
13:07:59.658279 IP 64.233.163.104.80 > 192.168.21.2.43346: Flags [S.],
seq 118939367, ack 182141508, win 5672, options [mss 1410,sackOK,TS
val 3547511511 ecr 194109829,nop,wscale 6], length 0


tcpdump on wlan0:
diego@gilead:/tmp$ sudo tcpdump -ni wlan0 ip proto \\tcp and ! port 22
and host 64.233.163.104
listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes

13:09:12.992642 IP 192.168.0.201.43347 > 64.233.163.104.80: Flags [S],
seq 1388896619, win 5840, options [mss 1460,sackOK,TS val 194128940
ecr 0,nop,wscale 6], length 0
13:09:15.988847 IP 192.168.0.201.43347 > 64.233.163.104.80: Flags [S],
seq 1388896619, win 5840, options [mss 1460,sackOK,TS val 194129690
ecr 0,nop,wscale 6], length 0
13:09:21.990494 IP 192.168.0.201.43347 > 64.233.163.104.80: Flags [S],
seq 1388896619, win 5840, options [mss 1460,sackOK,TS val 194131190
ecr 0,nop,wscale 6], length 0

--
On the wan router 192.168.21.1:

13:11:47.844163 IP 192.168.21.2.43348 > 64.233.163.104.80: S
3792068799:3792068799(0) win 5840 <mss 1460,sackOK,timestamp
194167380[|tcp]>
13:11:49.613021 IP 64.233.163.104.80 > 192.168.21.2.43348: S
2877038224:2877038224(0) ack 3792068800 win 5672 <mss
1410,sackOK,timestamp 3532709843[|tcp]>
13:11:49.868738 IP 64.233.163.104.80 > 192.168.21.2.43348: S
2877038224:2877038224(0) ack 3792068800 win 5672 <mss
1410,sackOK,timestamp 3532710158[|tcp]>
13:11:50.473167 IP 64.233.163.104.80 > 192.168.21.2.43348: S
2877038224:2877038224(0) ack 3792068800 win 5672 <mss
1410,sackOK,timestamp 3532710762[|tcp]>
13:11:50.833945 IP 192.168.21.2.43348 > 64.233.163.104.80: S
3792068799:3792068799(0) win 5840 <mss 1460,sackOK,timestamp
194168130[|tcp]>
13:11:50.913043 IP 64.233.163.104.80 > 192.168.21.2.43348: S
2877038224:2877038224(0) ack 3792068800 win 5672 <mss
1410,sackOK,timestamp 3532711202[|tcp]>
13:11:51.733704 IP 64.233.163.104.80 > 192.168.21.2.43348: S
2877038224:2877038224(0) ack 3792068800 win 5672 <mss
1410,sackOK,timestamp 3532712022[|tcp]>
13:11:54.149590 IP 64.233.163.104.80 > 192.168.21.2.43348: S
2877038224:2877038224(0) ack 3792068800 win 5672 <mss
1410,sackOK,timestamp 3532714438[|tcp]>

--

As far as I can see the packets arrive at my firewall just fine but it
never routes them back to the host originating the request. Am I
missing something there?

Thanks and sorry for the long email :)

-- 
Diego Lima


* Re: Selectively routing packets through different links
  2010-06-10 16:13 Selectively routing packets through different links Diego Lima
@ 2010-06-10 20:14 ` John Lister
  2010-06-11 12:13   ` David Favro
  0 siblings, 1 reply; 5+ messages in thread
From: John Lister @ 2010-06-10 20:14 UTC (permalink / raw)
  To: Diego Lima; +Cc: netfilter

I suspect you need to save the mark in the conntrack table so that it is 
applied to every related packet - I've got a similar configuration 
except I route out of multiple interfaces depending upon load and took a 
while to get working reliably.
Once you set the mark use -j CONNMARK --save-mark and --restore-mark. 
The former after you've used set-mark.
I also use SNAT rather than MASQUERADE in case that makes a difference.

John


* Re: Selectively routing packets through different links
  2010-06-10 20:14 ` John Lister
@ 2010-06-11 12:13   ` David Favro
  2010-06-14 17:02     ` Diego Lima
  0 siblings, 1 reply; 5+ messages in thread
From: David Favro @ 2010-06-11 12:13 UTC (permalink / raw)
  To: Diego Lima; +Cc: netfilter

John Lister wrote:
> I suspect you need to save the mark in the conntrack table so that it 
> is applied to every related packet - I've got a similar configuration 
> except I route out of multiple interfaces depending upon load and took 
> a while to get working reliably.
You shouldn't need to use CONNMARK because all of the outbound packets 
will have the same destination port and thus get marked by MARK, and the 
inbound packets don't typically need to get marked for a special routing 
table; however it might be a good idea to use CONNMARK anyhow, it may 
help with reverse-path filtering -- but alternatively, I would recommend 
turning RPF off anyhow:
echo "2" > /proc/sys/net/ipv4/conf/bnep0/rp_filter
Also,
echo "1" > /proc/sys/net/ipv4/conf/bnep0/log_martians
You can then check your kernel log to see if reverse-path filtering is 
causing you problems, which is a good possibility.  If you see martian 
packets in your log after setting rp_filter for the interface to 2 per 
above (but you shouldn't), then you could disable RPF entirely:
echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/bnep0/rp_filter
... but I don't think that should be needed.

Also check your filter rules in iptables, are you explicitly dropping 
the packets?

> Diego Lima wrote:
>> 1 - Edit /etc/iproute2/rt_tables and add this:
>> 10 bluez
>>
>> 2 - Add the route and rule:
>> # ip route add via 192.168.21.1 dev bnep0 table bluez
>> # ip rule add fwmark 10 lookup bluez
>>
>> 3 - Add the iptables rules:
>> iptables -t mangle -I PREROUTING -i wlan0 -s 192.168.0.0/24 -p tcp -m
>> multiport --dports 80,443,8080 -j MARK --set-mark 10
>> iptables -t nat -I POSTROUTING ! -o lo -j MASQUERADE
Your masquerading looks to me to be overly aggressive, why masquerade 
packets going out to wlan0?
iptables -t nat -A POSTROUTING -o bnep0 -j MASQUERADE

If you have externally-originated incoming connections on bnep0 (I guess 
not, your message sounds like all of your traffic on bnep0 is 
connections that are originating from the LAN) -- but if so, you need 
more routing rules or iptables fwmark to make sure that inbound 
connections from bnep0 go back out through bnep0.

Hope that helps,
-- David



* Re: Selectively routing packets through different links
  2010-06-11 12:13   ` David Favro
@ 2010-06-14 17:02     ` Diego Lima
  0 siblings, 0 replies; 5+ messages in thread
From: Diego Lima @ 2010-06-14 17:02 UTC (permalink / raw)
  To: David Favro; +Cc: netfilter

Hi David,

Thanks a lot for the tip! It worked like a charm after changing the
rp_filter parameter. What are the downsides of having it turned off?

Thanks!

-- 
Diego Lima
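
Why the rp_filter change let the replies through, and what it gives up, as an added example that is not from any of the posters: a small Python model of strict, loose and disabled reverse-path filtering on this thread's topology. The routing tables are reconstructed from the description in the first message, and all function names are illustrative assumptions.

```python
import ipaddress

# Constructed model of the firewall's routing state described in the thread.
MAIN = [("192.168.0.0/24", "wlan0"),    # LAN
        ("192.168.21.0/24", "bnep0"),   # link to the alternative gateway
        ("0.0.0.0/0", "wlan0")]         # default route via 192.168.0.7
BLUEZ = [("0.0.0.0/0", "bnep0")]        # table 10, default via 192.168.21.1


def lookup(table, addr):
    """Longest-prefix match; return the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), dev) for p, dev in table
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def route(dst, fwmark=0):
    """'ip rule add fwmark 10 lookup bluez' is tried before the main table."""
    if fwmark == 10:
        dev = lookup(BLUEZ, dst)
        if dev is not None:
            return dev
    return lookup(MAIN, dst)


def effective_rp_filter(conf_all, conf_iface):
    """The kernel applies the larger of conf/all and conf/<iface>."""
    return max(conf_all, conf_iface)


def rpf_accepts(src, in_dev, mode):
    """Source validation for a packet from `src` arriving on `in_dev`.

    The reverse lookup is modelled without a mark (an assumption of this
    model): the thread's MARK rule only matches packets entering on wlan0,
    so replies arriving on bnep0 carry none.
    """
    if mode == 0:                 # off
        return True
    back = route(src)             # where would a packet to src be sent?
    if mode == 2:                 # loose: any route back is enough
        return back is not None
    return back == in_dev         # strict: must point back out in_dev


def report():
    """(mode, SYN-ACK accepted, LAN-sourced packet on bnep0 accepted)."""
    server, lan_host = "64.233.163.104", "192.168.0.201"
    return [(mode,
             rpf_accepts(server, "bnep0", mode),
             rpf_accepts(lan_host, "bnep0", mode))
            for mode in (1, 2, 0)]


if __name__ == "__main__":
    print("forward path, mark 10:", route("64.233.163.104", fwmark=10))
    print("reverse lookup, no mark:", route("64.233.163.104"))
    for mode, synack, lan_src in report():
        print(f"rp_filter={mode}: SYN-ACK accepted={synack}, "
              f"LAN source on bnep0 accepted={lan_src}")
```

The last column is the trade-off: with rp_filter at 2 or 0, a packet arriving on bnep0 with a source address that belongs to the LAN is no longer rejected by source validation, so that check has to come from explicit iptables rules instead.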


* Selectively routing packets through different links
@ 2010-06-10 16:44 Diego Alencar Alves de Lima
  0 siblings, 0 replies; 5+ messages in thread
From: Diego Alencar Alves de Lima @ 2010-06-10 16:44 UTC (permalink / raw)
  To: linux-admin

Diego Alencar Alves de Lima
http://www.diegolima.org