From: "Humberto Jucá" <betolj@gmail.com>
To: Glen Huang <heyhgl@gmail.com>, netfilter@vger.kernel.org
Subject: Re: How to trace IPSec packets?
Date: Mon, 29 Jan 2018 09:25:42 -0300
Message-ID: <CACuyg267+379fHkBactPOShqsrXzQWxq4TM6ZBFh=WJZvqN0vQ@mail.gmail.com>
In-Reply-To: <CALNXhk0TefWZQ7_e+JOuDL7Qs7KFq2DwQ4h+CayKHd3uWd_y_Q@mail.gmail.com>

Hi Glen Huang,


> I have an IPSec tunnel set up between my machine and a server.

- check your source routing address with this command:
ip route get 8.8.8.8

"So, replace your source address with *src ip address*"


> But after dig @8.8.8.8 google.com on my machine, running grep 'TRACE:' /var/log/kern.log on the server returned nothing.

- after this, you need to rewrite your firewall rules in the OUTPUT chain:
iptables -t nat -I OUTPUT -s $SRC_ADDRESS -d 8.8.8.8 -p udp \
  --dport 53 -j DNAT --to-destination 127.0.0.1

"Because you are redirecting your internal traffic, use OUTPUT chain."

2018-01-29 7:07 GMT-03:00 Glen Huang <heyhgl@gmail.com>:
> (Previous message seems to get smudged. This is a resent.)
>
> Hi,
>
> Hope the question isn’t too basic to be asked here.
>
> I have an IPSec tunnel set up between my machine and a server. All
> packets originating from my machine go through that tunnel and then get
> forwarded by the server. I'm trying to redirect DNS requests from my
> machine to 8.8.8.8 to a DNS forwarder running on the server.
>
> I tried this on the server
>
> iptables -t nat -I PREROUTING -s $IPSEC_VIRTUAL_IP -d 8.8.8.8 -p udp
> --dport 53 -j DNAT --to-destination 127.0.0.1
>
> But it didn't work. To make sure it wasn't because I hadn't allowed
> martian packets or anything, I tried to trace the decrypted packets.
>
> iptables -t raw -I PREROUTING -s $IPSEC_VIRTUAL_IP -d 8.8.8.8 -p udp
> --dport 53 -j TRACE
>
> But after dig @8.8.8.8 google.com on my machine, running grep 'TRACE:'
> /var/log/kern.log on the server returned nothing.
>
> According to this picture:
> https://en.wikipedia.org/wiki/Iptables#/media/File:Netfilter-packet-flow.svg
> after decrypting the IPsec packets, netfilter will make the decrypted
> packets go through the IP stack again, and the TRACE target should be
> able to catch it.
>
> I wonder if my mental model is incorrect or I missed something?
>
> Regards,
> Glen
>
> On Mon, Jan 29, 2018 at 5:10 PM, Glen Huang <heyhgl@gmail.com> wrote:
>> Hi,
>>
>> Hope the question isn’t too basic to be asked here.
>>
>> I have an IPSec tunnel set up between my machine and a server. All packets originate from my machine go through that tunnel and then get forwarded by the server. I’m trying to redirect DNS request from my machine to 8.8.8.8 to a dns forwarder running on the server.
>>
>> I tried this on the server
>>
>> iptables -t nat -I PREROUTING -s $IPSEC_VIRTUAL_IP -d 8.8.8.8 -p udp --dport 53 -j DNAT --to-destination 127.0.0.1
>>
>> But it didn't work. To make sure it wasn't because I hadn't allowed martian packets or anything. I tried to trace the decrypted packets.
>>
>> iptables -t raw -I PREROUTING -s $IPSEC_VIRTUAL_IP -d 8.8.8.8 -p udp --dport 53 -j TRACE
>>
>> But after dig @8.8.8.8 google.com on my machine, running grep 'TRACE:' /var/log/kern.log on the server returned nothing.
>>
>> According to this picture: https://en.wikipedia.org/wiki/Iptables#/media/File:Netfilter-packet-flow.svg after decrypting the ipsec packets, netfilter will make the decrypted packets go through the ip stack again, and the trace target should be able to catch it.
>>
>> I wonder if my mental model is incorrect or I missed something?
>>
>> Regards,
>> Glen
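
The server-side setup that the thread is circling around, written out as an added example (this is not code from either poster, and the thread does not settle on it). It assumes three things the thread never states: the peer's inner tunnel address (PEER), the address on which the server's DNS forwarder listens (TARGET), and the interface the ESP traffic arrives on (IFACE). The defaults below (10.99.0.2, 127.0.0.1, eth0) are placeholders. It demonstrates three points a practitioner checks when a TRACE rule on decrypted IPsec traffic logs nothing: the TRACE target needs an nf_log backend registered for IPv4 (and on iptables-nft systems its output goes to `nft monitor trace`, not kern.log); `-m policy --dir in --pol ipsec` selects only the decapsulated inner packet; and a DNAT to 127.0.0.1 of a packet that arrived on a real interface is dropped as a martian unless route_localnet is enabled on that interface, whereas a DNAT to a non-loopback address of the server needs no sysctl. With DRY_RUN=1 (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the thread: server-side recipe for tracing the
# *decrypted* IPsec packets and redirecting the peer's DNS queries to a local
# forwarder. PEER, TARGET and IFACE are assumptions, not values from the
# thread; override them in the environment.
set -eu

# DRY_RUN=1 (default) prints each command instead of executing it, so the
# rule set can be reviewed before it is applied as root.
DRY_RUN=${DRY_RUN:-1}
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: TRACE emits nothing unless a packet logger is registered for
# IPv4 (nf_log index 2). On an iptables-nft system the TRACE target is
# translated to nftrace and its output is read with `nft monitor trace`,
# not from kern.log; see nft_trace_rules below.
nflog_setup() {
  run modprobe nf_log_ipv4
  run sysctl -w net.netfilter.nf_log.2=nf_log_ipv4
}

# Step 2: trace only packets that came out of an inbound IPsec SA
# (xt_policy, --dir in). The still-encrypted ESP packet that arrives first
# does not match, so the log shows just the decapsulated inner packet.
# No -d match here on purpose: first confirm the query arrives at all.
trace_rules() {
  peer=$1
  run iptables -t raw -I PREROUTING -m policy --dir in --pol ipsec \
    -s "$peer" -p udp --dport 53 -j TRACE
}

# nftables equivalent of trace_rules; watch it with `nft monitor trace`.
nft_trace_rules() {
  peer=$1
  run nft add table ip raw
  run nft add chain ip raw prerouting '{ type filter hook prerouting priority raw; }'
  run nft add rule ip raw prerouting ip saddr "$peer" udp dport 53 meta nftrace set 1
}

# Step 3: DNAT the peer's queries for 8.8.8.8 to the forwarder. A target in
# 127.0.0.0/8 is a martian destination for a packet that arrived on a real
# interface, so that case also needs route_localnet on that interface; a
# non-loopback address of the server needs no sysctl. After DNAT the packet
# is delivered locally, so the filter INPUT chain has to accept it.
dnat_rules() {
  peer=$1 target=$2 iface=$3
  case $target in
    127.*) run sysctl -w "net.ipv4.conf.$iface.route_localnet=1" ;;
  esac
  run iptables -t nat -I PREROUTING -m policy --dir in --pol ipsec \
    -s "$peer" -d 8.8.8.8 -p udp --dport 53 \
    -j DNAT --to-destination "$target:53"
  run iptables -I INPUT -m policy --dir in --pol ipsec \
    -s "$peer" -d "$target" -p udp --dport 53 -j ACCEPT
}

# Number of commands a step would run; used to sanity-check the generated
# rule set in dry-run mode.
count_lines() { "$@" | wc -l | tr -d ' '; }

main() {
  peer=${PEER:-10.99.0.2}       # assumed inner address of the tunnel peer
  target=${TARGET:-127.0.0.1}   # assumed address the forwarder listens on
  iface=${IFACE:-eth0}          # assumed interface the ESP packets arrive on
  nflog_setup
  trace_rules "$peer"
  dnat_rules "$peer" "$target" "$iface"
}
main
```

Apply with `DRY_RUN=0 PEER=<inner address> TARGET=<forwarder address> IFACE=<interface> sh trace-ipsec-dns.sh` as root, then send a query from the peer and watch `dmesg -w | grep 'TRACE:'` (iptables-legacy) or `nft monitor trace` (iptables-nft). If the trace rule still never fires, the inner packet is not carrying the source address you expected, which is exactly what `ip route get 8.8.8.8` on the peer reveals.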


Thread overview: 9+ messages
2018-01-29  9:10 How to trace IPSec packets? Glen Huang
2018-01-29 10:07 ` Glen Huang
2018-01-29 12:25   ` Humberto Jucá [this message]
2018-01-29 13:12     ` Glen Huang
     [not found]       ` <CAP9CGviN_ZsMVq2M_bFvd8gkHFgF_uw-Qqb1fkokeVDALMhc7w@mail.gmail.com>
2018-01-29 15:09         ` Glen Huang
     [not found]           ` <CAP9CGvjOSrYCYNGTD2fScBac-vLG51BwcyfE5u=eKxsai625WQ@mail.gmail.com>
     [not found]             ` <CAP9CGvhH78bAfeG_RZn_kLfFzik23ETrccrGSpQxu=H2wLcpug@mail.gmail.com>
2018-01-30  4:16               ` Glen Huang
2018-01-30 18:41                 ` Jeff Kletsky
2018-01-31  4:55                   ` Glen Huang
2018-02-01 12:21                     ` Raymond Burkholder
