Iptables – ICMP ECHO REPLY is not being SNATed correctly

iptablesmasqueradenetworkingopenvpnubuntu-14.04

I am trying to provide L3 connectivity between two remote LAN networks (10.0.0.0/24, 10.0.1.0/24) using OpenVPN with the following setup:

+----------------+  +---------------------+  +---------------------+
|VM A            |  |VM B (OpenVPN Server)|  |VM C (OpenVPN Client)|
|eth0:10.0.0.5/24|--|eth0:10.0.0.4/24     |  |eth0:10.0.1.4/24     |
+----------------+  |tun0:10.8.0.1/32     |==|tun0:10.8.0.2/32     |
                    +---------------------+  +---------------------+

Providing following IP table rule:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.4

Pinging VMC->VMA(10.0.0.5) ICMP echo request's IP is SNATed correctly on VM B:

VM-B# tcpdump -i eth0 icmp
09:27:36.170555 IP 10.0.0.4 > 10.0.0.5: ICMP echo request, id 4049, seq 2, length 64
09:27:36.171201 IP 10.0.0.5 > 10.0.0.4: ICMP echo reply, id 4049, seq 2, length 64

But pinging VMA->VMC(10.0.1.4) echo reply's IP is NOT SNATed on VM B:

VM-B# tcpdump -i eth0 icmp
09:33:31.791095 IP 10.0.0.5 > 10.0.1.4: ICMP echo request, id 6590, seq 2, length 64
09:33:31.795299 IP 10.0.1.4 > 10.0.0.5: ICMP echo reply, id 6590, seq 2, length 64

which in my case results in dropping the packet by other underlying (VM's host machine) anti-spoofing iptables rules to prevent IP spoofing.

I don't understand why is the ICMP echo reply packet not being SNATed properly and how to make it happen. Thank you.

Best Answer

The ICMP echo-reply is the return half of a connection, and they're handled differently, for a reason.

Firstly, if you did manage to do what you want, you'd break PING: VMA would send an ICMP echo-request to 10.0.1.4, but get an ICMP echo-reply (PONG) from 10.0.0.4. It would not associate that PONG with the PING previously sent, so you'd see 100% packet loss (plus gratuitous PONGs).

The way to handle SNAT on returns is to do DNAT on outbounds, and let the NAT tidy-up logic handle with de-NATting the return half traffic. But you can't do that here, because if you DNAT everything coming into VMB's eth0 to 10.0.0.4, you won't be able to talk to VMB any longer.

So the right thing to do is to fix the underlying problem, and make your host's martian-detection logic fit with your actual IP addressing scheme.

Related Solutions

Openvpn – Pings from VPN network to VPN client work; pings into from VPN client to VPN network fail – why

The root cause of this problem were some implicit default routes that were not visible in the tables displayed by /sbin/route but were visible in tables displayed by /sbin/ip route and /sbin/ip rule.

Then these tables were displayed it became apparent that a rule of this kind:

default table route_eth0 via 10.11.11.1  dev eth0

was overriding this rule:

10.8.0.0        10.11.11.2      255.255.255.0   UG    0      0        0 eth0

By editing /etc/sysconfig/network-scripts/route-eth0 (presumably with /sbin/ip route, though did it manually in this case), I was able to fix the issue.

So, what I learnt from this is that /sbin/route can't be relied upon to give you an accurate picture of Linux's effective routing rules and that it is better to use /sbin/ip for this purpose.

Thanks to ptman whose answer to this question helped me see the light. Thank you ptman!

Iptables – Route traffic to some host in Internet via VPN server

You don't need to mark the packets, To do what are planing to you need the following

in the server config file add the following:

"push route q.q.q.q 255.255.255.255"

The above will push the route to the client side so all the traffic sent from the client to that ip will be sent through the openvpn tunnel.

Also at the server side you need to accept the incomming traffic from the client, you can accept all the traffic comming from the client subnet as following

iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT

you might also need this not sure:

iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

You need to nat the comming traffic from client to server side [do this on the server side]

iptables -t nat -A POSTROUTING -d q.q.q.q -j SNAT --to-source PUBLIC_IP_OR_YOUR_VPN_SERVER

And you don't need iproute2 or mangle table.

The order of the rules matter, so please them before a matching drop rule

Best Answer

Related Solutions

Openvpn – Pings from VPN network to VPN client work; pings into from VPN client to VPN network fail – why

Iptables – Route traffic to some host in Internet via VPN server

Related Topic