Hi,
Yesterday a network engineer at my site pointed me to some strange entries
in his Cisco logs:
Nov 21 16:35:19 6X:mgw-rt21 4794649: Nov 21 16:36:43 CET:
%SEC-6-IPACCESSLOGP: list net30a-in denied tcp 192.168.0.1(80) ->
12.34.56.78(6666), 1 packet
(Note that the IP addresses above have been faked by me to not disclose the
real addresses)
This log is from one of our edge routers which are responsible for routing
traffic to the internet. It was clear something on our network was trying
to use a private IP address to reach a public IP address on the internet.
As we use unique private IP addresses I was able to easily track this
private IP address down to our LVS (DR). I decided to use iptables on one
of the machines to do some logging:
iptables -A OUTPUT -o eth0 -s 192.168.0.0/16 -j LOG
This logs all traffic going out on eth0 (public interface) with a source
address of 192.168.x.x. Resulting entries in my syslog look like this:
Nov 22 09:11:27 kaa kernel: IN= OUT=eth0 SRC=192.168.0.1 DST=12.34.56.78
LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=12467 DF PROTO=TCP SPT=80 DPT=6414
WINDOW=6432 RES=0x00 ACK URGP=0
Nov 22 09:11:27 kaa kernel: IN= OUT=eth0 SRC=192.168.0.1 DST=87.65.43.21
LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=10715 DF PROTO=TCP SPT=80 DPT=1364
WINDOW=5840 RES=0x00 ACK FIN URGP=0
(Addresses faked again)
So this machine is indeed trying to send packets through its public
interface using its private IP address (tied to eth1). Why is it doing
this?
My setup:
     |         |         |         |      gateway (cisco router)
    \|/       /|\       /|\       /|\
     |         |         |         |      eth0 (public IP address)
 [ BOX1 ]  [ BOX2 ]  [ BOX3 ]  [ BOX4 ]
     |         |         |         |      eth1 (private IP address)
 -------------------------------------
Requests are coming in through the public interface (eth0) of BOX1, being
distributed by LVS (using DR) to the private interfaces of BOX2, BOX3 and
BOX4, being redirected by an iptables rule, processed by Tux/Apache, and
answers being sent out on the public interfaces of BOX2, BOX3 and BOX4.
I'm using the iptables redirect method:
iptables -t nat -A PREROUTING -i eth1 -p tcp -d $VIP --dport 80 -j
REDIRECT
The LVS seems to work normally (serving peaks of up to 7000 hits/sec), but
I think something may be wrong on the TCP level though. Does anyone have a
clue why this is happening?
Best regards,
--
Matthijs van der Klip, Unix Administrator
Dutch Public Broadcasting
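As an added example (not part of the original post), here is a small Python checker for the kernel LOG lines produced by the iptables rule above; it flags packets that left the public interface with an RFC 1918 source address and a globally routable destination. The sample lines are constructed from the post's format with made-up addresses, and eth0 is assumed to be the public side as described.

```python
import re
import ipaddress

# Constructed sample syslog lines in the format written by `iptables -j LOG`
# (addresses are made up; the post's own addresses were faked as well).
SAMPLE_SYSLOG = """\
Nov 22 09:11:27 kaa kernel: IN= OUT=eth0 SRC=192.168.0.1 DST=12.34.56.78 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=12467 DF PROTO=TCP SPT=80 DPT=6414 WINDOW=6432 RES=0x00 ACK URGP=0
Nov 22 09:11:27 kaa kernel: IN= OUT=eth0 SRC=192.168.0.1 DST=87.65.43.21 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=10715 DF PROTO=TCP SPT=80 DPT=1364 WINDOW=5840 RES=0x00 ACK FIN URGP=0
Nov 22 09:11:28 kaa kernel: IN= OUT=eth0 SRC=12.34.56.1 DST=87.65.43.21 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=10716 DF PROTO=TCP SPT=80 DPT=1364 WINDOW=5840 RES=0x00 ACK URGP=0
Nov 22 09:11:29 kaa kernel: IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=10717 DF PROTO=TCP SPT=80 DPT=1364 WINDOW=5840 RES=0x00 ACK URGP=0
Nov 22 09:11:30 kaa sshd[123]: Accepted publickey for admin from 87.65.43.21
"""

# RFC 1918 private address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# KEY=VALUE tokens; flag-only tokens such as DF, ACK, FIN have no '=' and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def parse_log_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict, or None
    for syslog lines that are not kernel packet logs."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    return dict(FIELD_RE.findall(line.split("kernel:", 1)[1]))


def leaked_private_egress(lines, public_ifaces=("eth0",)):
    """Return (src, dst, proto, spt, dpt) for every packet that went out of a
    public interface with an RFC 1918 source and a non-RFC 1918 destination,
    i.e. traffic an upstream ACL like the Cisco one will drop."""
    hits = []
    for line in lines:
        f = parse_log_line(line)
        if not f or f.get("OUT") not in public_ifaces:
            continue
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        if is_rfc1918(src) and not is_rfc1918(dst):
            hits.append((f["SRC"], f["DST"], f.get("PROTO"), f.get("SPT"), f.get("DPT")))
    return hits


if __name__ == "__main__":
    for hit in leaked_private_egress(SAMPLE_SYSLOG.splitlines()):
        print("private source leaked via public interface:", hit)
```

Feeding it `/var/log/messages` in place of the constructed sample gives a quick count of how much of the real server's traffic is affected, and the SPT=80 in the hits ties the leak to the web server replies rather than to some other process.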