
When I trace some raw output packets from a specific application, I get the following output, where a packet's destination address is magically changed from 10.10.20.20 to 127.1.1.1. Is there any way of bypassing this by getting the raw packet "as is" to the output?

trace id fd9543bc ip raw OUTPUT packet: oif "br0" ip saddr 10.10.10.10 ip daddr 10.10.20.20 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 26448 ip length 60 tcp sport 34188 tcp dport 80 tcp flags == syn tcp window 64240
trace id fd9543bc ip raw OUTPUT rule meta l4proto tcp ip daddr 10.10.20.20 counter packets 52 bytes 4540 meta nftrace set 1 (verdict continue)
trace id fd9543bc ip raw OUTPUT verdict continue
trace id fd9543bc ip raw OUTPUT policy accept
trace id fd9543bc ip filter OUTPUT packet: oif "br0" ip saddr 10.10.10.10 ip daddr 127.1.1.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 26448 ip length 60 tcp sport 34188 tcp dport 8080 tcp flags == syn tcp window 64240
trace id fd9543bc ip filter OUTPUT verdict continue
trace id fd9543bc ip filter OUTPUT policy accept
trace id fd9543bc inet filter output packet: oif "br0" ip saddr 10.10.10.10 ip daddr 127.1.1.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 26448 ip protocol tcp ip length 60 tcp sport 34188 tcp dport 8080 tcp flags == syn tcp window 64240
trace id fd9543bc inet filter output verdict continue
trace id fd9543bc inet filter output policy accept

iptables-save output

# Generated by iptables-save v1.8.7 on Thu Nov 18 22:40:01 2021
*nat
:PREROUTING ACCEPT [14:1295]
:INPUT ACCEPT [14:1295]
:OUTPUT ACCEPT [2:196]
:POSTROUTING ACCEPT [4:316]
-A PREROUTING -i ens192 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.1.1.1:8080
COMMIT
# Completed on Thu Nov 18 22:40:01 2021
# Generated by iptables-save v1.8.7 on Thu Nov 18 22:40:01 2021
*mangle
:PREROUTING ACCEPT [15:1154]
:INPUT ACCEPT [172:24172]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [222:44999]
:POSTROUTING ACCEPT [222:44999]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
# Completed on Thu Nov 18 22:40:01 2021
  • this looks like `REDIRECT` rule in action. Please, show your complete `iptables-save`. – Nikita Kipriyanov Nov 17 '21 at 14:16
  • See also OP's newer question: https://serverfault.com/questions/1083764/stunnel-outgoing-packets-strangely-modified – A.B Nov 17 '21 at 23:25
  • Ok, you have DNAT rule and it works exactly as it should, it translates address. Could you please describe how everything is supposed to work? For example, if some specific packets should not be DNATed, which ones? Also, you have some rules that typical for a transparent proxy setup, but there is no final TPROXY rule and it has the DNAT rule which isn't used in such setup, what is it for? – Nikita Kipriyanov Nov 19 '21 at 07:40
  • I have described the whole setup in my other question (https://serverfault.com/questions/1083764/stunnel-outgoing-packets-strangely-modified). Here I want to discuss what possibilities exist to keep the packets seen in table "raw" in the OUTPUT chain as they are and not get them modified. – r0b0tr0n Nov 23 '21 at 09:08
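The trace above shows the rewrite happening between the `ip raw OUTPUT` snapshot and the `ip filter OUTPUT` snapshot, which is where the nat OUTPUT hook and conntrack's NAT mapping sit in the netfilter pipeline. When troubleshooting this kind of issue it helps to have a small tool that reads `nft monitor trace` output and reports exactly which fields changed between which hooks. The following Python script is an added example, not code from the question or from any netfilter project; its sample input is the trace output quoted in the question, embedded as a constructed string, and the field list it extracts (addresses and ports) is an assumption chosen for this diagnostic.

```python
import re
from collections import defaultdict

# Constructed sample: the nft trace lines quoted in the question above.
SAMPLE_TRACE = """\
trace id fd9543bc ip raw OUTPUT packet: oif "br0" ip saddr 10.10.10.10 ip daddr 10.10.20.20 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 26448 ip length 60 tcp sport 34188 tcp dport 80 tcp flags == syn tcp window 64240
trace id fd9543bc ip raw OUTPUT rule meta l4proto tcp ip daddr 10.10.20.20 counter packets 52 bytes 4540 meta nftrace set 1 (verdict continue)
trace id fd9543bc ip raw OUTPUT verdict continue
trace id fd9543bc ip raw OUTPUT policy accept
trace id fd9543bc ip filter OUTPUT packet: oif "br0" ip saddr 10.10.10.10 ip daddr 127.1.1.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 26448 ip length 60 tcp sport 34188 tcp dport 8080 tcp flags == syn tcp window 64240
trace id fd9543bc ip filter OUTPUT verdict continue
trace id fd9543bc ip filter OUTPUT policy accept
trace id fd9543bc inet filter output packet: oif "br0" ip saddr 10.10.10.10 ip daddr 127.1.1.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 26448 ip protocol tcp ip length 60 tcp sport 34188 tcp dport 8080 tcp flags == syn tcp window 64240
trace id fd9543bc inet filter output verdict continue
trace id fd9543bc inet filter output policy accept
"""

# Only "packet:" lines carry a full header snapshot; rule/verdict/policy lines are skipped.
PACKET_RE = re.compile(
    r'^trace id (?P<tid>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) (?P<chain>\S+) '
    r'packet: (?P<fields>.*)$'
)
# Fields worth diffing for NAT diagnosis (assumption: addresses and L4 ports only).
FIELD_RE = re.compile(
    r'\b(ip saddr|ip daddr|tcp sport|tcp dport|udp sport|udp dport) (\S+)'
)


def parse_packet_lines(text):
    """Return {trace_id: [(hook_stage, {field: value}), ...]} in order of appearance."""
    traces = defaultdict(list)
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group('fields')))
        stage = f"{m.group('family')} {m.group('table')} {m.group('chain')}"
        traces[m.group('tid')].append((stage, fields))
    return dict(traces)


def find_rewrites(traces):
    """Diff consecutive snapshots of each trace id and report every changed field,
    together with the pair of hooks between which the change became visible."""
    rewrites = []
    for tid, snaps in traces.items():
        for (prev_stage, prev), (stage, cur) in zip(snaps, snaps[1:]):
            for key in sorted(set(prev) | set(cur)):
                if prev.get(key) != cur.get(key):
                    rewrites.append({
                        'trace_id': tid,
                        'between': (prev_stage, stage),
                        'field': key,
                        'before': prev.get(key),
                        'after': cur.get(key),
                    })
    return rewrites


def report(text):
    """Human-readable summary; returns the list of lines it would print."""
    lines = []
    for rw in find_rewrites(parse_packet_lines(text)):
        lines.append(
            f"{rw['trace_id']}: {rw['field']} {rw['before']} -> {rw['after']} "
            f"(between '{rw['between'][0]}' and '{rw['between'][1]}')"
        )
    return lines


if __name__ == '__main__':
    for line in report(SAMPLE_TRACE):
        print(line)
```

Run against a live capture with `nft monitor trace | python3 trace_diff.py` (after changing the script to read stdin) and the output pins the rewrite to the hook boundary where NAT is applied. That localisation is the useful part for the question asked here: a rule in the raw table runs before conntrack and NAT and so can only observe the untranslated packet, not stop the translation; the translation itself has to be addressed in the nat table or in conntrack state.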
