Masquerading, port number weirdness!

From: Christian Robottom Reis (kiko@async.com.br)
Date: Wed May 17 2000 - 17:56:05 EDT


    [Sorry for cross-posting, rustcorp.com is dead!]

    My masqueraded boxes inside a simple ethernet network fail to connect to
    certain websites (nfs.sourceforge.net is a clean example). The gateway
    itself connects fine; tracing connections through my external link down
    with a packet analyzer I see the following:

    Originating request on the gateway/masquerader: normal tcp handshake goes
    fine, connection is established, we send HTTP request, get an ack and data
    starts flowing in.

    Originating request on an internal box: normal tcp handshake, connection
    ok, we send HTTP request, get the ack and then, _nothing happens_.

    No data flows in!

    The only difference I can spot is the high source port numbers, but this
    shouldn't be a problem, should it? Masqueraded connections go out from
    ports > 62000 and normal connections stay < 2000. But apart from that, I
    can see no real difference. The HTTP response is simply never sent!

    The configuration is the simplest possible and works for just about
    anywhere I've tried (it's a simple -I forward -s 192.168.99.0/24 -j MASQ).

    This happens with yahoo's images as well, served from yimg.com, and on
    several other sites. I first dismissed it as a network problem, but then I
    noticed that from my gateway I could connect. Mighty strange. Seems like
    it's limited to the web, and we're not proxying anything that I can see.

    I begin to think this has nothing to do with masquerading; it's just being
    triggered by the high port numbers. Is there a way to bind to these high
    port numbers? It seems they're reserved and I can't bind to anything over
    62000. Seems like somebody out there is filtering out the high destination
    ports.

    Anyone seen anything like it? Could some router along the way be killing
    high source port numbers? Security measures?

    Cheers,

    --
     /\    Christian Reis exists solely to answer kiko@async.com.br
    \'`/ Async Free SW Development | http://async.com.br | +55 16 274 2497
    

    - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
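The comparison the post makes by eye (handshake completes, request is ACKed, then no response data ever arrives, and only for the high masqueraded source ports) can be automated over a capture. The following Python script is an added example and is not code from the original post or from the masquerading code it discusses. It tracks each TCP flow from its SYN, classifies flows whose request was acknowledged but never answered as "stalled", and groups the result by the client source-port ranges the post names (masqueraded > 62000, gateway-local < 2000). The tcpdump-style sample lines, the addresses and the port numbers are constructed for the example; the thresholds are the ones reported in the post, not a property of any particular kernel.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a capture from the post). Two flows
# use source ports in the masquerade range reported in the post (>62000)
# and stall after the request is ACKed; the gateway's own flow (port 1025)
# receives response data.
SAMPLE_CAPTURE = """\
IP 10.0.0.1.1025 > 198.51.100.7.80: Flags [S], length 0
IP 198.51.100.7.80 > 10.0.0.1.1025: Flags [S.], length 0
IP 10.0.0.1.1025 > 198.51.100.7.80: Flags [.], length 0
IP 10.0.0.1.1025 > 198.51.100.7.80: Flags [P.], length 120
IP 198.51.100.7.80 > 10.0.0.1.1025: Flags [.], length 0
IP 198.51.100.7.80 > 10.0.0.1.1025: Flags [P.], length 1460
IP 10.0.0.1.62345 > 198.51.100.7.80: Flags [S], length 0
IP 198.51.100.7.80 > 10.0.0.1.62345: Flags [S.], length 0
IP 10.0.0.1.62345 > 198.51.100.7.80: Flags [.], length 0
IP 10.0.0.1.62345 > 198.51.100.7.80: Flags [P.], length 118
IP 198.51.100.7.80 > 10.0.0.1.62345: Flags [.], length 0
IP 10.0.0.1.63010 > 203.0.113.9.80: Flags [S], length 0
IP 203.0.113.9.80 > 10.0.0.1.63010: Flags [S.], length 0
IP 10.0.0.1.63010 > 203.0.113.9.80: Flags [.], length 0
IP 10.0.0.1.63010 > 203.0.113.9.80: Flags [P.], length 130
IP 203.0.113.9.80 > 10.0.0.1.63010: Flags [.], length 0
"""

# Matches the minimal fields needed: endpoints, TCP flags and payload length.
LINE_RE = re.compile(
    r"IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)"
)


def parse_flows(capture):
    """Return {(client, server): state} where client is the SYN sender."""
    flows = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = (m["sip"], int(m["sport"]))
        dst = (m["dip"], int(m["dport"]))
        flags, length = m["flags"], int(m["len"])
        if "S" in flags and "." not in flags:          # bare SYN opens a flow
            flows[(src, dst)] = {"synack": False, "request": False,
                                 "request_acked": False, "response": False}
            continue
        if (src, dst) in flows:
            key, from_server = (src, dst), False
        elif (dst, src) in flows:
            key, from_server = (dst, src), True
        else:
            continue                                    # packet of an unseen flow
        st = flows[key]
        if from_server:
            if "S" in flags and "." in flags:
                st["synack"] = True
            elif length > 0:
                st["response"] = True                   # server payload arrived
            elif "." in flags and st["request"]:
                st["request_acked"] = True              # pure ACK of our request
        elif length > 0:
            st["request"] = True                        # client sent the HTTP request
    return flows


def classify(st):
    """Name the stage at which a flow stopped making progress."""
    if st["response"]:
        return "ok"
    if not st["synack"]:
        return "no-synack"
    if not st["request"]:
        return "no-request"
    if st["request_acked"]:
        return "stalled"          # the symptom in the post: ACKed, then nothing
    return "request-unacked"


def port_bucket(port):
    # Boundaries taken from the post: masqueraded > 62000, gateway-local < 2000.
    if port > 62000:
        return "masq (>62000)"
    if port < 2000:
        return "local (<2000)"
    return "other"


def summarize(capture):
    """Count flow outcomes per client source-port range."""
    by_bucket = defaultdict(lambda: defaultdict(int))
    for (client, _server), st in parse_flows(capture).items():
        by_bucket[port_bucket(client[1])][classify(st)] += 1
    return {bucket: dict(counts) for bucket, counts in by_bucket.items()}


if __name__ == "__main__":
    for bucket, counts in summarize(SAMPLE_CAPTURE).items():
        print(f"{bucket}: {counts}")
```

If every "stalled" flow lands in one source-port bucket while flows from other ports to the same servers complete, the problem follows the port range rather than the destination, which is the distinction the post is trying to draw. Feeding the script real `tcpdump` output would need the regex extended for timestamps and sequence numbers; the constructed lines keep only the fields the classification uses.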



    This archive was generated by hypermail 2b29 : Wed May 17 2000 - 18:00:17 EDT