how to get srcnat modified src ip/port after postrouting

Hi folks

Do you think it is possible to create a new chain, maybe using a sort of trick (through virtual interfaces, bridges, etc.), to have extra processing just after the srcnat rules (immediately after postrouting)? My goal is to discover the IP used as src IP/port as applied by the src-nat rules.

To clarify, before the src-nat action, I have a client request to dst TCP port 80 and dst IP a.b.c.d using private src IP x.y.z.w and src port K. How may I discover the new src IP as output of the src-nat action, immediately before the packet leaves the router, using src IP x1.y1.z1.w1 and src port K1?

I had already received several suggestions in the past to use other ways like packet flow and accounting, but these are not feasible and didn't fit my requirements. The solution, if it exists, needs to use firewall chains.

Thanks a lot for your interest in the question.


have a nice day

Is src a.b.c.d and dst x.y.z.w already known?
Is it a kind of traffic logging that you want?

If it helps to describe the solution: yes, consider that we already know the private src IP/port and dst IP/port, and we want to know the modified public src IP/port as built by the src-nat rule. The requirement is that this NATted src IP/port must be recorded/logged automatically by a firewall/filter/nat rule.

- Create a bridge which includes the internet-connected interface.
- Change the interface of the external IP to the bridge.
- Create a mangle rule in the firewall forward chain with action mark-connection and passthrough.
- Create a second mangle rule in the firewall forward chain which uses the connection mark to mark the packets.
- Finally, create a log rule in the bridge output chain that uses the packet mark.

Prepare to have a massive log, but that's another problem :wink:

Edit:

/ip firewall mangle
add action=mark-connection chain=forward dst-address=8.8.8.8 new-connection-mark=GDNS-conn
add action=log chain=forward connection-mark=GDNS-conn connection-state=new log-prefix=FW-GDNS
add action=mark-packet chain=forward connection-mark=GDNS-conn connection-state=new new-packet-mark=GDNS-pack passthrough=no
/interface bridge filter
add action=log chain=output log-prefix=BR-GDNS packet-mark=GDNS-pack

This will result in logged packets only for new connections being established.
Results in the log:

23:18:39 firewall,info FW-GDNS forward: in:pppoe-rt-bfs-3 out:br-int, proto UDP, 172.32.1.2:1142->8.8.8.8:53, len 68
23:18:39 firewall,info BR-GDNS output: in:(none) out:ether5, src-mac 00:0c:42:b4:8a:61, dst-mac 00:33:43:79:c3:d0, eth-proto 0800, UDP, 96.110.62.55:1142->8.8.8.8:53, len 68
23:18:39 firewall,info FW-GDNS forward: in:pppoe-rt-bfs-3 out:br-int, proto UDP, 172.32.1.2:1143->8.8.8.8:53, len 64
23:18:39 firewall,info BR-GDNS output: in:(none) out:ether5, src-mac 00:0c:42:b4:8a:61, dst-mac 00:33:43:79:c3:d0, eth-proto 0800, UDP, 96.110.62.55:1143->8.8.8.8:53, len 64

Hi peson

it’s working :slight_smile:

thank you so much for the effort you applied to solve my problem.

really appreciated.

have a nice day!

Thanks for your appreciation.