Friday, December 1, 2017

nmap -p 9000 arrives on port 80... what the hell?

Hey /r/networking!

I'm working on a really strange thing. I want to set up a connection to a server located at $locA in a DMZ network. My test box is sitting in $locB. The server needs to be reachable on tcp/9000, tcp/5000 and tcp/102. I set up DNAT rules on the remote-side firewall so those ports are forwarded to the server sitting in the DMZ (using an RFC1918 address).

Both my test box and the firewall at the remote side are Linux boxes with your usual array of network tools.

To test the connection, I use nmap on my side. My public IP is 1.2.3.4, remote side is 5.6.7.8. When I run

nmap -p 9000 5.6.7.8 

the resulting tcpdump on the remote side looks like this:

15:50:52.568247 IP 1.2.3.4.52056 > 5.6.7.8.80: Flags [S], seq 3553520961, win 29200, options [mss 1380,sackOK,TS val 3258462 ecr 0,nop,wscale 7], length 0
15:50:52.568495 IP 5.6.7.8.80 > 1.2.3.4.52056: Flags [S.], seq 224129858, ack 3553520962, win 28960, options [mss 1460,sackOK,TS val 351697989 ecr 3258462], length 0
15:50:52.596307 IP 1.2.3.4.52056 > 5.6.7.8.80: Flags [.], ack 1, win 29200, options [nop,nop,TS val 3258469 ecr 351697989], length 0
15:50:52.602374 IP 1.2.3.4.52056 > 5.6.7.8.80: Flags [R.], seq 1, ack 1, win 29200, options [nop,nop,TS val 3258469 ecr 351697989], length 0

Yup, that's right: I send a packet on port 9000 and it arrives on port 80. The very same thing happens using port 5000 and 102.

If I try the same thing with -p 80, tcpdump looks the same. Using -p 443, I see a TCP handshake on port 443. But if I use any other port, the packets arrive on port 80.

What the actual fuck is happening here? Am I subject to some provider-side NAT? Anybody else seen this happening? I'm thoroughly confused.

//edit: Adding to this, I have tcptraceroute on both sides, but it doesn't seem to work. Whatever parameters I feed to it, it stops with this message: libnet_write failed? Attempted to write 40 bytes, only wrote -1


