Hello again Tom, After a busy week I got back to this and I have some
interesting data. After a bit more than 2 hours of monitoring, in tcpdump I
found the time that the first packets start to be directed
(inappropriately) via wlan1 to the address that was the original
destination, 10.1.0.252.
Around that time I found the following conntrack -E entries (readable times
added):
08:47:57 [1525420077.899523] [DESTROY] udp 17 src=10.1.0.3
dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40
sport=5060 dport=5060 [ASSURED] delta-time=1423
08:48:14 [1525420094.949138] [NEW] udp 17 3607 src=10.1.0.3
dst=10.1.0.252 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.35
dst=192.168.1.40 sport=5060 dport=5060 helper=sip
08:48:39 [1525420119.414182] [UPDATE] udp 17 3600 src=10.1.0.3
dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40
sport=5060 dport=5060 helper=sip
08:48:39 [1525420119.414356] [UPDATE] udp 17 3600 src=10.1.0.3
dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40
sport=5060 dport=5060 [ASSURED] helper=sip
09:04:39 [1525421079.191758] [DESTROY] udp 17 src=10.1.0.3
dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40
sport=5060 dport=5060 [ASSURED] delta-time=985
09:04:39 [1525421079.791446] [NEW] udp 17 3613 src=10.1.0.3
dst=10.1.0.252 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.35
dst=10.1.0.3 sport=5060 dport=5060 helper=sip
Suddenly the DST address is different.
The corresponding tcpdump data on vlan1 is:
09:03:12.540129 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: REGISTER
sip:10.1.0.252 SIP/2.0
09:03:12.570423 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 200 OK
09:03:14.969710 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP
09:03:39.763456 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
sip:10.1.0.252 SIP/2.0
09:03:39.790185 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 504 Server
Time-out
09:03:39.790307 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 504 Server
Time-out
09:03:39.790426 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 504 Server
Time-out
09:04:14.970098 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP
09:04:39.791168 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
sip:10.1.0.252 SIP/2.0
09:04:39.791424 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS sip:
192.168.1.35:5060 SIP/2.0
09:04:40.791264 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
sip:10.1.0.252 SIP/2.0
09:04:40.791467 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS sip:
192.168.1.35:5060 SIP/2.0
09:04:41.790606 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
sip:10.1.0.252 SIP/2.0
09:04:41.790809 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS sip:
192.168.1.35:5060 SIP/2.0
09:04:42.791197 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
sip:10.1.0.252 SIP/2.0
09:04:42.791402 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS sip:
192.168.1.35:5060 SIP/2.0
09:04:43.790635 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
sip:10.1.0.252 SIP/2.0
09:04:43.790846 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS sip:
192.168.1.35:5060 SIP/2.0
09:04:53.791447 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
sip:10.1.0.252 SIP/2.0
Before and after that section, the addresses on vlan1 are always 10.1.0.3
and 10.1.0.252 as they should be.
I also was running tcpdump on wlan1:
(earlier entries are all between 192.168.1.40 and 192.168.1.35)
09:04:14.970293 IP 192.168.1.40.5060 > 192.168.1.35.5060: SIP
09:04:53.791704 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS sip:
192.168.1.35:5060 SIP/2.0
09:04:54.791616 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS sip:
192.168.1.35:5060 SIP/2.0
09:04:55.792774 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS sip:
192.168.1.35:5060 SIP/2.0
(subsequent entries are all from 10.1.0.3 to 192.168.1.35 without responses)
The most interesting part perhaps is syslog, including the output of
shorewall iptrace -p udp --destination-port 5060:
May 4 09:04:09 voyage3 dhclient[1664]: DHCPREQUEST of 192.168.1.40 on
wlan1 to 192.168.1.35 port 67 (xid=0x5104a2ea)
May 4 09:04:14 voyage3 kernel: [477354.231212] TRACE:
raw:PREROUTING:rule:13 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=31 TOS=0x00 PREC=0x60 TTL=64 ID=37212 PROTO=UDP SPT=5060 DPT=5060
LEN=11
May 4 09:04:14 voyage3 kernel: [477354.231243] TRACE:
raw:PREROUTING:policy:14 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=31 TOS=0x00 PREC=0x60 TTL=64 ID=37212 PROTO=UDP SPT=5060 DPT=5060
LEN=11
May 4 09:04:14 voyage3 kernel: [477354.231267] TRACE:
mangle:PREROUTING:policy:1 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=31 TOS=0x00 PREC=0x60 TTL=64 ID=37212 PROTO=UDP SPT=5060 DPT=5060
LEN=11
May 4 09:04:14 voyage3 kernel: [477354.231297] TRACE:
mangle:FORWARD:rule:1 IN=vlan1 OUT=wlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=31 TOS=0x00 PREC=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060
LEN=11
May 4 09:04:14 voyage3 kernel: [477354.231315] TRACE:
mangle:FORWARD:policy:2 IN=vlan1 OUT=wlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=31 TOS=0x00 PREC=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060
LEN=11
May 4 09:04:14 voyage3 kernel: [477354.231332] TRACE:
filter:FORWARD:rule:1 IN=vlan1 OUT=wlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=31 TOS=0x00 PREC=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060
LEN=11
May 4 09:04:14 voyage3 kernel: [477354.231353] TRACE:
filter:clean_frwd:rule:2 IN=vlan1 OUT=wlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=31 TOS=0x00 PREC=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060
LEN=11
May 4 09:04:14 voyage3 kernel: [477354.231368] TRACE:
mangle:POSTROUTING:policy:1 IN= OUT=wlan1 SRC=10.1.0.3 DST=192.168.1.35
LEN=31 TOS=0x00 PREC=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060
LEN=11
May 4 09:04:24 voyage3 dhclient[1664]: message repeated 3 times: [
DHCPREQUEST of 192.168.1.40 on wlan1 to 192.168.1.35 port 67
(xid=0x5104a2ea)]
May 4 09:04:34 voyage3 dhclient[1664]: DHCPREQUEST of 192.168.1.40 on
wlan1 to 255.255.255.255 port 67 (xid=0x5104a2ea)
May 4 09:04:39 voyage3 avahi-daemon[980]: Withdrawing address record for
192.168.1.40 on wlan1.
May 4 09:04:39 voyage3 avahi-daemon[980]: Leaving mDNS multicast group on
interface wlan1.IPv4 with address 192.168.1.40.
May 4 09:04:39 voyage3 avahi-daemon[980]: Interface wlan1.IPv4 no longer
relevant for mDNS.
May 4 09:04:39 voyage3 dhclient[1664]: DHCPDISCOVER on wlan1 to
255.255.255.255 port 67 interval 3 (xid=0xd862dc03)
May 4 09:04:39 voyage3 kernel: [477379.054124] TRACE:
raw:PREROUTING:rule:13 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:39 voyage3 kernel: [477379.054148] TRACE:
raw:PREROUTING:policy:14 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:39 voyage3 kernel: [477379.054169] TRACE:
mangle:PREROUTING:policy:1 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:39 voyage3 kernel: [477379.054184] TRACE:
nat:PREROUTING:rule:1 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:39 voyage3 kernel: [477379.054224] TRACE:
mangle:FORWARD:rule:1 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:39 voyage3 kernel: [477379.054236] TRACE:
mangle:FORWARD:policy:2 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:39 voyage3 kernel: [477379.054248] TRACE:
filter:FORWARD:rule:1 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:39 voyage3 kernel: [477379.054262] TRACE:
filter:clean_frwd:rule:1 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:39 voyage3 kernel: [477379.054276] TRACE:
filter:dynamic:return:1 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:39 voyage3 kernel: [477379.054288] TRACE:
filter:clean_frwd:rule:4 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:39 voyage3 kernel: [477379.054297] TRACE:
mangle:POSTROUTING:policy:1 IN= OUT=vlan1 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:39 voyage3 kernel: [477379.054306] TRACE:
nat:POSTROUTING:policy:3 IN= OUT=vlan1 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:40 voyage3 kernel: [477380.054284] TRACE:
raw:PREROUTING:rule:13 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37214 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:40 voyage3 kernel: [477380.054308] TRACE:
raw:PREROUTING:policy:14 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37214 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:40 voyage3 kernel: [477380.054326] TRACE:
mangle:PREROUTING:policy:1 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37214 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:40 voyage3 kernel: [477380.054360] TRACE:
mangle:FORWARD:rule:1 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:40 voyage3 kernel: [477380.054373] TRACE:
mangle:FORWARD:policy:2 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:40 voyage3 kernel: [477380.054386] TRACE:
filter:FORWARD:rule:1 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:40 voyage3 kernel: [477380.054400] TRACE:
filter:clean_frwd:rule:1 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:40 voyage3 kernel: [477380.054414] TRACE:
filter:dynamic:return:1 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:40 voyage3 kernel: [477380.054427] TRACE:
filter:clean_frwd:rule:4 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:40 voyage3 kernel: [477380.054437] TRACE:
mangle:POSTROUTING:policy:1 IN= OUT=vlan1 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:41 voyage3 ntpd[2704]: Deleting interface #80 wlan1,
192.168.1.40#123, interface stats: received=0, sent=15, dropped=0,
active_time=992 secs
May 4 09:04:41 voyage3 kernel: [477381.053708] TRACE:
raw:PREROUTING:rule:13 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37215 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:41 voyage3 kernel: [477381.053731] TRACE:
raw:PREROUTING:policy:14 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37215 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:41 voyage3 kernel: [477381.053750] TRACE:
mangle:PREROUTING:policy:1 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37215 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:41 voyage3 kernel: [477381.053783] TRACE:
mangle:FORWARD:rule:1 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:41 voyage3 kernel: [477381.053795] TRACE:
mangle:FORWARD:policy:2 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:41 voyage3 kernel: [477381.053807] TRACE:
filter:FORWARD:rule:1 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:41 voyage3 kernel: [477381.053821] TRACE:
filter:clean_frwd:rule:1 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:41 voyage3 kernel: [477381.053835] TRACE:
filter:dynamic:return:1 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:41 voyage3 kernel: [477381.053847] TRACE:
filter:clean_frwd:rule:4 IN=vlan1 OUT=vlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:41 voyage3 kernel: [477381.053856] TRACE:
mangle:POSTROUTING:policy:1 IN= OUT=vlan1 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:42 voyage3 dhclient[1664]: DHCPDISCOVER on wlan1 to
255.255.255.255 port 67 interval 8 (xid=0xd862dc03)
...
similar
...
May 4 09:04:50 voyage3 dhclient[1664]: DHCPDISCOVER on wlan1 to
255.255.255.255 port 67 interval 9 (xid=0xd862dc03)
May 4 09:04:50 voyage3 dhclient[1664]: DHCPREQUEST of 192.168.1.40 on
wlan1 to 255.255.255.255 port 67 (xid=0x3dc62d8)
May 4 09:04:50 voyage3 dhclient[1664]: DHCPOFFER of 192.168.1.40 from
192.168.1.35
May 4 09:04:50 voyage3 dhclient[1664]: DHCPACK of 192.168.1.40 from
192.168.1.35
May 4 09:04:50 voyage3 systemd[1]: Reloading LSB: start Samba SMB/CIFS
daemon (smbd).
May 4 09:04:50 voyage3 smbd[4693]: * Reloading /etc/samba/smb.conf smbd
May 4 09:04:50 voyage3 smbd[4693]: ...done.
May 4 09:04:50 voyage3 systemd[1]: Reloaded LSB: start Samba SMB/CIFS
daemon (smbd).
May 4 09:04:50 voyage3 avahi-daemon[980]: Joining mDNS multicast group on
interface wlan1.IPv4 with address 192.168.1.40.
May 4 09:04:50 voyage3 avahi-daemon[980]: New relevant interface
wlan1.IPv4 for mDNS.
May 4 09:04:50 voyage3 avahi-daemon[980]: Registering new address record
for 192.168.1.40 on wlan1.IPv4.
May 4 09:04:50 voyage3 dhclient[1664]: bound to 192.168.1.40 -- renewal in
30 seconds.
May 4 09:04:52 voyage3 ntpd[2704]: Listen normally on 81 wlan1
192.168.1.40:123
May 4 09:04:52 voyage3 ntpd[2704]: new interface(s) found: waking up
resolver
May 4 09:04:53 voyage3 kernel: [477393.055430] TRACE:
raw:PREROUTING:rule:13 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37218 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:53 voyage3 kernel: [477393.055460] TRACE:
raw:PREROUTING:policy:14 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37218 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:53 voyage3 kernel: [477393.055484] TRACE:
mangle:PREROUTING:policy:1 IN=vlan1 OUT=
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252
LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37218 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:53 voyage3 kernel: [477393.055509] TRACE:
mangle:FORWARD:rule:1 IN=vlan1 OUT=wlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:53 voyage3 kernel: [477393.055527] TRACE:
mangle:FORWARD:policy:2 IN=vlan1 OUT=wlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:53 voyage3 kernel: [477393.055544] TRACE:
filter:FORWARD:rule:1 IN=vlan1 OUT=wlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:53 voyage3 kernel: [477393.055566] TRACE:
filter:clean_frwd:rule:1 IN=vlan1 OUT=wlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:53 voyage3 kernel: [477393.055587] TRACE:
filter:dynamic:return:1 IN=vlan1 OUT=wlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:53 voyage3 kernel: [477393.055608] TRACE:
filter:clean_frwd:rule:5 IN=vlan1 OUT=wlan1
MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP SPT=5060 DPT=5060
LEN=525
May 4 09:04:53 voyage3 kernel: [477393.055622] TRACE:
mangle:POSTROUTING:policy:1 IN= OUT=wlan1 SRC=10.1.0.3 DST=192.168.1.35
LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP SPT=5060 DPT=5060
LEN=525
So, what it looks like to me, is that the communications device fails to
respond to DHCP; avahi-daemon (which isn't relevant on this box) is taking
the interface down; the interface recovers, but iptables/shorewall do not,
unless and until I do a conntrack -F.
On spec, I have done: systemctl disable/stop avahi-daemon.service/.socket.
I will be very interested in your assessment.
Best regards, Norm
On Sun, Apr 29, 2018 at 6:47 PM, Norman Henderson <norm.aud...@gmail.com>
wrote:
> Thanks again Tom. I have determined that conntrack -F sends the next
> packet through the nat table and it works correctly. So, I have set a trap,
> with tcpdump on both interfaces, shorewall trace, and conntrack -E; in a
> while I should have results (if the disk doesn't fill up first!)
>
> On Sun, Apr 29, 2018 at 4:30 PM, Tom Eastep <teas...@shorewall.net> wrote:
>
>> On 04/28/2018 10:17 PM, Norman Henderson wrote:
>> > SO, UDP NAT has continued to happen overnight... Keeping that in mind
>> > here is what I get immediately after conntrack -F :
>> >
>> > Apr 29 06:03:50 voyage3 kernel: [34497.236640] TRACE:
>> > raw:PREROUTING:policy:13 IN=vlan1 OUT=
>> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
>> > DST=10.1.0.252 LEN=411 TOS=0x00 PREC=0x60 TTL=64 ID=53015 PROTO=UDP
>> > SPT=5060 DPT=5060 LEN=391
>> > Apr 29 06:03:50 voyage3 kernel: [34497.236685] TRACE:
>> > mangle:PREROUTING:policy:1 IN=vlan1 OUT=
>> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
>> > DST=10.1.0.252 LEN=411 TOS=0x00 PREC=0x60 TTL=64 ID=53015 PROTO=UDP
>> > SPT=5060 DPT=5060 LEN=391
>> > Apr 29 06:03:50 voyage3 kernel: [34497.236716] TRACE:
>> > mangle:FORWARD:rule:1 IN=vlan1 OUT=wlan1
>> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
>> > DST=192.168.1.35 LEN=411 TOS=0x00 PREC=0x60 TTL=63 ID=53015 PROTO=UDP
>> > SPT=5060 DPT=5060 LEN=391
>>
>> Note that the DST IP address changed without the packet going through
>> the nat table. That means that there was already a conntrack entry in
>> place. Were you tracing when you did the 'conntrack -F'?
>>
>> -Tom
>>
>> Note: It is also odd that each trace message was repeated. I deleted the
>> duplicates in the output above.
>>
>> --
>> Tom Eastep \ Q: What do you get when you cross a mobster with
>> Shoreline, \ an international standard?
>> Washington, USA \ A: Someone who makes you an offer you can't
>> http://shorewall.org \ understand
>> \_______________________________________________
>>
>>
>>
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>>
>
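Added example, not part of the original messages: a small Python script that reads conntrack -E event lines and reports when a flow with the same original tuple is re-created with a different reply tuple, which is the change visible at 09:04:39 in the events quoted above. The function names are illustrative, and the sample input is the six events from the message re-joined onto single lines.

```python
import re
from typing import NamedTuple, Optional

# Constructed input: the six conntrack -E events quoted in the message above,
# re-joined so that each event sits on one line.
SAMPLE = """\
08:47:57 [1525420077.899523] [DESTROY] udp 17 src=10.1.0.3 dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40 sport=5060 dport=5060 [ASSURED] delta-time=1423
08:48:14 [1525420094.949138] [NEW] udp 17 3607 src=10.1.0.3 dst=10.1.0.252 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.35 dst=192.168.1.40 sport=5060 dport=5060 helper=sip
08:48:39 [1525420119.414182] [UPDATE] udp 17 3600 src=10.1.0.3 dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40 sport=5060 dport=5060 helper=sip
08:48:39 [1525420119.414356] [UPDATE] udp 17 3600 src=10.1.0.3 dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40 sport=5060 dport=5060 [ASSURED] helper=sip
09:04:39 [1525421079.191758] [DESTROY] udp 17 src=10.1.0.3 dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40 sport=5060 dport=5060 [ASSURED] delta-time=985
09:04:39 [1525421079.791446] [NEW] udp 17 3613 src=10.1.0.3 dst=10.1.0.252 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.35 dst=10.1.0.3 sport=5060 dport=5060 helper=sip
"""

EVENT_RE = re.compile(r"\[(\d+\.\d+)\]\s+\[(NEW|UPDATE|DESTROY)\]\s+(\w+)")
FIELD_RE = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


class Flow(NamedTuple):
    src: str
    dst: str
    sport: str
    dport: str


def parse_event(line: str) -> Optional[dict]:
    """Split one event into its original-direction and reply-direction tuples."""
    head = EVENT_RE.search(line)
    fields = FIELD_RE.findall(line)
    if not head or len(fields) < 8:      # not an event, or no port-based tuples
        return None
    return {"ts": float(head.group(1)), "event": head.group(2),
            "proto": head.group(3),
            "orig": Flow(**dict(fields[:4])), "reply": Flow(**dict(fields[4:8]))}


def nat_kind(orig: Flow, reply: Flow) -> str:
    """Name the rewrites implied by comparing the two directions of an entry."""
    kinds = []
    if reply.src != orig.dst:            # replies come from another address: DNAT
        kinds.append("DNAT")
    if reply.dst != orig.src:            # replies go to another address: SNAT
        kinds.append("SNAT")
    return "+".join(kinds) or "none"


def mapping_changes(lines) -> list:
    """Report each NEW event whose reply tuple differs from the previous NEW
    event that had the same protocol and original tuple."""
    last_new, changes = {}, []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] != "NEW":
            continue
        key = (ev["proto"], ev["orig"])
        prev = last_new.get(key)
        if prev is not None and prev != ev["reply"]:
            changes.append({"ts": ev["ts"], "orig": ev["orig"],
                            "before": prev, "after": ev["reply"]})
        last_new[key] = ev["reply"]
    return changes


if __name__ == "__main__":
    for c in mapping_changes(SAMPLE.splitlines()):
        print(c["ts"], nat_kind(c["orig"], c["before"]), "->",
              nat_kind(c["orig"], c["after"]))
        print("  reply before:", c["before"])
        print("  reply after: ", c["after"])
```

On this input the one reported change is the 09:04:39 entry, whose reply tuple keeps src=192.168.1.35 but has dst=10.1.0.3 instead of 192.168.1.40, matching the tcpdump lines that show 10.1.0.3 > 192.168.1.35.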