source IP 8.8.8.8 in OUTPUT chain #135
Replies: 4 comments
-
|
Maybe due to intercept RELATED packages. Remove it from firewall/rules.go: and see if you reproduce it. Anyway, there're many packets that we intercept even without RELATED. TCP_FIN states, etc... no idea why (for example when connecting/reconnecting from a WIFI, or when coming back from suspend state) |
Beta Was this translation helpful? Give feedback.
-
|
I now know what was going on there, I was getting DNS responses from out INPUT rule in onPacket() I think we should avoid any similar confusion in the future and have 2 netfilter queues - 1 for DNS responses, another one for all OUTPUT connections. |
Beta Was this translation helpful? Give feedback.
-
|
This is worth debugging. If you can reproduce it easily you can sniff traffic to/from that port and analyze the response, and strace Did you try to add an additional rule for TCP packets coming from port 53? systemd-resolved seems to be common on ubuntu and derivatives. |
Beta Was this translation helpful? Give feedback.
-
|
strace()ing helped. Turns out resolved starts a TCP Fast Open connection But neither of those packets are shown in wireshark. Which I assume to mean that the packet never leaves the machine. I also assume that the response is crafted inside the kernel with a spoofed IP. |
Beta Was this translation helpful? Give feedback.
-
@gustavo-iniguez-goya , I noticed occasionally there are connections in func newConnectionImpl
like this:
followed by this problematic connection:
coming from /usr/lib/systemd/systemd-resolved
How can the source be 8.8.8.8 ?
Note that this is TCP, not UDP, so it's definitely NOT coming from our iptables rule
This connection is also present when I parse netlink.SocketsDump
Any thought are appreciated.
Beta Was this translation helpful? Give feedback.
All reactions