I recently started segmentation between several old subnets. For this I have set up two subnets (10.20.40.0/24 and 10.68.161.0/24). These two subnets are separated by the UTM.
IPs are:
- 10.68.161.1 = UTM
- 10.68.161.2 = my server = elastic02
- 10.20.40.24 = my workstation
Traffic coming from my workstation to the server via SSH shows no surprises:
terrzfor@elastic02 ~ % sudo tcpdump -n -i any "tcp[tcpflags] & (tcp-syn) != 0 and port 22"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:49:38.303560 IP 10.20.40.24.57120 > 10.68.161.2.22: Flags [S], seq 1808819620, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:49:38.303616 IP 10.68.161.2.22 > 10.20.40.24.57120: Flags [S.], seq 700548809, ack 1808819621, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
Traffic coming from my workstation flowing to the server via HTTPS apparently gets NATted:
terrzfor@elastic02 ~ % sudo tcpdump -n -i any "tcp[tcpflags] & (tcp-syn) != 0 and port 443"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:15:53.914602 IP 10.68.161.1.41436 > 10.68.161.2.443: Flags [S], seq 3613153771, win 29200, options [mss 1460,sackOK,TS val 1029716380 ecr 0,nop,wscale 7], length 0
15:15:53.914635 IP 10.68.161.2.443 > 10.68.161.1.41436: Flags [S.], seq 4016378411, ack 3613153772, win 28960, options [mss 1460,sackOK,TS val 189142402 ecr 1029716380,nop,wscale 7], length 0
15:15:53.918097 IP 10.68.161.1.41437 > 10.68.161.2.443: Flags [S], seq 1748235087, win 29200, options [mss 1460,sackOK,TS val 1029716381 ecr 0,nop,wscale 7], length 0
15:15:53.918131 IP 10.68.161.2.443 > 10.68.161.1.41437: Flags [S.], seq 30279257, ack 1748235088, win 28960, options [mss 1460,sackOK,TS val 189142405 ecr 1029716381,nop,wscale 7], length 0
15:15:53.918294 IP 10.68.161.1.41438 > 10.68.161.2.443: Flags [S], seq 2986924860, win 29200, options [mss 1460,sackOK,TS val 1029716381 ecr 0,nop,wscale 7], length 0
15:15:53.918311 IP 10.68.161.2.443 > 10.68.161.1.41438: Flags [S.], seq 3189393017, ack 2986924861, win 28960, options [mss 1460,sackOK,TS val 189142405 ecr 1029716381,nop,wscale 7], length 0
15:16:02.249337 IP 10.68.161.1.41503 > 10.68.161.2.443: Flags [S], seq 4207280564, win 29200, options [mss 1460,sackOK,TS val 1029718464 ecr 0,nop,wscale 7], length 0
15:16:02.249366 IP 10.68.161.2.443 > 10.68.161.1.41503: Flags [S.], seq 4256262539, ack 4207280565, win 28960, options [mss 1460,sackOK,TS val 189150736 ecr 1029718464,nop,wscale 7], length 0
15:16:15.138353 IP 10.68.161.1.41542 > 10.68.161.2.443: Flags [S], seq 1753472627, win 29200, options [mss 1460,sackOK,TS val 1029721687 ecr 0,nop,wscale 7], length 0
15:16:15.138383 IP 10.68.161.2.443 > 10.68.161.1.41542: Flags [S.], seq 1184620351, ack 1753472628, win 28960, options [mss 1460,sackOK,TS val 189163625 ecr 1029721687,nop,wscale 7], length 0
15:16:15.138862 IP 10.68.161.1.41543 > 10.68.161.2.443: Flags [S], seq 167746886, win 29200, options [mss 1460,sackOK,TS val 1029721687 ecr 0,nop,wscale 7], length 0
15:16:15.138885 IP 10.68.161.2.443 > 10.68.161.1.41543: Flags [S.], seq 785051466, ack 167746887, win 28960, options [mss 1460,sackOK,TS val 189163626 ecr 1029721687,nop,wscale 7], length 0
Any ideas which setting to use to adjust that behavior?
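An added check, not part of the original post and not a Sophos tool, that makes the comparison between the two captures mechanical: it parses tcpdump SYN lines, buckets each port's SYNs by whether the source is the client subnet or the gateway itself, and records the initial window and timestamp-option fingerprint, which differ between the workstation's direct SSH SYNs and the UTM-originated HTTPS SYNs. The gateway address and client subnet are taken from the post; the sample lines are constructed from its captures.

```python
import ipaddress
import re

# One tcpdump line as printed in the post, e.g.
# 15:15:53.914602 IP 10.68.161.1.41436 > 10.68.161.2.443: Flags [S], seq 3613153771, win 29200, options [mss 1460,sackOK,TS val 1029716380 ecr 0,nop,wscale 7], length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\],.*?"
    r"win (?P<win>\d+), options \[(?P<opts>[^\]]*)\]"
)

def parse_syns(lines):
    """Keep only pure SYNs (Flags [S]); SYN-ACKs and non-matching lines are dropped."""
    syns = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("flags") == "S":
            syns.append({"src": m.group("src"), "dport": int(m.group("dport")),
                         "win": int(m.group("win")), "has_ts": "TS val" in m.group("opts")})
    return syns

def origin_report(lines, gateway, client_net):
    """Per destination port: do SYNs arrive from the client subnet or from the gateway
    itself, and which initial window / timestamp-option fingerprint do they carry?
    A port whose SYNs all carry the gateway address is SNATted or proxied on the firewall."""
    net, gw = ipaddress.ip_network(client_net), ipaddress.ip_address(gateway)
    report = {}
    for s in parse_syns(lines):
        r = report.setdefault(s["dport"], {"from_gateway": 0, "from_client": 0,
                                           "other": 0, "wins": set(), "ts": set()})
        src = ipaddress.ip_address(s["src"])
        r["from_gateway" if src == gw else "from_client" if src in net else "other"] += 1
        r["wins"].add(s["win"])
        r["ts"].add(s["has_ts"])
    for r in report.values():
        r["verdict"] = "rewritten by gateway" if r["from_gateway"] and not r["from_client"] else "direct"
    return report

# Constructed sample modelled on the two captures above: one direct SSH handshake,
# then two HTTPS SYNs that already carry the UTM's own address.
SAMPLE = """\
14:49:38.303560 IP 10.20.40.24.57120 > 10.68.161.2.22: Flags [S], seq 1808819620, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:49:38.303616 IP 10.68.161.2.22 > 10.20.40.24.57120: Flags [S.], seq 700548809, ack 1808819621, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:15:53.914602 IP 10.68.161.1.41436 > 10.68.161.2.443: Flags [S], seq 3613153771, win 29200, options [mss 1460,sackOK,TS val 1029716380 ecr 0,nop,wscale 7], length 0
15:15:53.918097 IP 10.68.161.1.41437 > 10.68.161.2.443: Flags [S], seq 1748235087, win 29200, options [mss 1460,sackOK,TS val 1029716381 ecr 0,nop,wscale 7], length 0
""".splitlines()

if __name__ == "__main__":
    for port, r in sorted(origin_report(SAMPLE, "10.68.161.1", "10.20.40.0/24").items()):
        print(port, r["verdict"], r)
```

A port reported as "rewritten by gateway" is the one to trace back to the UTM's proxy or NAT rules, since the server will only ever log the firewall's address for it and client-based access control or logging on that port cannot work.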