Re: [LARTC] multiple uplinks/iptables -t nat -PREROUTING funny

Linux Advanced Routing and Traffic Control


>>>>> "Russell" == Russell Senior <seniorr@xxxxxxxxxxx> writes:

>>>>> "Martin" == Martin A Brown <mabrown-lartc@xxxxxxxxxxxxxx> writes:

Russell> When I connect to the port forwarded address from the
Russell> outside, it looks like the returning packets are getting
Russell> routed _before_ the source IP is translated (and thus aren't
Russell> matching a special rule and thus get routed according to the
Russell> default rule).  Everything else seems to be working fine.

Russell> Has anyone seen this?  Is it a bug or am I just confused?

Martin> This is not a bug--this is a fact of packet flow through the
Martin> kernel.  See the kernel packet traveling diagram (KPTD) [1]
Martin> for more details on the sequence of operations.  So to answer
Martin> your question: you must be confused!  :)

Russell> What that very nice diagram doesn't show is how the reply
Russell> packets to DNAT'd connections are handled.  The prima facie
Russell> evidence seems to be that DNAT was in the PREROUTING iptable
Russell> and "consequently" the reverse translation should occur
Russell> before routing.  That is the source of my confusion.

Martin> You should try adding just one more rule:

Martin> # ip rule add from 192.168.0.2 table T2

Russell> That would "work", but it is kind of messy.  What if I have a
Russell> second DNAT from IF1 that also forwards to 192.168.0.2?  It
Russell> would get complicated in a hurry.

Russell> All would be solved if the reverse translation just occurred
Russell> in PREROUTING as seems like it "should".  I don't understand
Russell> yet why it doesn't.  Perhaps there is a good reason that I
Russell> just don't see.  Or, maybe there isn't a good reason, and it
Russell> should be "fixed".  Too soon for me to say.

Just as a followup to this: a relatively clean solution is to mark the
reply packets:

  iptables -t mangle -I PREROUTING -m conntrack --ctstate DNAT --ctorigdst eee.fff.ggg.11 -j MARK --set-mark 2

  ip rule add fwmark 2 table T2

and make sure that rp_filter is appropriately off:

  echo 0 > /proc/sys/net/ipv4/conf/<if>/rp_filter



-- 
Russell Senior         ``I've seen every kind of critter God ever made,
seniorr@xxxxxxxxxxx      and I ain't never seen a meaner, lower, more
                         stinkin' yellow hypocrite than you!'' 
                                        -- Burl Ives as Rufus Hennessy
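The follow-up above gives the three pieces (conntrack-based mark, fwmark rule, rp_filter) for one forwarded address. The script below is an added example, not part of the original thread, that generates the same setup for several DNAT'd public addresses on one uplink, which is the "second DNAT from IF1" case raised earlier in the thread. Everything in it is assumed for illustration: the table name T2 is taken to exist in /etc/iproute2/rt_tables, the uplink is eth2 with gateway 203.0.113.1, the LAN is 192.168.0.0/24 on eth0, and 203.0.113.11 and 203.0.113.12 are constructed public addresses forwarded to 192.168.0.2. By default it only prints the commands; pass --apply to run them.

```shell
#!/bin/sh
# Added example (not from the original message): emit the DNAT, marking and
# policy-routing rules so that replies of forwarded connections leave through
# the uplink they arrived on.  All addresses and names below are constructed.

UPLINK_IF="eth2"          # assumed second uplink
UPLINK_GW="203.0.113.1"   # assumed gateway of that uplink
LAN_IF="eth0"             # assumed LAN-facing interface
LAN_NET="192.168.0.0/24"  # assumed LAN prefix
TABLE="T2"                # assumed to be defined in /etc/iproute2/rt_tables
MARK=2
# Constructed sample: public address -> internal server the DNAT targets.
FORWARDS="203.0.113.11:192.168.0.2 203.0.113.12:192.168.0.2"

# Print a command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the whole rule set, one command per line, so it can be reviewed.
build_rules() {
    # Table T2: the uplink's default route plus the LAN route, so that a
    # marked packet still reaches the LAN if it ever consults this table.
    run ip route replace default via "$UPLINK_GW" dev "$UPLINK_IF" table "$TABLE"
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    for pair in $FORWARDS; do
        pub=${pair%%:*}
        priv=${pair##*:}
        # The DNAT itself, restricted to the uplink the public address lives on.
        run iptables -t nat -A PREROUTING -i "$UPLINK_IF" -d "$pub" \
            -j DNAT --to-destination "$priv"
        # Replies come back from the LAN side; conntrack still knows the
        # original destination, so match on it and mark the packet before the
        # routing decision.  "-i $LAN_IF" keeps the mark off the inbound
        # direction, which would otherwise be forced into T2 as well.
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack \
            --ctstate DNAT --ctorigdst "$pub" -j MARK --set-mark "$MARK"
    done
    # Reverse-path filtering would drop replies whose best route (main table)
    # is not via this uplink; relax it only on the uplink interface.
    run sh -c "echo 0 > /proc/sys/net/ipv4/conf/$UPLINK_IF/rp_filter"
}

# Number of commands the generator produces (used as a sanity check).
count_rules() {
    build_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
fi
build_rules
```

Two things to check before applying it: the effective rp_filter value is the larger of conf/all/rp_filter and the per-interface value, so conf/all must not be left at 1, and on kernels that support it the loose mode (value 2, which only requires that some route back to the source exist) is a smaller hole than 0 for an Internet-facing interface. Keep the exception limited to the uplink that needs it rather than disabling reverse-path filtering globally.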

