Alec,

: I tried implementing DNAT as you indicated:
:
: iptables -t nat -i eth0 [...] -j DNAT --to-destination $BOX_B_ETH1
:
: After that, I can see SYN packets arriving on BOX_B_ETH1, having
: the original client's IP.

OK, that means DNAT + routing on your BOX_A is working correctly.

: Only half of the connection gets established after this: I cannot
: see ACK packets from box B anywhere (neither on BOX_B_ETH0, nor
: on BOX_A_ETH0).

This is where your problem lies now. You need to find out why the SYN
(which you said was transmitted to BOX_B_ETH1) is not getting accepted
by this IP stack.

* reverse path filtering (net.ipv4.conf.*.rp_filter)
* packet filtering rules on BOX_B?

: I think the reason is that since box A never sends a SYN packet
: itself, it never classifies the connection as ESTABLISHED, so all
: further traffic gets rejected. It's still a mystery to me what
: happens to SYN packets from be in this scenario however.

BOX_A will never have a socket in ESTABLISHED state. BOX_A will have a
state entry in the /proc/net/ip_conntrack table. Examine
/proc/net/ip_conntrack after sending a SYN to BOX_B.

: It turns out that I have to supplement DNAT with SNAT for this to work
: correctly.
:
: On box A:
:
: iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport $SERVER_PORT -j DNAT \
:     --to-destination $BOX_B_ETH1
: iptables -t nat -A POSTROUTING -d $BOX_B_ETH1 -p tcp -m tcp --dport $SERVER_PORT \
:     -j SNAT --to-source $BOX_A_ETH1

If this works, then I think your problem may be reverse path filtering.

: in this case, the clients can connect, however the server on B
: sees only IP of BOX_A_ETH1, not the original client IPs.

[ tproxy recommendation snipped ]

-Martin

-- 
Martin A. Brown
http://linux-ip.net/
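As an added example (not code from the thread or from either poster), a small Python parser for the /proc/net/ip_conntrack entries Martin suggests examining: given a constructed sample table, it infers from each entry whether DNAT and SNAT were applied and whether BOX_B ever replied, which separates the half-open symptom above from a working translation. The addresses, port 8080 and the table contents are assumptions.

```python
import re

# Constructed sample of /proc/net/ip_conntrack (not captured from the thread).
# Entry 1 is the symptom: DNAT rewrote the destination to BOX_B_ETH1, but
# BOX_B never answered, so the entry sits in SYN_SENT and stays [UNREPLIED].
# Entry 2 is the working DNAT+SNAT case: the reply tuple's dst is BOX_A_ETH1,
# which is why the server on B sees BOX_A's address instead of the client's.
SAMPLE_CONNTRACK = """\
tcp      6 118 SYN_SENT src=198.51.100.7 dst=203.0.113.10 sport=51234 dport=8080 [UNREPLIED] src=10.0.0.2 dst=198.51.100.7 sport=8080 dport=51234 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.8 dst=203.0.113.10 sport=51235 dport=8080 src=10.0.0.2 dst=10.0.0.1 sport=8080 dport=51235 [ASSURED] use=1
udp      17 29 src=198.51.100.9 dst=203.0.113.10 sport=40000 dport=53 src=203.0.113.10 dst=198.51.100.9 sport=53 dport=40000 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_entry(line):
    """Split one ip_conntrack line into its original and reply tuples."""
    fields = line.split()
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None  # not a tuple-bearing entry (or a format we don't handle)
    (osrc, odst, osport, odport), (rsrc, rdst, rsport, rdport) = tuples
    return {
        "proto": fields[0],
        "state": fields[3] if fields[0] == "tcp" else None,  # TCP has a state column
        "orig": (osrc, int(osport), odst, int(odport)),
        "reply": (rsrc, int(rsport), rdst, int(rdport)),
        "unreplied": "[UNREPLIED]" in fields,
    }


def diagnose(table, server_port):
    """For each TCP flow to server_port, report whether DNAT/SNAT were applied and
    whether the server replied; NAT is inferred by comparing orig and reply tuples."""
    report = []
    for line in table.splitlines():
        e = parse_entry(line)
        if e is None or e["proto"] != "tcp" or e["orig"][3] != server_port:
            continue
        osrc, _, odst, _ = e["orig"]
        rsrc, _, rdst, _ = e["reply"]
        report.append({
            "client": osrc,
            "state": e["state"],
            "dnat": odst != rsrc,   # destination rewritten on the way in
            "snat": osrc != rdst,   # source rewritten: server sees BOX_A, not the client
            "replied": not e["unreplied"],
        })
    return report
```

An entry that stays SYN_SENT with "replied": False while "dnat" is True points at BOX_B dropping the SYN (rp_filter or its own filter rules), not at the translation on BOX_A.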