Hi Erik,

I am happy to look into the network namespace-based approach that you have mentioned, but before that I tried to use DNAT on my Linux box and ended up having the following error:

iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Please note that I used a kernel source version (3.19.8-ckt5+) to compile and install the iptables module using "menuconfig" (Networking support > Networking options > Network packet filtering framework (Netfilter) > IP: Netfilter Configuration > IP tables support (required for filtering/masq/NAT)).

Could you shed some light on this please?

Thanks,
Danushka

On Tue, Dec 1, 2015 at 11:24 AM, Erik Auerswald <auerswal@xxxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> On Tue, Dec 01, 2015 at 07:10:25AM -0800, Martin A. Brown wrote:
>>
>> Hello Danushka,
>>
>> >I am trying to use a Linux box as a pass-through node using rinetd
>> >as a port forwarding mechanism. I see that TOS is always zero on
>> >the egress path so that my receiver does not receive the TOS values
>> >I set on the sender.
>>
>> Do you need the TCP session to be terminated in userspace (and
>> re-initiated)? That's what's happening with rinetd. You are using
>> it as a TCP proxy. The Linux box is acting as a (TCP) receiver on
>> one side, and initiating a brand new TCP connection outbound.
>> That's why the ToS value is changing.
>>
>> Next question: When you say 'pass-through' node, I am not certain
>> what you mean. Do you want your Linux box to act like a router?
>> If so, then, that's very easy:
>>
>> sysctl -w net.ipv4.ip_forward=1
>>
>> Now, you have a router. Send packets to the ultimate destination
>> from your sender node. Make sure that you configure your routes
>> properly (maybe that's already done).
>>
>> >Is there a way to solve this issue? Maybe rinetd does not copy the
>> >values properly?
>>
>> I do not know rinetd. Perhaps somebody else does.
>>
>> >Probably there is a better/smarter way to do port forwarding (getting
>> >my Linux box to work just as a pass-through node). Please let me know
>> >if there is any other way to do that.
>>
>> How many values are you changing in the packet? Just the
>> destination port? Also the destination address?
>>
>> I'm thinking that iptables NAT may provide you a solution. Assuming
>> you are just messing with the destination address and port, you
>> should be able to use iptables DNAT. I'd suggest reading these:
>>
>> http://linux-ip.net/html/nat-dnat.html
>> https://www.frozentux.net/iptables-tutorial/chunkyhtml/x4033.html
>
> I am using the above ideas for TCP port forwarding, it is basically:
>
> - Destination NAT in the PREROUTING chain for packets going through the
>   box (ip forwarding needs to be enabled)
> - Destination NAT in the OUTPUT chain for local testing of the port
>   forwarding
> - Masquerading to have symmetric traffic flow and easier firewalling for
>   the systems the ports are forwarded to
>
> I use this to forward console server sessions to a bunch of individual
> console servers. Clients connect to the IP of the port forwarder. There a
> numbering scheme is used to easily identify the machine to connect to, and
> the TCP session is forwarded to the correct physical console server.
>
> You can leave out any parts you do not need for your use case. ;-)
>
> Anyway, for testing routing performance, I'd go with a setup using two
> interfaces on the "router" which are in different subnets, and connect one
> of those to the "receiver", the other to the "sender". IP connections from
> sender to receiver need to use the router.
>
> For testing network stuff on one machine, network namespaces come in handy.
> You can experiment with the "ip netns" command set to create virtual
> interfaces in different network namespaces that cannot communicate directly
> with each other. You can then add a router in the global namespace to
> connect them (or use VLANs and a bridge to get them to an external router).
> No need for full VMs. ;-)
>
> HTH,
> Erik
> --
> Thanks to the virtue of me personally not caring one whit about
> virtualization, I can stand back and just watch the fireworks.
> -- Linus Torvalds
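The setup the thread converges on (namespaces as sender and receiver, the global namespace as router, DNAT in PREROUTING and OUTPUT plus MASQUERADE in POSTROUTING), as an added example that is not code from any of the posters. Addresses, namespace and interface names, and the 8080 to 80 port mapping are constructed assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: a sender/router/receiver lab built
# with "ip netns", plus the three iptables NAT rules described by Erik.
# Constructed addressing (assumption): sender 10.0.1.2, router 10.0.1.1 and
# 10.0.2.1 (global namespace), receiver 10.0.2.2; clients connect to the
# router on TCP 8080 and are forwarded to the receiver on TCP 80.
# Applying the commands needs root; with DRY_RUN=1 they are only printed.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Preflight for the "Table does not exist" error quoted above: the nat table
# is only usable when iptable_nat is built into the kernel or loadable.
check_nat_table() { iptables -t nat -L -n >/dev/null 2>&1; }

# Print the NAT rules one per line so they can be reviewed before applying.
# $1 router IP clients connect to, $2 listen port, $3 target IP, $4 target port.
dnat_rules() {
    # forwarded packets: rewrite the destination before the routing decision
    echo "iptables -t nat -A PREROUTING -p tcp -d $1 --dport $2 -j DNAT --to-destination $3:$4"
    # packets generated on the router itself, for local testing
    echo "iptables -t nat -A OUTPUT -p tcp -d $1 --dport $2 -j DNAT --to-destination $3:$4"
    # POSTROUTING already sees the DNATed $3:$4; masquerade so replies return
    # via the router and the target only ever sees the router's address
    echo "iptables -t nat -A POSTROUTING -p tcp -d $3 --dport $4 -j MASQUERADE"
}

# Two namespaces hung off the global namespace, which acts as the router.
setup_topology() {
    for ns in sender receiver; do run ip netns add "$ns"; done
    run ip link add vs type veth peer name vs-r      # sender <-> router
    run ip link add vr type veth peer name vr-r      # receiver <-> router
    run ip link set vs netns sender
    run ip link set vr netns receiver
    run ip addr add 10.0.1.1/24 dev vs-r
    run ip addr add 10.0.2.1/24 dev vr-r
    run ip link set vs-r up
    run ip link set vr-r up
    run ip netns exec sender sh -c \
        'ip addr add 10.0.1.2/24 dev vs; ip link set vs up; ip route add default via 10.0.1.1'
    run ip netns exec receiver sh -c \
        'ip addr add 10.0.2.2/24 dev vr; ip link set vr up; ip route add default via 10.0.2.1'
    run sysctl -w net.ipv4.ip_forward=1      # Martin's "now you have a router"
}

apply_forwarding() {
    if [ "${DRY_RUN:-0}" != 1 ]; then
        check_nat_table || { echo "nat table unavailable: build or load iptable_nat" >&2; return 1; }
    fi
    dnat_rules 10.0.1.1 8080 10.0.2.2 80 | while read -r cmd; do run $cmd; done
}

if [ "${RUN_LAB:-0}" = 1 ]; then setup_topology && apply_forwarding; fi
```

Run as root with RUN_LAB=1, a netcat listener on port 80 inside the receiver namespace is reached by connecting from the sender namespace to 10.0.1.1:8080; because the kernel forwards the packets rather than a userspace proxy re-originating the connection, the ToS set by the sender survives to the receiver.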