RE: Does Redirect/NAT change the destination port of reverse tuple ?


-----Original Message-----
From: netfilter-devel-owner@xxxxxxxxxxxxxxx
[mailto:netfilter-devel-owner@xxxxxxxxxxxxxxx] On Behalf Of Jan Engelhardt
Sent: Friday, February 29, 2008 4:59 PM
To: Nishit Shah
Cc: netfilter-devel@xxxxxxxxxxxxxxx
Subject: Re: Does Redirect/NAT change the destination port of reverse tuple ?


On Feb 29 2008 16:19, Nishit Shah wrote:
>
>Hi,
>	I have the following iptables rule in the system.
>
>	iptables -I PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-ports 3128
>	kernel - 2.6.16.13
>
>	I am using following scenario for load testing
>
>	192.168.206.200 -----> 192.168.121.125 	-----> 	72.14.223.83
>	Client			iptables/proxy server		server
>
>	and I am getting the following entry through the conntrack binary as well as in /proc/net/ip_conntrack
>
>	[NEW] tcp 6 120 NONE src=192.168.206.200 dst=72.14.223.83 sport=63423 dport=443 packets=1 bytes=48 [UNREPLIED] src=192.168.121.125 dst=192.168.206.200 sport=3128 dport=46873 packets=0 bytes=0 id=28187887
>
>Now here original and reverse tuples are --> 
>	Original tuple 192.168.206.200:63423->72.14.223.83:443
>	Reply tuple    192.168.121.125:3128->192.168.206.200:46873
>
>So, here the destination port of the reverse tuple is 46873. Is it correct?

You could compare with the output of tcpdump to capture the
actual on-wire situation especially regarding port 46873.

In the tcpdump output I am seeing packets only with port 63423, and no packets with
port 46873. Something like:

 192.168.206.200:63423->72.14.223.83:443 Syn
 72.14.223.83:443->192.168.206.200:63423 Syn Ack
 192.168.206.200:63423->72.14.223.83:443 Ack

Also, this happens under heavy load only. Under normal conditions the destination
port of the reverse tuple doesn't change.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
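Jan's suggestion is to compare the conntrack table against what is actually on the wire. The script below is an added example (not code from the thread or from the netfilter project) that does exactly that check offline: it parses conntrack lines of the shape quoted above into original and reply tuples, flags entries whose reply tuple is not what a REDIRECT (DNAT-only) rule should produce, and cross-checks the reply dport against the client ports seen in a tcpdump-style summary. The first conntrack line and the first three wire lines are the ones from the thread; the second conntrack entry, the extra wire lines for it and the regexes are constructed here for illustration, and the redirect port 3128 comes from the quoted rule.

```python
import re

# Constructed sample input: the conntrack entry quoted in the thread, plus a
# second entry (made up here) showing what a consistent REDIRECT flow looks like.
CONNTRACK_LINES = [
    "[NEW] tcp 6 120 NONE src=192.168.206.200 dst=72.14.223.83 sport=63423 "
    "dport=443 packets=1 bytes=48 [UNREPLIED] src=192.168.121.125 "
    "dst=192.168.206.200 sport=3128 dport=46873 packets=0 bytes=0 id=28187887",
    "[NEW] tcp 6 120 NONE src=192.168.206.200 dst=72.14.223.83 sport=63424 "
    "dport=443 packets=1 bytes=48 [UNREPLIED] src=192.168.121.125 "
    "dst=192.168.206.200 sport=3128 dport=63424 packets=0 bytes=0 id=28187888",
]

# Constructed wire view, in the shape the thread uses for its tcpdump summary
# (first three lines are from the thread, the rest cover the second flow).
WIRE_LINES = [
    "192.168.206.200:63423->72.14.223.83:443 Syn",
    "72.14.223.83:443->192.168.206.200:63423 Syn Ack",
    "192.168.206.200:63423->72.14.223.83:443 Ack",
    "192.168.206.200:63424->72.14.223.83:443 Syn",
    "72.14.223.83:443->192.168.206.200:63424 Syn Ack",
]

# Assumed field layout: only src/dst/sport/dport are needed for the tuples.
TUPLE_FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")
WIRE_PKT = re.compile(r"^(\S+):(\d+)->(\S+):(\d+)")


def parse_tuples(line):
    """Split one ip_conntrack / conntrack -E line into (original, reply) dicts.

    The first src/dst/sport/dport group is the original direction, the second
    one (after [UNREPLIED] or [ASSURED]) is the reply direction.
    """
    fields = TUPLE_FIELD.findall(line)
    if len(fields) != 8:
        raise ValueError("expected two src/dst/sport/dport groups: %r" % line)
    return dict(fields[:4]), dict(fields[4:])


def redirect_reply_consistent(orig, reply, redirect_port):
    """REDIRECT rewrites only the destination side of the original tuple, so the
    reply must come from the redirect port back to the client's own address and
    source port. (Not valid for SNAT/MASQUERADE, where reply dport may differ.)"""
    return (reply["dst"] == orig["src"]
            and reply["dport"] == orig["sport"]
            and reply["sport"] == redirect_port)


def audit_conntrack(lines, redirect_port):
    """Return (id, original sport, reply dport) for every inconsistent entry."""
    bad = []
    for line in lines:
        orig, reply = parse_tuples(line)
        if not redirect_reply_consistent(orig, reply, redirect_port):
            m = re.search(r"\bid=(\d+)", line)
            bad.append((m.group(1) if m else "?", orig["sport"], reply["dport"]))
    return bad


def client_ports_on_wire(wire_lines, client_ip):
    """Collect the source ports a given client actually used on the wire."""
    ports = set()
    for line in wire_lines:
        m = WIRE_PKT.match(line)
        if m and m.group(1) == client_ip:
            ports.add(m.group(2))
    return ports


def reply_ports_missing_from_wire(lines, wire_lines):
    """Reply-tuple dports conntrack holds that never appear as a client source
    port in the capture; for the thread's entry that is 46873."""
    missing = set()
    for line in lines:
        orig, reply = parse_tuples(line)
        if reply["dport"] not in client_ports_on_wire(wire_lines, orig["src"]):
            missing.add(reply["dport"])
    return missing


if __name__ == "__main__":
    print("inconsistent entries:", audit_conntrack(CONNTRACK_LINES, "3128"))
    print("reply dports never seen on wire:",
          reply_ports_missing_from_wire(CONNTRACK_LINES, WIRE_LINES))
```

Run against a real system, the two inputs would be the lines of `/proc/net/ip_conntrack` (or `conntrack -L`) and a parsed packet capture from the client-facing interface. The consistency rule is deliberately narrow: it only holds for flows that hit a DNAT/REDIRECT rule and no source NAT, so on a box that also does MASQUERADE the audit must first filter out entries for which source rewriting is expected.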

