RE: DNAT + 2 uplinks + route = nogo

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Good idea. I will check if this works. Is the conmark retained on all packets associated with the connection?

Gaby Schilders
IBFD network admin

-----Original Message-----
From: George Vieira [mailto:georgev@xxxxxxxxxxxxxxxxxxxxxx]
Sent: woensdag 15 oktober 2003 14:23
To: Gaby Schilders; netfilter list
Cc: Ray Leach
Subject: RE: DNAT + 2 uplinks + route = nogo


The only thing I can think of is using the CONNMARK (i think that's the one)
which marks the connection track for this connection. Could he mark the
packets as the new syn comes in? Then use ROUTE in the POSTROUTING chain to
redirect to the correct -o device based on the marked connection tracking
path??? Something like (real rough) this:

# Came in on DEV eth1
-A PREROUTING -t mangle -i eth1 -m state --state NEW -p tcp --dport 80 -j
CONNMARK --set-mark 1
-A PREROUTING -t nat -i eth1 -m state --state NEW -p tcp --dport 80 -j
DNAT --to 192.168.0.1

# Came in on DEV eth2
-A PREROUTING -t mangle -i eth2 -m state --state NEW -p tcp --dport 80 -j
CONNMARK --set-mark 2
-A PREROUTING -t nat -i eth2 -m state --state NEW -p tcp --dport 80 -j
DNAT --to 192.168.0.1

Then on the way out check the marked connection and send it via ROUTE and
the proper device??? I'm not 100% sure on how that part works.....

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx]On Behalf Of Gaby Schilders
Sent: Wednesday, October 15, 2003 9:37 PM
To: netfilter list
Cc: Ray Leach
Subject: RE: DNAT + 2 uplinks + route = nogo


I had the same idea. However, the problem is discerning the packets.

A more indepth explanation of the problem (appologies to all those that know
the internals of netfilter better than I do):

- packets coming in over both lines are correctly DNATted (the rules match
and their count goes up). these packets now have a src-ip of the originating
host but the private address of the DNATted server as dst-ip and are routed
to the internal interface. So far, so good.

- the return packets for connections over both lines go to the linux box's
internal interface with the private address of the DNATted server as src-ip
and the originating host as dst-ip. How must the Linux box discern these
packets and how does it decide to send the replies through which line? Same
goes for the ROUTE target: what matching criteria would you use to discern
the packets? Both packets come from the same src (at that moment of
matching, UnDNATting is the last step of all), both have the same
destination, both have the same incoming interface (the internal interface).

The only distinctions are:
- The original incoming interface for the incoming packet that started this
connection. This information isn't currently kept in the connection-tracking
or state table.

- The original public ip-address that was targeted by the originating host
(there are two addresses, on for each uplink). This information _is_ kept in
the connection-tracking- (or state-) table. It is used to UnNAT the return
packets.

In my honest opinion, for return packets of DNAT connections, routing should
be done _after_ the packet is UnNATted. That way one can use all the
flexibility of iproute2 on these packets while still retaining the current
'view of the world' from iptables.

Alternatively, for a less flexible but workable solution, one can argue that
packets for DNATted connections should always go out on the interface the
the connection came in on. Unfortunatly, this last solution would not help
much in this case because I think it isn't possible with iptables or
iproute2 to select a route on the outgoing interface. (which is logical btw,
that is what one usually uses routing for in the first place, to find the
outgoing interface).

If I'm mistaken and iptables _does_ allow for discerning these packets
(perhaps because I misunderstood and conntrack or the state-table keep this
information after all) then I would appreciate a rule to discern the
packets.


Gaby Schilders
IBFD network admin

-----Original Message-----
From: Ray Leach [mailto:raymondl@xxxxxxxxxxxxxxxxxxxxxx]
Sent: woensdag 15 oktober 2003 12:37
To: Netfilter Mailing List
Subject: Re: DNAT + 2 uplinks + route = nogo


On Wed, 2003-10-15 at 10:23, Gaby Schilders wrote:
> I'm in real trouble here so I hope somebody is able to answer this today
(I know, my mistake in planning doesn't mean you will rush. I can try, can't
I? ;)
>
> Problem as follows:
>
> - 1 linux box with 4 interfaces. Internal (private space), DMZ (can be
ignored for this issue), 2 uplinks to different providers with different
public ranges.
> - DNAT (actually portforwarding) set up to to a few internal boxes on 1
uplink.
> - I want to do DNAT to the same internal IP-addressess over the second
link (obviously with different public ip-addressess).
> - Routing chooses the wrong uplink (gateway) for the return packets.
>
> Cause:
> DNAT is only undone at the last moment so even with iproute2's "ip rule"
trick I can't discern between connections coming in through one link or the
other for the return packets.
>
> Solution that I can think of:
> If connections are DNATted, recall the routing routing after undoing the
DNAT for the return packets. Problems with said solution: I can read C code,
but only barely, and not write it. Also, I have only a very shallow
understanding of the routing code and I'm running out of time. I don't know
if the code allows the distinction between DNAT return packets from all
other packets so that this can be done at all.
>
> Question:
> I have no idea how complex it would be to create this 'hack'. Does anyone
know of a patch that realises this feature or is someone prepared to create
such a patch? If not, whom should I ask instead?
>
You could try the P-O-M ROUTE target patch.
> Desperatly yours,
>
> Gaby Schilders
> IBFD network admin
--
--
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--





[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux