RE: "distributed router" question

Hi Silvio,

Thanks for your response. 

I still do not understand why SNATting on B to the public IP of box A would not work.
By this I mean the following:

1) Client sends packet to box A ( src: 9.10.11.12 dst: 1.2.3.4 )
2) Box A does DNAT (PREROUTING) to box B ( src: 9.10.11.12 dst: 10.0.0.2 )

Box B receives the packet and replies directly to the client:
1) Box B does SNAT (POSTROUTING) using box A WAN as source (src: 1.2.3.4 dst: 9.10.11.12)

There are two reasons why I'd like to implement it this way:

a) Reduce the load on box A so that the packets from B go directly to the
client 9.10.11.12, bypassing A.
b) The server on box B must log the IPs of all clients (i.e. log the original client IP 9.10.11.12).

Thank you,

Alec Matusis


>-----Original Message-----
>From: Silvio Fonseca [mailto:silvio@xxxxxxxxxxxxxxxx] 
>Sent: Saturday, February 24, 2007 8:18 AM
>To: netfilter@xxxxxxxxxxxxxxxxxxx
>Cc: Alec Matusis
>Subject: Re: "distributed router" question
>
>Hello Alec,
>
>In this situation you have to SNAT on box A before sending the packet to box B:
>
>1) Client sends a packet to box A ( src: 9.10.11.12 dst: 1.2.3.4 )
>2) Box A does DNAT (PREROUTING) to box B ( src: 9.10.11.12 dst: 10.0.0.2 )
>3) Box A does SNAT (POSTROUTING) using box A LAN as source ( src: 10.0.0.1 dst: 10.0.0.2 )
>
>Box B receives the packet and replies:
>
>1) Box B replies to box A ( src: 10.0.0.2 dst: 10.0.0.1 )
>2) Box A reverts the SNAT ( src: 10.0.0.2 dst: 9.10.11.12 )
>3) Box A reverts the DNAT ( src: 1.2.3.4 dst: 9.10.11.12 )
>
>Asymmetrical routing, using box A WAN to receive and box B WAN to send, won't
>work because you will need to SNAT to the public IP address of B before
>sending to the public network (source will be 5.6.7.8) while the client is
>expecting A's public address (source 1.2.3.4).
>
>Hope that helps.
>
>Silvio Fonseca
>
>> I am wondering if I am doing something legitimate, or whether it's against
>> TCP/IP (I am a physicist by education, so I do not know):
>>
>> I have box A that has one connection to the WAN and one connection to the
>> LAN. On box A, eth0 has the public IP 1.2.3.4 and eth1 has the private IP
>> 10.0.0.1.
>>
>> I have box B that also has one connection to the WAN and another one to the
>> same LAN. On B, eth0 has the public IP 5.6.7.8 and eth1 has the private IP
>> 10.0.0.2.
>>
>> I configured iptables on box A to forward packets destined for 1.2.3.4:3000
>> to the destination 10.0.0.2:3000, i.e. to box B. This part works; I
>> checked with tcpdumps.
>>
>> Now, after receiving a SYN packet via box A on eth1, box B sends an ACK
>> packet directly through its WAN interface eth0 to the client. If I do not
>> configure POSTROUTING SNAT, those ACK packets appear to originate from
>> 10.0.0.2, so they are rejected by the client.
>> My question is: if I configure SNAT on box B so that ACK packets appear to
>> come from box A (i.e. from 1.2.3.4), would this be a legitimate
>> configuration?
>>
>> In other words, a SYN packet is sent to one machine, forwarded via the LAN
>> to another machine, and the ACK packet is sent from the second machine with
>> the source IP of the first machine. For that matter, all incoming packets
>> from the client are received by A, then forwarded to B, and all response
>> packets are sent directly from B to the client. Is this a legitimate
>> configuration?
>
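The two configurations discussed in this thread (SNAT on box A as Silvio describes, and SNAT on box B as Alec proposes), traced over the TCP handshake by a small Python model of netfilter's connection-tracked NAT. This is an added example, not code from either poster. It relies on one netfilter rule of thumb: the nat table is consulted only for the first packet of a connection, and conntrack then applies the stored mapping to later packets in the same direction and its inverse to replies. The client port 40000, the absence of port mapping and the one-entry-per-connection tables are simplifications of the model, not details from the thread.

```python
# Added example, not from the thread: a small model of netfilter's conntrack-
# driven NAT, used to trace the addresses at each hop of the two-box setup.
# Assumptions: client port 40000 and server port 3000; no port mapping; no
# conntrack timeouts; one connection at a time.
from dataclasses import dataclass, replace
from typing import Callable, List, Sequence, Tuple

CLIENT, A_WAN, A_LAN, B_LAN = "9.10.11.12", "1.2.3.4", "10.0.0.1", "10.0.0.2"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""

    def tuple(self) -> Tuple[str, int, str, int]:
        return (self.src, self.sport, self.dst, self.dport)


def invert(t: Tuple[str, int, str, int]) -> Tuple[str, int, str, int]:
    """The reply direction of a connection tuple: swap the two endpoints."""
    src, sport, dst, dport = t
    return (dst, dport, src, sport)


# A nat rule is (match, address). The address replaces the destination (DNAT,
# nat PREROUTING) or the source (SNAT, nat POSTROUTING) of a connection's
# first packet; conntrack then applies the same mapping to the rest of it.
Rule = Tuple[Callable[[Packet], bool], str]


class NatBox:
    def __init__(self, name: str, dnat: Sequence[Rule] = (), snat: Sequence[Rule] = ()):
        self.name = name
        self.dnat, self.snat = list(dnat), list(snat)
        # conntrack entries: (tuple as received, tuple after NAT)
        self.conntrack: List[Tuple[tuple, tuple]] = []

    def process(self, pkt: Packet, forwarded: bool = True) -> Packet:
        t = pkt.tuple()
        for orig, nated in self.conntrack:
            if t == orig:              # original direction: replay the mapping
                return replace(pkt, src=nated[0], dst=nated[2])
            if t == invert(nated):     # reply direction: undo the mapping
                return replace(pkt, src=orig[2], dst=orig[0])
        # First packet of a new connection: the only time the nat table is read.
        dst = next((addr for match, addr in self.dnat if match(pkt)), pkt.dst)
        after_dnat = replace(pkt, dst=dst)
        src = pkt.src
        if forwarded:  # a packet delivered to a local socket never traverses POSTROUTING
            src = next((addr for match, addr in self.snat if match(after_dnat)), pkt.src)
        out = replace(after_dnat, src=src)
        self.conntrack.append((t, out.tuple()))
        return out

    def local_reply(self, received: Packet, flags: str) -> Packet:
        """A socket on this box answers the peer it saw; the reply then goes
        through this box's own conntrack/NAT on the way out."""
        reply = Packet(received.dst, received.dport, received.src, received.sport, flags)
        return self.process(reply)


def silvio_setup() -> Tuple[NatBox, NatBox]:
    """Box A: DNAT 1.2.3.4:3000 -> 10.0.0.2 in PREROUTING and SNAT to 10.0.0.1
    in POSTROUTING for what it forwards to B. Box B: plain server, no NAT."""
    box_a = NatBox("A",
                   dnat=[(lambda p: p.dst == A_WAN and p.dport == 3000, B_LAN)],
                   snat=[(lambda p: p.dst == B_LAN, A_LAN)])
    return box_a, NatBox("B")


def alec_setup() -> Tuple[NatBox, NatBox]:
    """Box A: DNAT only. Box B: a POSTROUTING SNAT rule meant to stamp 1.2.3.4
    on the packets it sends to the client over its own WAN interface."""
    box_a = NatBox("A", dnat=[(lambda p: p.dst == A_WAN and p.dport == 3000, B_LAN)])
    box_b = NatBox("B", snat=[(lambda p: p.src == B_LAN and p.dst == CLIENT, A_WAN)])
    return box_a, box_b


def client_accepts(pkt: Packet) -> bool:
    """The client's socket only matches a reply from the address it connected to."""
    return pkt.tuple() == (A_WAN, 3000, CLIENT, 40000)


def trace_handshake(box_a: NatBox, box_b: NatBox, reply_via_a: bool) -> dict:
    syn = Packet(CLIENT, 40000, A_WAN, 3000, "SYN")
    to_b = box_a.process(syn)                      # A forwards over the LAN
    at_b = box_b.process(to_b, forwarded=False)    # delivered to B's socket
    synack = box_b.local_reply(at_b, "SYN-ACK")    # B answers the peer it saw
    to_client = box_a.process(synack) if reply_via_a else synack
    ack = box_a.process(Packet(CLIENT, 40000, A_WAN, 3000, "ACK"))
    return {"to_b": to_b, "at_b": at_b, "synack": synack,
            "to_client": to_client, "ack": ack}


if __name__ == "__main__":
    for name, setup, via_a in (("Silvio", silvio_setup, True), ("Alec", alec_setup, False)):
        t = trace_handshake(*setup(), reply_via_a=via_a)
        print(f"{name}: B's socket sees peer {t['at_b'].src}; client gets SYN-ACK from "
              f"{t['to_client'].src}, accepted={client_accepts(t['to_client'])}")
```

With Silvio's rules the trace shows B's socket seeing 10.0.0.1 as its peer (the trade-off behind Alec's point b) and the client receiving its SYN-ACK from 1.2.3.4:3000 after A undoes both translations. In the SNAT-on-B variant, B's socket does see 9.10.11.12, but its SYN-ACK leaves with source 10.0.0.2, the same symptom Alec reported in his first mail: the reply belongs to the reply direction of the conntrack entry created by the incoming SYN, so the nat table is not consulted for it and the POSTROUTING SNAT rule never gets to rewrite it.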
