Problem with DNAT of UDP packets getting undone

I've got a DNS server running Redhat EL 3.0 AS on a private network behind a load balancer.  UDP queries are supposed to come into the load balancer on an internet routable VIP and be sent to the DNS servers on the private network.  The DNS servers are supposed to send their responses directly to the client via an internet connection that is not behind the load balancer.

Unfortunately, the load balancer is sending the query packets to the DNS server with the destination IP address set to its private network address.  In order to get the responses to appear to come from the load balancer's VIP, I have configured the VIP address on the DNS server's loopback device as a /32 address.  I put a rule in the nat table PREROUTING chain to do a DNAT on the incoming packets so that they would appear to be destined for the VIP rather than the private network.  That way, when DNS sent the response packet it would automatically come from the VIP address.

Unfortunately, this just doesn't quite work.  I've added logging rules to the mangle PREROUTING and the INPUT and FORWARD chains so that I can make sure the DNAT is happening.  It is.  As far as packets going into the server everything is according to plan.  I also added logging rules to all the OUTPUT and POSTROUTING chains, and here's where things get strange.  I see the response packet generated by the DNS software in the mangle and filter OUTPUT chains as well as the mangle POSTROUTING chain.  In all cases it has the desired VIP source IP.  But for some reason, I don't see it in the nat OUTPUT or POSTROUTING chains.  I don't really understand that at all.

But the real problem is that when the packet exits the server (as verified by tcpdump), the source IP has been changed back to the private network IP.  How and why is that happening, and is there any way to accomplish what I'm attempting? Thanks.
Roy
---
Roy Mongiovi     Senior Member Technical Staff    AT&T Labs, Inc.
       roy.mongiovi@xxxxxxx                            4A70
Tough are the souls that tread the knife's edge     575 Morosgo Drive
       Jethro Tull - "Passion Play"                     Atlanta, GA 30324 
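The behaviour described above (the reply shows the VIP as source in the mangle and filter chains, is never seen by the nat OUTPUT or POSTROUTING rule chains, and leaves the box with the private address as source) is how netfilter connection tracking applies a DNAT mapping: the nat table's rule chains are consulted only for the first packet of a flow, and every later packet, replies included, gets the stored mapping applied directly in the NAT hooks. For a DNAT'd flow that means the reply's source address is translated back to the original destination in the nat POSTROUTING hook, which runs after the mangle POSTROUTING hook, so a LOG rule in mangle still sees the VIP while tcpdump sees the private address. The following toy model of that mechanism is an added example, not code from the original post, and all addresses (client 198.51.100.7, VIP 203.0.113.10, private 10.0.0.5) and the port numbers are constructed values.

```python
"""Toy model of netfilter conntrack + NAT reversal for a DNAT'd UDP flow.
Added example, not part of the original mailing list post.  The IP
addresses and ports are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A flow tuple in the order (src_ip, src_port, dst_ip, dst_port).
Tuple4 = Tuple[str, int, str, int]

# Constructed addresses: the DNS client, the load balancer VIP that is also
# configured on the server's loopback, and the server's private address.
CLIENT, VIP, PRIVATE = "198.51.100.7", "203.0.113.10", "10.0.0.5"


def invert(t: Tuple4) -> Tuple4:
    """Swap endpoints: the tuple a reply to packet t would carry."""
    src_ip, sport, dst_ip, dport = t
    return (dst_ip, dport, src_ip, sport)


@dataclass
class Entry:
    original: Tuple4  # packet as first seen entering PREROUTING (before NAT)
    reply: Tuple4     # expected reply tuple: inverse of the NAT-translated packet


@dataclass
class Conntrack:
    entries: List[Entry] = field(default_factory=list)

    def lookup(self, t: Tuple4) -> Tuple[Optional[Entry], str]:
        """Classify a packet as NEW, ORIGINAL direction or REPLY direction."""
        for e in self.entries:
            if t == e.original:
                return e, "ORIGINAL"
            if t == e.reply:
                return e, "REPLY"
        return None, "NEW"


def dnat_rule(t: Tuple4) -> Tuple4:
    """Models: iptables -t nat -A PREROUTING -d PRIVATE -p udp --dport 53 -j DNAT --to VIP"""
    src_ip, sport, dst_ip, dport = t
    if dst_ip == PRIVATE and dport == 53:
        return (src_ip, sport, VIP, dport)
    return t


def inbound_query(ct: Conntrack, pkt: Tuple4) -> Dict[str, object]:
    """PREROUTING: only a NEW flow traverses the nat rule chain; the result
    is stored in the conntrack entry and reused for every later packet."""
    trace: Dict[str, object] = {}
    entry, direction = ct.lookup(pkt)
    trace["prerouting_state"] = direction
    if direction == "NEW":
        translated = dnat_rule(pkt)
        ct.entries.append(Entry(original=pkt, reply=invert(translated)))
        pkt = translated
    elif entry is not None:
        pkt = invert(entry.reply)  # stored mapping, nat rules not consulted
    trace["delivered_to_input"] = pkt
    return trace


def outbound_reply(ct: Conntrack, pkt: Tuple4) -> Dict[str, object]:
    """OUTPUT/POSTROUTING for the locally generated DNS answer."""
    trace: Dict[str, object] = {}
    entry, direction = ct.lookup(pkt)
    trace["output_state"] = direction
    # nat OUTPUT/POSTROUTING rule chains (and any LOG rules in them) run only
    # for NEW flows, so a reply packet is never seen there.
    trace["nat_rules_evaluated"] = direction == "NEW"
    # mangle POSTROUTING (hook priority -150) sees the packet untouched.
    trace["mangle_postrouting_src"] = pkt[0]
    if direction == "REPLY" and entry is not None:
        # nat POSTROUTING hook (priority 100) applies the stored reverse
        # mapping: the reply source becomes the pre-DNAT destination.
        pkt = invert(entry.original)
    trace["on_wire"] = pkt
    return trace


def simulate(query_dst: str) -> Tuple[Dict[str, object], Dict[str, object]]:
    """One query to query_dst:53 and the answer named sends from the VIP."""
    ct = Conntrack()
    inbound = inbound_query(ct, (CLIENT, 53000, query_dst, 53))
    delivered = inbound["delivered_to_input"]
    assert isinstance(delivered, tuple)
    reply = invert(delivered)  # socket bound to the VIP answers from the VIP
    outbound = outbound_reply(ct, reply)
    return inbound, outbound


if __name__ == "__main__":
    for dst in (PRIVATE, VIP):
        inb, outb = simulate(dst)
        print(f"query to {dst}: reply on wire from {outb['on_wire'][0]}")
```

Running it with the query addressed to the private IP (the DNAT'd case from the post) shows the reply leaving with source 10.0.0.5 even though mangle POSTROUTING logged 203.0.113.10; the second run, with the query addressed to the VIP directly so the DNAT rule does not match, shows the reply keeping the VIP source, which isolates the stored DNAT mapping as the cause of the rewrite.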
