Re: Problem with DNAT of UDP packets getting undone

<quote from="Mongiovi, Roy">
> I've got a DNS server running Redhat EL 3.0 AS on a private network behind
> a load balancer.  UDP queries are supposed to come into the load balancer
> on an internet routable VIP and be sent to the DNS servers on the private
> network.  The DNS servers are supposed to send their responses directly to
> the client via an internet connection that is not behind the load
> balancer.
>
> Unfortunately, the load balancer is sending the query packets to the DNS
> server with the destination IP address set to its private network
> address.  In order to get the responses to appear to come from the load
> balancer's VIP, I have configured the VIP address on the DNS server's
> loopback device as a /32 address.  I put a rule in the nat table
> PREROUTING chain to do a DNAT on the incoming packets so that they would
> appear to be destined for the VIP rather than the private network.  That
> way, when DNS sent the response packet it would automatically come from
> the VIP address.
>
> Unfortunately, this just doesn't quite work.  I've added logging rules to
> the mangle PREROUTING and the INPUT and FORWARD chains so that I can make
> sure the DNAT is happening.  It is.  As far as packets going into the
> server everything is according to plan.  I also added logging rules to all
> the OUTPUT and POSTROUTING chains, and here's where things get strange.  I
> see the response packet generated by the DNS software in the mangle and
> filter OUTPUT chains as well as the mangle POSTROUTING chain.  In all
> cases it has the desired VIP source IP.  But for some reason, I don't see
> it in the nat OUTPUT or POSTROUTING chains.  I don't really understand
> that at all.
>
> But the real problem is that when the packet exits the server (as verified
> by tcpdump), the source IP has been changed back to the private network
> IP.  How and why is that happening, and is there any way to accomplish
> what I'm attempting? Thanks.

This is expected. A nat mapping is set up on the first packet of a
"connection" and a reverse NAT is done automagically on all return
packets. Exactly what you are seeing.

This cannot easily be solved with current Linux kernels. Current kernels
only do connection oriented NAT. You could insert a Cisco device or
something similar to do the kind of NAT you require.

But......, the loadbalancer does DNAT, so it should do the corresponding
SNAT on the return packets. If it does not do this, it is seriously
broken, imnsho.

HTH,
M4
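To make the mechanism M4 describes concrete, here is an added example that is not part of the thread and is not kernel code: a small Python model of connection-tracked NAT. The first packet of a flow consults the DNAT rule set and records an original tuple and an expected reply tuple; any later packet that matches the reply tuple is translated back without the nat table being consulted at all, which is why Roy's reply shows up with the VIP source in the mangle and filter OUTPUT chains but never in the nat chains, and leaves the box with the private address. The addresses are constructed from the RFC 5737 documentation ranges, and `ConntrackNat`, `prerouting` and `local_out` are names invented for this model.

```python
from dataclasses import dataclass, replace
from typing import Dict, Tuple

# Added example: a simplified model of netfilter's connection-tracked NAT.
# Not kernel code; it only reproduces the first-packet mapping and the
# automatic reverse translation described in the reply above.


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# (proto, src ip, src port, dst ip, dst port), the 5-tuple conntrack keys on.
FlowTuple = Tuple[str, str, int, str, int]


def flow_tuple(pkt: Packet) -> FlowTuple:
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def reverse_tuple(t: FlowTuple) -> FlowTuple:
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class ConntrackNat:
    """One connection-tracking table plus a DNAT rule set for nat PREROUTING."""

    def __init__(self, dnat_rules: Dict[Tuple[str, int], str]):
        # (original dst ip, dst port) -> new dst ip, i.e. "-j DNAT --to-destination"
        self.dnat_rules = dnat_rules
        # original-direction tuple -> the reply tuple conntrack expects to see
        self.orig_to_reply: Dict[FlowTuple, FlowTuple] = {}
        # expected reply tuple -> original-direction tuple
        self.reply_to_orig: Dict[FlowTuple, FlowTuple] = {}

    def prerouting(self, pkt: Packet) -> Packet:
        """Packet arriving on an interface (PREROUTING)."""
        t = flow_tuple(pkt)
        if t in self.orig_to_reply:
            # Known connection: reuse the stored mapping; nat table not consulted.
            reply = self.orig_to_reply[t]
            return replace(pkt, dst=reply[1], dport=reply[2])
        # First packet of a new connection: nat PREROUTING is evaluated once.
        new_dst = self.dnat_rules.get((pkt.dst, pkt.dport))
        translated = replace(pkt, dst=new_dst) if new_dst else pkt
        reply = reverse_tuple(flow_tuple(translated))
        self.orig_to_reply[t] = reply
        self.reply_to_orig[reply] = t
        return translated

    def local_out(self, pkt: Packet) -> Packet:
        """Locally generated packet on its way out (OUTPUT / POSTROUTING)."""
        t = flow_tuple(pkt)
        orig = self.reply_to_orig.get(t)
        if orig is None:
            # New connection: nat OUTPUT/POSTROUTING would run here (not modelled).
            return pkt
        # Reply to a tracked DNAT connection: conntrack undoes the translation so
        # the source matches what the original sender addressed. No nat rule runs,
        # so the packet never appears in the nat OUTPUT or POSTROUTING chains.
        return replace(pkt, src=orig[3], sport=orig[4], dst=orig[1], dport=orig[2])


# Constructed addresses (RFC 5737 / RFC 1918 ranges), not from the thread.
CLIENT = "198.51.100.7"   # internet client sending the query
VIP = "203.0.113.10"      # load balancer's public VIP, also on lo as a /32
PRIVATE = "10.0.0.5"      # DNS server's private-network address


def simulate_query_and_reply() -> Tuple[Packet, Packet, Packet]:
    """Return (query as named sees it, reply as named sends it, reply on the wire)."""
    ct = ConntrackNat({(PRIVATE, 53): VIP})
    # Query as delivered by the load balancer: destination is the private address.
    query_in = Packet("udp", CLIENT, 40000, PRIVATE, 53)
    query_seen_by_named = ct.prerouting(query_in)      # dst rewritten to the VIP
    # named answers from the VIP, which is what the mangle/filter OUTPUT logs show.
    reply_from_named = Packet("udp", VIP, 53, CLIENT, 40000)
    reply_on_wire = ct.local_out(reply_from_named)     # src reverted to PRIVATE
    return query_seen_by_named, reply_from_named, reply_on_wire


if __name__ == "__main__":
    for label, p in zip(("in", "named out", "wire"), simulate_query_and_reply()):
        print(f"{label:>9}: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

On a real host the two dictionaries correspond to the original and reply halves of each line that `conntrack -L` (from conntrack-tools) prints; seeing an entry whose reply side carries the VIP as source is the direct confirmation that the reverse mapping, not a missing rule, is what rewrites the outgoing packet.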
