Re: Howto DNAT/SNAT existing TCP session (no SYN, only PUSH/ACK)

On Wednesday 2010-08-11 16:01, Norbert van Bolhuis wrote:
>
> We have a system that looks internally like this:
>
>    eLAN
>      |
>      |
>    --------------
>    | ETH-switch |
>    --------------
>     |p1        |p2
>     |          |
> --------      --------
> |HOST_1|------|HOST_2|
> -------- iLAN --------
>   ]
> ........
> . APPs .
> ........
>
>On HOST_2 the below rule takes care of this:
>iptables -t nat -A PREROUTING -d <eLAN-IP-addr> ! -i iLAN -j DNAT
>--to-destination <iLAN-HOST_1-IP-addr>
>
>Let's say HOST_2 is active and an ESTABLISHED TCP communication is present
>between a system on the eLAN and an APP.

k,

>(of course for HOST_1 the TCP connection will be administrated as
>iLAN-HOST_1-IP-addr/port<-->eLAN-system-IP-addr/port)

What? "pcap language please."


>If the ETH-switch
>rapidly makes p1/HOST_1 active, is it possible to make sure outgoing TCP data
>(that is sent by the APP/HOST_1) is somehow source NAT'ed ?

You have ipt_SNAT at your disposal.

>I ask this because currently the outgoing data (to the system on the eLAN
>carries src-ip=iLAN-HOST_1-IP-addr while I want it to be eLAN-IP-addr.
>
>Anybody know why (TCP of) HOST_1 sends a ReSeT in this case ?

You probably evoked a problem similar to
http://jengelh.medozas.de/images/dnat-mistake.png
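A simplified model of the stateful NAT behaviour this exchange hinges on, as an added example that is not part of the thread: it replays the failover from the quoted description (SYN seen by HOST_2, later PSH/ACK landing on HOST_1) and shows why HOST_1 answers with a reset and why its reply still carries the iLAN source. All addresses are constructed placeholders, and conntrack is modelled under the assumption that the NAT mapping is decided on the first packet of a flow and that no state is shared between the two hosts.

```python
# Added example, not from the thread: a simplified conntrack-style NAT model used
# to replay the switch failover described above. Addresses are constructed
# placeholders; the real kernel behaviour has more knobs than this.
ELAN_IP = "192.0.2.10"        # address the eLAN client talks to
HOST1_ILAN_IP = "10.0.0.1"    # where the APP socket actually lives (iLAN side)
CLIENT = ("198.51.100.5", 40000)
APP_PORT = 8080


class NatHost:
    """A host running conntrack plus an optional PREROUTING DNAT rule."""

    def __init__(self, name, dnat_to=None, sockets=()):
        self.name, self.dnat_to = name, dnat_to
        self.conntrack = {}          # original 4-tuple -> translated destination
        self.sockets = set(sockets)  # (ip, port) pairs with an ESTABLISHED socket

    def prerouting(self, pkt):
        """Assumption: the NAT decision is taken on the first packet conntrack sees
        for a flow (the SYN) and recorded; later packets reuse that mapping."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.conntrack and "SYN" in pkt["flags"] \
                and self.dnat_to and pkt["dst"] == ELAN_IP:
            self.conntrack[key] = self.dnat_to
        return dict(pkt, dst=self.conntrack.get(key, pkt["dst"]))

    def deliver(self, pkt):
        """Local TCP stack: a segment for a tuple no socket owns is answered with RST."""
        return "ACCEPT" if (pkt["dst"], pkt["dport"]) in self.sockets else "RST"

    def postrouting(self, pkt):
        """Replies get their source rewritten back to ELAN_IP only when the flow's
        conntrack entry exists; otherwise they leave with the iLAN source address."""
        for (src, sport, dst, dport), xlated in self.conntrack.items():
            if (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) == (src, sport, xlated, dport):
                return dict(pkt, src=dst)
        return pkt


def replay_failover():
    """Returns HOST_1's verdict on a mid-stream PSH/ACK after the failover and the
    source address of the APP's reply before (via HOST_2) and after (via HOST_1)."""
    host2 = NatHost("HOST_2", dnat_to=HOST1_ILAN_IP)
    host1 = NatHost("HOST_1", sockets={(HOST1_ILAN_IP, APP_PORT)})
    flow = {"src": CLIENT[0], "sport": CLIENT[1], "dst": ELAN_IP, "dport": APP_PORT}
    syn_fwd = host2.prerouting(dict(flow, flags={"SYN"}))   # p2 active: DNAT, forward over iLAN
    assert host1.deliver(syn_fwd) == "ACCEPT"
    reply = {"src": HOST1_ILAN_IP, "sport": APP_PORT, "dst": CLIENT[0], "dport": CLIENT[1]}
    src_via_host2 = host2.postrouting(reply)["src"]          # un-DNATed back to ELAN_IP
    pshack = host1.prerouting(dict(flow, flags={"PSH", "ACK"}))  # p1 active: no state on HOST_1
    verdict = host1.deliver(pshack)                           # dst still ELAN_IP, no socket: RST
    src_via_host1 = host1.postrouting(reply)["src"]          # no entry: stays HOST1_ILAN_IP
    return verdict, src_via_host2, src_via_host1
```

Running `replay_failover()` gives `("RST", ELAN_IP, HOST1_ILAN_IP)`, which is exactly the pair of symptoms in the quoted report: the reset from HOST_1 and the reply sourced from the iLAN address.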

