Re: How does iptables NAT handle IPsec ESP with NAT-T UDP header ?

On 23/07/2016 at 20:55, Guy German wrote:
> I will try to clarify the problem with a specific example. I will use 2 flows but there are 4 actually.
> The device public IP in this example is 10.0.0.101 so the setup is like the following:
>
> Private domain                Public domain
>
> 2.1.1.1---+                              +----------- 10.0.0.1
>           +-------NAT--> 10.0.0.101 -----+
> 2.1.2.1---+                              +----------- 10.0.0.2
>
> Incoming flow1 (from private network, before NAT) has the following header:
> Src IP: 2.1.1.1 (private)
> Dst IP: 10.0.0.1 (public)
> UDP src port: 4500
> UDP dst port: 4500
> ESP SPI: 33F5A570
>
> Incoming flow2 (from private network, before NAT) has the following header:
> Src IP: 2.1.2.1 (private)
> Dst IP: 10.0.0.2 (public)
> UDP src port: 4500
> UDP dst port: 4500
> ESP SPI: 9B417632
>
> Now, the SNAT is performed (I'm currently not sure what is used exactly as src identifier), so both packets go out with (public) IP 10.0.0.101.
> However, after NAT, both UDP ports (src & dst) remain 4500.

As expected. No need to alter source ports in this situation.

> The incoming packets from the opposite direction (from the public nodes towards the NAT device) are as follows (as the outgoing packets had both UDP ports 4500, so do the packets in the opposite direction):
>
> Incoming flow1 (from public network) has the following header:
> Src IP: 10.0.0.1 (public)
> Dst IP: 10.0.0.101 (public)
> UDP src port: 4500
> UDP dst port: 4500
> ESP SPI: 33F5A570
>
> Incoming flow2 (from public network) has the following header:
> Src IP: 10.0.0.2 (public)
> Dst IP: 10.0.0.101 (public)
> UDP src port: 4500
> UDP dst port: 4500
> ESP SPI: 9B417632
>
> The thing is that iptables performs (somehow) the DNAT correctly and the tunnels do work (we can ping from side to side).

Of course it does work. Why wouldn't it ?

> So internally, after NAT, the packets are as follows:
>
> Incoming flow1 (from public network, after NAT) has the following header:
> Src IP: 10.0.0.1 (public)
> Dst IP: 2.1.1.1 (private)
> UDP src port: 4500
> UDP dst port: 4500
> ESP SPI: 33F5A570
>
> Incoming flow2 (from public network, after NAT) has the following header:
> Src IP: 10.0.0.2 (public)
> Dst IP: 2.1.2.1 (private)
> UDP src port: 4500
> UDP dst port: 4500
> ESP SPI: 9B417632
>
> If both UDP ports are 4500, how did iptables distinguish between the packets and know which private IP to assign to each packet?

The connection tracking records original and reply source and destination addresses and ports in order to be able to match packets with registered flows. See my previous reply to display what is recorded about each registered flow.

In your example, the destination address of each flow is different. When a reply packet comes from 10.0.0.1, conntrack knows it must be forwarded to 2.1.1.1. When a reply packet comes from 10.0.0.2, conntrack knows it must be forwarded to 2.1.2.1.
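To make the conntrack behaviour described above concrete, here is a small model of how a connection-tracking table pairs the thread's two NAT-T flows with their replies. This is an added illustration written for this archive page; it is not netfilter code and not code posted by either participant. It deliberately simplifies nf_conntrack/nf_nat: flows are keyed only on the UDP 5-tuple (the ESP SPI inside the UDP payload is never consulted, which is exactly why it does not matter that both flows use 4500/4500), and when a new flow's reply tuple would collide with an existing one the model simply bumps the source port, whereas nf_nat searches a port range. The third flow (2.1.3.1 talking to the same peer 10.0.0.1) is a constructed case that goes beyond the thread, to show when a port rewrite does become necessary.

```python
"""Simplified model of netfilter conntrack + SNAT for UDP-encapsulated ESP (NAT-T).

Added example, not netfilter's own code. Flows are identified by the UDP
5-tuple only; the ESP SPI is payload and is never looked at.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (protocol, src ip, src port, dst ip, dst port)
Tuple5 = Tuple[str, str, int, str, int]


@dataclass
class ConntrackEntry:
    original: Tuple5  # tuple of the first packet, as seen before SNAT
    reply: Tuple5     # tuple a reply from the public side is expected to carry


def reverse(t: Tuple5) -> Tuple5:
    """Swap source and destination of a 5-tuple."""
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class Snat:
    """Source NAT to one public address, with conntrack-style state."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.by_original: Dict[Tuple5, ConntrackEntry] = {}
        self.by_reply: Dict[Tuple5, ConntrackEntry] = {}

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Tuple5:
        """Translate a packet leaving the private side; returns the post-NAT tuple."""
        orig = (proto, src, sport, dst, dport)
        entry = self.by_original.get(orig)
        if entry is None:
            # Keep the original source port as long as the resulting reply tuple is
            # still unique. Only on a collision (same peer, same ports from another
            # private host) does the source port have to change. Simplification:
            # nf_nat picks from a range; here we just increment.
            chosen = sport
            while reverse((proto, self.public_ip, chosen, dst, dport)) in self.by_reply:
                chosen += 1
            translated = (proto, self.public_ip, chosen, dst, dport)
            entry = ConntrackEntry(original=orig, reply=reverse(translated))
            self.by_original[orig] = entry
            self.by_reply[entry.reply] = entry
        return reverse(entry.reply)

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[Tuple5]:
        """Translate a packet arriving from the public side.

        Returns the de-NATed tuple, or None when no flow matches (conntrack would
        mark the packet INVALID/NEW rather than reverse-translate it).
        """
        entry = self.by_reply.get((proto, src, sport, dst, dport))
        if entry is None:
            return None
        # The reply is delivered to the original source: swap the original tuple.
        return reverse(entry.original)


def thread_example():
    """Replay the two flows from the thread, plus one constructed collision case."""
    nat = Snat("10.0.0.101")
    out1 = nat.outbound("udp", "2.1.1.1", 4500, "10.0.0.1", 4500)
    out2 = nat.outbound("udp", "2.1.2.1", 4500, "10.0.0.2", 4500)
    # Replies from the two peers: identical ports, but different source addresses,
    # so the reply-tuple lookup finds different entries.
    in1 = nat.inbound("udp", "10.0.0.1", 4500, "10.0.0.101", 4500)
    in2 = nat.inbound("udp", "10.0.0.2", 4500, "10.0.0.101", 4500)
    # Constructed case (not in the thread): a third private host to the SAME peer.
    # Its reply tuple would collide with flow1, so the source port is rewritten.
    out3 = nat.outbound("udp", "2.1.3.1", 4500, "10.0.0.1", 4500)
    # A packet from an unknown peer matches no flow.
    unknown = nat.inbound("udp", "10.0.0.9", 4500, "10.0.0.101", 4500)
    return out1, out2, in1, in2, out3, unknown


if __name__ == "__main__":
    for name, t in zip(("out1", "out2", "in1", "in2", "out3", "unknown"), thread_example()):
        print(f"{name}: {t}")
```

Reading the output: `out1`/`out2` leave the public side with source 10.0.0.101:4500, `in1` maps back to 2.1.1.1 and `in2` to 2.1.2.1 purely because the reply packets have different source addresses, and `out3` is the only flow that gets a rewritten source port (4501 here), which matches the reply above: with distinct peers, no port alteration is needed.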