Le 23/07/2016 à 20:55, Guy German a écrit :
I will try to clarify the problem with a specific example. I will use 2 flows but there are 4 actually.
The device public IP in this example is 10.0.0.101 so the setup is like the following:
Private domain Public domain
2.1.1.1---+ +----------- 10.0.0.1
+-------NAT--> 10.0.0.101 ----------+
2.1.2.1---+ +----------- 10.0.0.2
Incoming flow1 (from private network, before NAT) has following header:
Src-IP: 2.1.1.1 (private)
Dst IP: 10.0.0.1 (public)
UDP src port: 4500
UDP dst port: 4500
ESP SPI: 33F5A570
Incoming flow2 (from private network, before NAT) has following header:
Src-IP: 2.1.2.1 (private)
Dst IP: 10.0.0.2 (public)
UDP src port: 4500
UDP dst port: 4500
ESP SPI: 9B417632
Now, the SNAT is performed (I'm currently not sure what is used exactly as src identifier), so both packets go out with (public) IP 10.0.0.101.
However, after NAT, both UDP ports (drc & dst) remain 4500.
As expected. No need to alter source ports in this situation.
The incoming packets from opposite direction (from public nodes towards NAT device) is as follows (as outgoing packets had both UDP ports 4500, so are the packets in opposite direction):
Incoming flow1 (from public network) has following header:
Src-IP: 10.0.0.1 (public)
Dst IP: 10.0.0.101 (public)
UDP src port: 4500
UDP dst port: 4500
ESP SPI: 33F5A570
Incoming flow2 (from public network) has following header:
Src-IP: 10.0.0.2 (public)
Dst IP: 10.0.0.101 (public)
UDP src port: 4500
UDP dst port: 4500
ESP SPI: 9B417632
The thing is, that the iptables performs (somehow) the DNAT correctly and the tunnels do work (we can ping from side to side).
Of course it does work. Why wouldn't it ?
So internally after NAT, the packets are as follows:
Incoming flow1 (from public network, after NAT) has following header:
Src-IP: 10.0.0.1 (public)
Dst IP: 2.1.1.1 (private)
UDP src port: 4500
UDP dst port: 4500
ESP SPI: 33F5A570
Incoming flow2 (from public network, after NAT) has following header:
Src-IP: 10.0.0.2 (public)
Dst IP: 2.1.2.1 (private)
UDP src port: 4500
UDP dst port: 4500
ESP SPI: 9B417632
If both UDP ports are 4500, how did iptables distinguish between the packets and knew which private IP to assign to each packet ?
The connection tracking records original and reply source and
destination addresses and ports in order to be able to match packets
with registered flows. See my previous reply to display what is recorded
about each registered flow.
In your example, the destination address of each flow is different. When
a reply packet comes from 10.0.0.1, conntrack knows it must be forwarded
to 2.1.1.1.
When a reply packet comes from 10.0.0.2, conntrack knows it must be
forwarded to 2.1.2.1.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
