All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Øyvind Kaurstad" <oyvind@dynator.no>
To: netfilter@vger.kernel.org
Subject: Full NAT forward and source routing - possible without packet marking?
Date: Fri, 30 Jun 2017 15:55:25 +0200	[thread overview]
Message-ID: <1363a246-966e-59fc-7d5a-efaf12aa6b51@dynator.no> (raw)

Hi,

Here's a quick rundown of the setup in question:

I have a device (kernel 4.1.6) with multiple interfaces, and I want to 
forward outside traffic coming into one interface, and have it exit a 
different interface. The reply (return traffic) should go in the exact 
opposite direction.

To do this, I am using DNAT and SNAT (masquerading), configured with 
nftables (v0.5 for now, will update at some point in the future). 
rp-filtering is turned off for all interfaces.

The device has three interfaces (eth0, eth1 and ppp0). The traffic in 
question first enters ppp0 (from the internet) with the ppp0 address as 
the destination. The source address can be anything, and not known in 
advance.

Then I have a DNAT-rule to translate the destination address to a device 
which is behind eth1 (so packet will just be forwarded). I also have 
masquerading enabled, so the source address is also rewritten when it 
exits eth1.

The reply packet then comes back at eth1, with a destination address 
that is eth1's address, and a source address that belongs to the 
replying device.

Now the packet will need to have both the source and destination 
addresses changed, reversing both SNAT/masquerading and DNAT, and then 
sent back out ppp0.

All the packet addresses are correctly rewritten (as expected) so that 
the final packet has a destination address of the initial internet 
client and a source address of my ppp0 interface, but the problem is 
that the packet exits out eth0 (which is the default route) and is then 
lost.

My first attempt at fixing this was to add a new default route out ppp0 
in a separate table, and then adding a rule to trigger this whenever the 
source address was that of the ppp0 interface (which is indeed the 
source address in the final packet). However, this rule does not 
trigger, because as far as I can tell, the routing decision is made 
before the DNAT is reversed, and at that point the source address of the 
packet is still the address of the replying device. For traffic directed 
at the router itself, this rule works, and ensures that replies go back 
out the ppp0 interface.

Since I don't know anything about the client's address, I can't add any 
explicit routes to it, hence I wanted it to be source routed.

Which brings me to the question in the subject, is it even possible to 
have this work without using the features of marking the connection and 
then mark the return packets and have a routing rule for it? I've tested 
this, and I can get that to work, but if there is a way to have the 
source routing work without doing that, I'd like to know.

If anyone would care to comment on this I'd be grateful, and if 
necessary I can of course give some specific examples of my config and 
sample packet flows.


             reply	other threads:[~2017-06-30 13:55 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-30 13:55 Øyvind Kaurstad [this message]
2017-07-01 10:05 ` Full NAT forward and source routing - possible without packet marking? Pascal Hambourg
2017-07-01 20:26 ` Robert White
2017-07-01 22:17   ` zrm
2017-07-01 23:50     ` Robert White
2017-07-03 18:07       ` Hairpin NAT " zrm
2017-07-04  1:14         ` Robert White
2017-07-04  5:48           ` K
2017-07-04  7:07             ` Neal P. Murphy
2017-07-04 10:21               ` Robert White
2017-07-04 20:53           ` Pascal Hambourg
2017-07-04 21:20             ` Neal P. Murphy
2017-07-05  5:28             ` Robert White
2017-07-08 19:54           ` zrm
2017-07-08 21:55             ` Robert White
2017-07-02  7:29   ` Full NAT forward and source routing " Pascal Hambourg
2017-07-02 10:33     ` Robert White
2017-07-02 11:19       ` Pascal Hambourg
2017-07-02 15:58         ` Øyvind Kaurstad
2017-07-02 17:10           ` Pascal Hambourg
2017-07-02 23:20             ` Øyvind Kaurstad
2017-07-02 21:10           ` Robert White
2017-07-02 23:09             ` Øyvind Kaurstad

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1363a246-966e-59fc-7d5a-efaf12aa6b51@dynator.no \
    --to=oyvind@dynator.no \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.