advanced routing with NAT: returning UDP traffic

advanced routing with NAT: returning UDP traffic

[Maarten]

Hi,

until now, i've done multiple ISPs with nexthop default route, 2 extra tables, 
ip rule and TCP connmark.

but, how does this involve UDP traffic...

if for example i have in my NAT LAN an NTP server, how would i get the udp 
packet out the same interface where it was originally coming in from?

please advise...

Maarten
-- 
BA NV
IT & Security

Re: advanced routing with NAT: returning UDP traffic

[Eliezer Croitoru]

Hey Maarten,

As long as I remember conntrack and conntrack are working together.
Which means that udp traffic will be distinguished the same way as TCP 
as long the connection tracking categorized it under the same connection 
stream.
(I think for unestablished connection 30 secs and more for an 
"established" one)

Eliezer

On 09/23/2014 03:46 PM, Maarten wrote:
> Hi,
>
> until now, i've done multiple ISPs with nexthop default route, 2 extra tables,
> ip rule and TCP connmark.
>
> but, how does this involve UDP traffic...
>
> if for example i have in my NAT LAN an NTP server, how would i get the udp
> packet out the same interface where it was originally coming in from?
>
> please advise...
>
> Maarten

Re: advanced routing with NAT: returning UDP traffic

[Maarten Vanraes]

conntrack and conntrack ? i'm assuming this is a typo?

so, even some kind of odd udp reply will still be the same connection if it's 
within 30seconds?

so, i can use connmark on not just TCP, but on all protocols?

Regards,

Maarten

Op dinsdag 23 september 2014 20:41:08 schreef Eliezer Croitoru:
> Hey Maarten,
> 
> As long as I remember conntrack and conntrack are working together.
> Which means that udp traffic will be distinguished the same way as TCP
> as long the connection tracking categorized it under the same connection
> stream.
> (I think for unestablished connection 30 secs and more for an
> "established" one)
> 
> Eliezer
> 
> On 09/23/2014 03:46 PM, Maarten wrote:
> > Hi,
> > 
> > until now, i've done multiple ISPs with nexthop default route, 2 extra
> > tables, ip rule and TCP connmark.
> > 
> > but, how does this involve UDP traffic...
> > 
> > if for example i have in my NAT LAN an NTP server, how would i get the udp
> > packet out the same interface where it was originally coming in from?
> > 
> > please advise...
> > 
> > Maarten
-- 
BA NV
IT & Security

Re: advanced routing with NAT: returning UDP traffic

[Pascal Hambourg]

Maarten Vanraes a écrit :
> 
> so, even some kind of odd udp reply will still be the same connection if it's 
> within 30seconds?

Not odd. The reply packet has to match the addresses and ports in the
original packet (with source and destination swapped).

> so, i can use connmark on not just TCP, but on all protocols?

Not all protocols, but any protocol implementation which behaves in the
way expected by conntrack.

Re: advanced routing with NAT: returning UDP traffic

[Maarten Vanraes]

Op woensdag 24 september 2014 11:49:02 schreef Pascal Hambourg:
> Maarten Vanraes a écrit :
> > so, even some kind of odd udp reply will still be the same connection if
> > it's within 30seconds?
> 
> Not odd. The reply packet has to match the addresses and ports in the
> original packet (with source and destination swapped).
> 
> > so, i can use connmark on not just TCP, but on all protocols?
> 
> Not all protocols, but any protocol implementation which behaves in the
> way expected by conntrack.

ok, thanks,

so, this is why streaming/voip stuff will still have issues...
-- 
BA NV
IT & Security

Re: advanced routing with NAT: returning UDP traffic

[Eliezer Croitoru]

On 09/24/2014 01:16 PM, Maarten Vanraes wrote:
> ok, thanks,
>
> so, this is why streaming/voip stuff will still have issues...
Yes indeed.
and I Meant conntrack and connmark...
VOIP and STREAMING are beasts!!!
There are modules which analyze them and also recognize them but you 
will need to enable them first.

The issue is not UDP by itself as you understand.
It's a well known issue with multi IP nat machines in ISPS.
In many cases a SIP proxy helps to fix couple things.
I haven't tried it yet but it seems like there are commercial products 
that implement these SIP proxy.

Eliezer

Re: advanced routing with NAT: returning UDP traffic

[Maarten Vanraes]

Op woensdag 24 september 2014 15:38:26 schreef Eliezer Croitoru:
> On 09/24/2014 01:16 PM, Maarten Vanraes wrote:
> > ok, thanks,
> > 
> > so, this is why streaming/voip stuff will still have issues...
> 
> Yes indeed.
> and I Meant conntrack and connmark...
> VOIP and STREAMING are beasts!!!
> There are modules which analyze them and also recognize them but you
> will need to enable them first.
> 
> The issue is not UDP by itself as you understand.
> It's a well known issue with multi IP nat machines in ISPS.
> In many cases a SIP proxy helps to fix couple things.
> I haven't tried it yet but it seems like there are commercial products
> that implement these SIP proxy.

i've used siproxd before... but it's limited, i could set up an asterisk in 
between, but that might be overkill and i'm not sure i could intercept it 
without configuring stuff on the other side...

what kind of modules do you know that help conntracking this kind of stuff?

and... what about ipv6 and multiple ISPs? (but without natting, but still no 
bgp or something), won't i still have the same problem?

Regards,

Maarten
-- 
BA NV
IT & Security

Re: advanced routing with NAT: returning UDP traffic

[Pascal Hambourg]

Maarten Vanraes a écrit :
> Op woensdag 24 september 2014 15:38:26 schreef Eliezer Croitoru:
>> VOIP and STREAMING are beasts!!!
>> There are modules which analyze them and also recognize them but you
>> will need to enable them first.
> 
> what kind of modules do you know that help conntracking this kind of stuff?

For SIP : nf_conntrack_sip. There is a nf_conntrack_<protocol> helper
for each supported "complex" protocol (FTP, IRC, PPTP...). Their purpose
is to set the state of the first packet of the data connection to
RELATED, and copy the connmark of the control connection to the data
connection. On a box doing NAT, you also need the related
nf_nat_<protocol> module.

> and... what about ipv6 and multiple ISPs? (but without natting, but still no 
> bgp or something), won't i still have the same problem?

Yes.

Re: advanced routing with NAT: returning UDP traffic

[Maarten Vanraes]

Op vrijdag 26 september 2014 15:18:42 schreef Pascal Hambourg:
> Maarten Vanraes a écrit :
> > Op woensdag 24 september 2014 15:38:26 schreef Eliezer Croitoru:
> >> VOIP and STREAMING are beasts!!!
> >> There are modules which analyze them and also recognize them but you
> >> will need to enable them first.
> > 
> > what kind of modules do you know that help conntracking this kind of
> > stuff?
> 
> For SIP : nf_conntrack_sip. There is a nf_conntrack_<protocol> helper
> for each supported "complex" protocol (FTP, IRC, PPTP...). Their purpose
> is to set the state of the first packet of the data connection to
> RELATED, and copy the connmark of the control connection to the data
> connection. On a box doing NAT, you also need the related
> nf_nat_<protocol> module.
> 
> > and... what about ipv6 and multiple ISPs? (but without natting, but still
> > no bgp or something), won't i still have the same problem?
> 
> Yes.


awesome, this makes it totally clear... thx!
-- 
BA NV
IT & Security