* RE: "distributed router" question
       [not found] <200702241418.22551.silvio@pizzaroot.com.br>
@ 2007-02-24 21:31 ` Alec Matusis
  2007-02-25  1:58   ` Robert Nichols
  0 siblings, 1 reply; 6+ messages in thread
From: Alec Matusis @ 2007-02-24 21:31 UTC (permalink / raw)
  To: netfilter; +Cc: 'Silvio Fonseca'

Hi Silvio,

Thanks for your response. 

I still do not understand why SNATting on B to the public IP of box A would
not work?
By this I mean the following:

1) Client sends packet to box A ( src: 9.10.11.12 dst: 1.2.3.4 )
2) Box A does DNAT (PREROUTING) to box B ( src: 9.10.11.12 dst: 10.0.0.2 )

Box B receives the packet and replies directly to the client:
1) Box B does SNAT (POSTROUTING) using box A WAN as source (src: 1.2.3.4
dst: 9.10.11.12)

There are two reasons why I'd like to implement it this way:

a) Reduce the load on box A so that the packets from B go directly to the
client 9.10.11.12, bypassing A.
b) The server on box B must log the IPs of all clients (i.e. log the
original client IP  9.10.11.12) 

Thank you,

Alec Matusis


>-----Original Message-----
>From: Silvio Fonseca [mailto:silvio@pizzaroot.com.br] 
>Sent: Saturday, February 24, 2007 8:18 AM
>To: netfilter@lists.netfilter.org
>Cc: Alec Matusis
>Subject: Re: "distributed router" question
>
>Hello Alec,
>
>In this situation you have to SNAT on box A before sending the packet to
>box B:
>
>1) Client sends packet to box A ( src: 9.10.11.12 dst: 1.2.3.4 )
>2) Box A does DNAT (PREROUTING) to box B ( src: 9.10.11.12 dst: 10.0.0.2 )
>3) Box A does SNAT (POSTROUTING) using box A LAN as source ( src: 10.0.0.1
>dst: 10.0.0.2 )
>
>Box B receives the packet and replies:
>
>1) Box B replies to box A ( src: 10.0.0.2 dst: 10.0.0.1 )
>2) Box A reverts the SNAT ( src: 10.0.0.2 dst: 9.10.11.12 )
>3) Box A reverts the DNAT ( src: 1.2.3.4 dst: 9.10.11.12 )
>
>Asymmetrical routing, using box A WAN to receive and box B WAN to send,
>won't work because you will need to SNAT to the public IP address of B
>before sending to the public network (source will be 5.6.7.8) while the
>client is expecting A's public address (source 1.2.3.4).
>
>Hope that helps.
>
>Silvio Fonseca
>
>> I am wondering if I am doing something legitimate, or it's against
>> TCP/IP (I am a physicist by education, so I do not know):
>>
>> I have box A that has one connection to WAN and one connection to LAN.
>> On box A, eth0 has a public ip 1.2.3.4 and eth1 has a private ip 10.0.0.1
>>
>> I have box B that also has one connection to WAN and another one to the
>> same LAN. On B, eth0 has a public ip 5.6.7.8 and eth1 has a private ip
>> 10.0.0.2
>>
>> I configured iptables in box A to forward packets destined for
>> 1.2.3.4:3000 to the destination 10.0.0.2:3000, i.e. to box B. This part
>> works, I checked with tcpdumps.
>>
>> Now, box B, after receiving a SYN packet via box A on eth1, sends an ACK
>> packet directly through its WAN interface eth0 to the client. If I do
>> not configure POSTROUTING SNAT, those ACK packets appear to originate
>> from 10.0.0.2, so they are rejected by the client.
>> My question is: if I configure SNAT on box B so that ACK packets appear
>> to come from box A (i.e. from 1.2.3.4), would this be a legitimate
>> configuration?
>>
>> In other words, a SYN packet is sent to one machine, forwarded via LAN
>> to another machine, and the ACK packet is sent from the second machine
>> having the source ip of the first machine. For that matter, all incoming
>> packets from the client are received by A, then forwarded to B, and all
>> response packets are sent directly from B to the client. Is this a
>> legitimate configuration?
>




* Re: "distributed router" question
  2007-02-24 21:31 ` "distributed router" question Alec Matusis
@ 2007-02-25  1:58   ` Robert Nichols
  2007-02-25  7:30     ` Alec Matusis
  0 siblings, 1 reply; 6+ messages in thread
From: Robert Nichols @ 2007-02-25  1:58 UTC (permalink / raw)
  To: netfilter

Alec Matusis wrote:
> Hi Silvio,
> 
> Thanks for your response. 
> 
> I still do not understand why SNATting on B to the public IP of box A would
> not work?
> By this I mean the following:
> 
> 1) Client sends packet to box A ( src: 9.10.11.12 dst: 1.2.3.4 )
> 2) Box A does DNAT (PREROUTING) to box B ( src: 9.10.11.12 dst: 10.0.0.2 )
> 
> Box B receives the packet and replies directly to the client:
> 1) Box B does SNAT (POSTROUTING) using box A WAN as source (src: 1.2.3.4
> dst: 9.10.11.12)
> 
> There are two reasons why I'd like to implement it this way:
> 
> a) Reduce the load on box A so that the packets from B go directly to the
> client 9.10.11.12, bypassing A.
> b) The server on box B must log the IPs of all clients (i.e. log the
> original client IP  9.10.11.12) 
> 
> Thank you,
> 
> Alec Matusis

You can make that work for UDP, but for TCP box A will see only half-open
connections (it will never see the SYN/ACK) and reject the payload packets
as invalid.

-- 
Bob Nichols         Yes, "NOSPAM" is really part of my email address.




* RE: "distributed router" question
  2007-02-25  1:58   ` Robert Nichols
@ 2007-02-25  7:30     ` Alec Matusis
  2007-02-27 16:51       ` Robert Nichols
  0 siblings, 1 reply; 6+ messages in thread
From: Alec Matusis @ 2007-02-25  7:30 UTC (permalink / raw)
  To: netfilter; +Cc: rnichols

Thanks Robert.

My requirement is to have a transparent proxy in some sense: the TCP packets
should be proxied by box A to a server on box B, and back from B to the
client (via A I guess). The server on box B should see the original IP
address of the client. When I do SNAT on A, the original IP becomes
invisible for box B.

Is there a way to do this without using squid, with iptables only? 

>-----Original Message-----
>From: netfilter-bounces@lists.netfilter.org 
>[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of 
>Robert Nichols
>Sent: Saturday, February 24, 2007 5:59 PM
>To: netfilter@lists.netfilter.org
>Subject: Re: "distributed router" question
>
>Alec Matusis wrote:
>> Hi Silvio,
>> 
>> Thanks for your response. 
>> 
>> I still do not understand why SNATting on B to the public IP of box A
>> would not work?
>> By this I mean the following:
>> 
>> 1) Client sends packet to box A ( src: 9.10.11.12 dst: 1.2.3.4 )
>> 2) Box A does DNAT (PREROUTING) to box B ( src: 9.10.11.12 dst: 10.0.0.2 )
>> 
>> Box B receives the packet and replies directly to the client:
>> 1) Box B does SNAT (POSTROUTING) using box A WAN as source (src: 1.2.3.4
>> dst: 9.10.11.12)
>> 
>> There are two reasons why I'd like to implement it this way:
>> 
>> a) Reduce the load on box A so that the packets from B go directly to
>> the client 9.10.11.12, bypassing A.
>> b) The server on box B must log the IPs of all clients (i.e. log the
>> original client IP 9.10.11.12)
>> 
>> Thank you,
>> 
>> Alec Matusis
>
>You can make that work for UDP, but for TCP box A will see only half-open
>connections (it will never see the SYN/ACK) and reject the payload packets
>as invalid.
>
>-- 
>Bob Nichols         Yes, "NOSPAM" is really part of my email address.
>




* Re: "distributed router" question
  2007-02-25  7:30     ` Alec Matusis
@ 2007-02-27 16:51       ` Robert Nichols
  0 siblings, 0 replies; 6+ messages in thread
From: Robert Nichols @ 2007-02-27 16:51 UTC (permalink / raw)
  To: netfilter

Alec Matusis wrote:
> Thanks Robert.
> 
> My requirement is to have a transparent proxy in some sense: the TCP packets
> should be proxied by box A to a server on box B, and back from B to the
> client (via A I guess). The server on box B should see the original IP
> address of the client. When I do SNAT on A, the original IP becomes
> invisible for box B.

You just need to ensure that packets from B to the client get routed via
box A.  That is a routing issue, not a netfilter problem.  Depending on
what other traffic is going to/from box B, the solution could be as simple
as making box A the gateway for the default route out of box B.  If B
is handling other traffic that does not go through A, then you'll
probably need to use the advanced routing features of iproute2 to
selectively route the packets.  There's a rather extensive "Linux Advanced
Routing & Traffic Control HOWTO" available from http://lartc.org.

-- 
Bob Nichols         Yes, "NOSPAM" is really part of my email address.
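To make Robert's two replies concrete, here is an added example (not from the thread) that models a small, simplified subset of the kernel's conntrack TCP state table as seen by box A: when B answers the client over its own WAN link, A's entry never leaves SYN_SENT and the client's subsequent ACK/data packets are classed INVALID; when B's replies are routed back through A, the entry reaches ESTABLISHED. The transition subset and the two packet sequences are assumptions constructed for this illustration, not a full conntrack implementation.

```python
# Simplified model of the Linux conntrack TCP state machine, limited to the
# three-way handshake, to show why box A sees "half-open" connections when
# box B answers the client directly.  Assumption: this subset of the kernel's
# nf_conntrack_proto_tcp table is enough for the handshake; the real table
# covers many more states and flag combinations.

NONE, SYN_SENT, SYN_RECV, ESTABLISHED, INVALID = (
    "NONE", "SYN_SENT", "SYN_RECV", "ESTABLISHED", "INVALID")

# (current state, direction, TCP flags) -> next state
TRANSITIONS = {
    (NONE,        "orig",  "SYN"):     SYN_SENT,     # client SYN creates the entry
    (SYN_SENT,    "orig",  "SYN"):     SYN_SENT,     # retransmitted SYN
    (SYN_SENT,    "reply", "SYN,ACK"): SYN_RECV,     # server's answer seen by A
    (SYN_RECV,    "orig",  "ACK"):     ESTABLISHED,  # handshake completes
    (ESTABLISHED, "orig",  "ACK"):     ESTABLISHED,  # data flow, either direction
    (ESTABLISHED, "reply", "ACK"):     ESTABLISHED,
    (SYN_SENT,    "orig",  "ACK"):     INVALID,      # ACK before any SYN/ACK seen
}

def track(packets):
    """Feed the (direction, flags) packets box A sees; return (final state, per-packet verdicts)."""
    state = NONE
    verdicts = []
    for direction, flags in packets:
        nxt = TRANSITIONS.get((state, direction, flags), INVALID)
        if nxt == INVALID:
            # INVALID packets get no NAT mapping and are typically dropped.
            verdicts.append(INVALID)
        else:
            state = nxt
            verdicts.append(state)
    return state, verdicts

# Constructed packet sequences.  Asymmetric: client -> A -> B, but B replies
# straight to the client via its own WAN, so A never sees the SYN/ACK.
ASYMMETRIC = [("orig", "SYN"), ("orig", "ACK"), ("orig", "ACK")]

# Symmetric: B's replies are routed back through A (the routing fix above).
SYMMETRIC = [("orig", "SYN"), ("reply", "SYN,ACK"), ("orig", "ACK"), ("orig", "ACK")]

if __name__ == "__main__":
    print("asymmetric:", track(ASYMMETRIC))
    print("symmetric: ", track(SYMMETRIC))
```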




* Re: "distributed router" question
       [not found] <20070224075255.F2B1928985@supreme.pizzaroot.com.br>
@ 2007-02-24 16:26 ` Silvio Fonseca
  0 siblings, 0 replies; 6+ messages in thread
From: Silvio Fonseca @ 2007-02-24 16:26 UTC (permalink / raw)
  To: netfilter

Hello Alec,

In this situation you have to SNAT on box A before sending the packet to box 
B:

1) Client sends packet to box A ( src: 9.10.11.12 dst: 1.2.3.4 )
2) Box A does DNAT (PREROUTING) to box B ( src: 9.10.11.12 dst: 10.0.0.2 )
3) Box A does SNAT (POSTROUTING) using box A LAN as source ( src: 10.0.0.1 
dst: 10.0.0.2 )

Box B receives the packet and replies:

1) Box B replies to box A ( src: 10.0.0.2 dst: 10.0.0.1 )
2) Box A reverts the SNAT ( src: 10.0.0.2 dst: 9.10.11.12 )
3) Box A reverts the DNAT ( src: 1.2.3.4 dst: 9.10.11.12 )

Asymmetrical routing, using box A WAN to receive packets and box B WAN to 
reply, won't work because you will need to SNAT to the public IP address of B 
before sending to the public network (source will be 5.6.7.8) while the 
client is expecting A's public address (source 1.2.3.4).

Hope that helps.

Silvio Fonseca

> I am wondering if I am doing something legitimate, or it's against TCP/IP
> (I am a physicist by education, so I do not know):
>
> I have box A that has one connection to WAN and one connection to LAN. On
> box A, eth0 has a public ip 1.2.3.4 and eth1 has a private ip 10.0.0.1
>
> I have box B that also has one connection to WAN and another one to the
> same LAN. On B, eth0 has a public ip 5.6.7.8 and eth1 has a private ip
> 10.0.0.2
>
> I configured iptables in box A to forward packets destined for 1.2.3.4:3000
> to the destination 10.0.0.2:3000 , i.e. to box B. This part works, I
> checked with tcpdumps.
>
> Now, box B, after receiving a SYN packet via box A on eth1, sends an ACK
> packet directly through its WAN interface eth0 to the client. If I do not
> configure POSTROUTING SNAT, those ACK packets appear to originate from
> 10.0.0.2, so they are rejected by the client.
> My question is: if I configure SNAT on box B so that ACK packets appear to
> come from box A (i.e. from 1.2.3.4), would this be a legitimate
> configuration?
>
> In other words, a SYN packet is sent to one machine, forwarded via LAN to
> another machine, and the ACK packet is sent from the second machine having
> the source ip of the first machine. For that matter, all incoming packets
> from the client are received by A, then forwarded to B, and all response
> packets are sent directly from B to the client. Is this a legitimate
> configuration?



* "distributed router" question
@ 2007-02-24  6:50 Alec Matusis
  0 siblings, 0 replies; 6+ messages in thread
From: Alec Matusis @ 2007-02-24  6:50 UTC (permalink / raw)
  To: netfilter

I am wondering if I am doing something legitimate, or it's against TCP/IP (I
am a physicist by education, so I do not know):

I have box A that has one connection to WAN and one connection to LAN. On
box A, eth0 has a public ip 1.2.3.4 and eth1 has a private ip 10.0.0.1

I have box B that also has one connection to WAN and another one to the same
LAN. On B, eth0 has a public ip 5.6.7.8 and eth1 has a private ip 10.0.0.2

I configured iptables in box A to forward packets destined for 1.2.3.4:3000
to the destination 10.0.0.2:3000 , i.e. to box B. This part works, I checked
with tcpdumps.

Now, box B, after receiving a SYN packet via box A on eth1, sends an ACK
packet directly through its WAN interface eth0 to the client. If I do not
configure POSTROUTING SNAT, those ACK packets appear to originate from
10.0.0.2, so they are rejected by the client.
My question is: if I configure SNAT on box B so that ACK packets appear to
come from box A (i.e. from 1.2.3.4), would this be a legitimate
configuration?

In other words, a SYN packet is sent to one machine, forwarded via LAN to
another machine, and the ACK packet is sent from the second machine having
the source ip of the first machine. For that matter, all incoming packets
from the client are received by A, then forwarded to B, and all response
packets are sent directly from B to the client. Is this a legitimate
configuration?




