* iptables NATed or not NATed
@ 2010-03-11  7:04 Patrick Chemla
  2010-03-11  8:21 ` Marek Kierdelewicz
  2010-03-11 20:39 ` Pascal Hambourg
  0 siblings, 2 replies; 5+ messages in thread
From: Patrick Chemla @ 2010-03-11  7:04 UTC (permalink / raw)
  To: netfilter

Hi,

I am using iptables NAT to route outgoing packets from my LAN (eth0) to 
specific public IPs on 2 ISP links (eth1 and eth2), according to the 
internal IP of a local server.

Here is how I NAT the addresses:

/sbin/iptables -t nat -A PREROUTING -p tcp -i $interface -d $public_ip/32 -j DNAT --to-destination $server_ip
/sbin/iptables -t nat -A POSTROUTING -s $server_ip/32 -o $interface -j SNAT --to-source $public_ip

Here is how I route the packets to the right outgoing interface:

I have 2 routing tables declared. Default route is on eth2.

/sbin/ip rule add from $server_ip table $route_table

It works, but with tcpdump I have recorded packets on the outgoing 
interfaces whose addresses are NOT NATed, meaning packets issued from 
internal servers on eth0 are routed to the default route on eth2 with their 
internal address 10.0.0.xx.

It is very strange because it is a small percentage of packets, not all 
the packets from a specific server, directed to the same port as 
others that are routed and NATed the right way, at the same time.

Again: a small percentage of packets issued by the same server, to the 
same destination port, maybe not the same public server, are routed 
without NATing, while most of the packets from the same computer are 
correctly routed and NATed.

Of course, the dialogue fails because there is no route back to address 
10.0.0.xx.

Does someone have any idea?
Thanks for your help
Patrick




* Re: iptables NATed or not NATed
  2010-03-11  7:04 iptables NATed or not NATed Patrick Chemla
@ 2010-03-11  8:21 ` Marek Kierdelewicz
  2010-03-11 20:39 ` Pascal Hambourg
  1 sibling, 0 replies; 5+ messages in thread
From: Marek Kierdelewicz @ 2010-03-11  8:21 UTC (permalink / raw)
  To: Patrick Chemla; +Cc: netfilter

>Hi,

Hi,

>It is very strange because it is a small percentage of packets, not
>all the packets from a specific server, directed to the same port
>as others that are routed and NATed the right way, at the same time.
>Again: a small percentage of packets issued by the same server, to the 
>same destination port, maybe not the same public server, are routed 
>without NATing, while most of the packets from the same computer are 
>correctly routed and NATed.

Try using "ip ro sh cache" to see what's in there. If you see "stale"
cache entries "ip ro flush cache" should fix the problem.

Best regards,
Marek


* Re: iptables NATed or not NATed
  2010-03-11  7:04 iptables NATed or not NATed Patrick Chemla
  2010-03-11  8:21 ` Marek Kierdelewicz
@ 2010-03-11 20:39 ` Pascal Hambourg
  2010-03-12  9:19   ` ratheesh k
  1 sibling, 1 reply; 5+ messages in thread
From: Pascal Hambourg @ 2010-03-11 20:39 UTC (permalink / raw)
  To: netfilter

Patrick Chemla wrote:
> 
> It works, but with tcpdump I have recorded packets on the outgoing 
> interfaces whose addresses are NOT NATed, meaning packets issued from 
> internal servers on eth0 are routed to the default route on eth2 with their 
> internal address 10.0.0.xx.
> 
> It is very strange because it is a small percentage of packets, not all 
> the packets from a specific server, directed to the same port as 
> others that are routed and NATed the right way, at the same time.

Check the state of those packets. Usually, packets which skip NAT are
those classified in the INVALID state by the connection tracking.


* Re: iptables NATed or not NATed
  2010-03-11 20:39 ` Pascal Hambourg
@ 2010-03-12  9:19   ` ratheesh k
  2010-03-12 20:24     ` Pascal Hambourg
  0 siblings, 1 reply; 5+ messages in thread
From: ratheesh k @ 2010-03-12  9:19 UTC (permalink / raw)
  To: netfilter

Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> Check the state of those packets. Usually, packets which skip NAT are
> those classified in the INVALID state by the connection tracking.

A new packet (not a SYN packet) would be treated as INVALID? Can we
see this packet in the NAT table?

Thanks,
Ratheesh


* Re: iptables NATed or not NATed
  2010-03-12  9:19   ` ratheesh k
@ 2010-03-12 20:24     ` Pascal Hambourg
  0 siblings, 0 replies; 5+ messages in thread
From: Pascal Hambourg @ 2010-03-12 20:24 UTC (permalink / raw)
  To: netfilter

ratheesh k wrote:
> 
> A new packet (not a SYN packet) would be treated as INVALID?

Yes.

> Can we see this packet in the NAT table?

No, the nat table does not see INVALID packets because stateful NAT
operation relies on valid connection tracking.

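The script below is an added example and is not code from any message in this thread. It puts Patrick's setup (per-server DNAT/SNAT on the ISP interface plus a source-based ip rule) and Pascal's diagnosis (packets that connection tracking classifies INVALID never traverse the nat table, so the SNAT in POSTROUTING is not applied to them) into one place, and adds the check a practitioner would want: INVALID packets are logged with a distinctive prefix and dropped in FORWARD, so they appear in the kernel log instead of leaving eth2 with a 10.0.0.x source. The interface names, addresses, routing table numbers, log prefix and the DRY_RUN wrapper are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Two ISP links (eth1, eth2) in front of a
# LAN on eth0; each internal server owns one public IP on one link.
# Addresses, interfaces and table numbers below are assumed for illustration.

DRY_RUN=${DRY_RUN:-1}   # 1: print the commands; 0: execute them (needs root)

# run CMD...: print or execute, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nat_rules IFACE PUBLIC_IP SERVER_IP
# Inbound: rewrite the public destination to the server (DNAT in PREROUTING).
# Outbound: rewrite the server's private source to its public IP (SNAT in
# POSTROUTING). Both rules are tied to the ISP interface that owns PUBLIC_IP.
nat_rules() {
    iface=$1 public_ip=$2 server_ip=$3
    run iptables -t nat -A PREROUTING -i "$iface" -d "$public_ip/32" \
        -j DNAT --to-destination "$server_ip"
    run iptables -t nat -A POSTROUTING -s "$server_ip/32" -o "$iface" \
        -j SNAT --to-source "$public_ip"
}

# policy_route SERVER_IP TABLE GATEWAY IFACE
# Source-based routing: traffic from SERVER_IP leaves through the ISP link
# that owns its public address rather than the main table's default route.
# TABLE is numeric so no /etc/iproute2/rt_tables entry is needed.
policy_route() {
    server_ip=$1 table=$2 gw=$3 iface=$4
    run ip route replace default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$server_ip" table "$table"
}

# invalid_guard: the failure mode from the thread, made visible. A packet that
# conntrack classifies INVALID skips the nat table, so without this rule it
# would be forwarded with its private 10.0.0.x source. Log it with a
# greppable prefix, then drop it.
invalid_guard() {
    run iptables -A FORWARD -m conntrack --ctstate INVALID \
        -j LOG --log-prefix "INVALID-SKIPPED-NAT: " --log-level 4
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
}

# configure_all: sample values (assumed), one server per ISP link.
configure_all() {
    nat_rules eth1 203.0.113.10 10.0.0.10
    policy_route 10.0.0.10 101 203.0.113.1 eth1
    nat_rules eth2 198.51.100.10 10.0.0.20
    policy_route 10.0.0.20 102 198.51.100.1 eth2
    invalid_guard
}

# Only act when invoked with "apply"; sourcing the file just defines functions.
if [ "${1:-}" = apply ]; then
    configure_all
fi
```

With DRY_RUN=1 (the default) `sh nat-setup.sh apply` prints the rule set for review; with DRY_RUN=0 it applies it as root. Whether a non-SYN packet ends up INVALID depends on sysctls worth checking while diagnosing: with net.netfilter.nf_conntrack_tcp_loose=1 (the default) a mid-stream packet may instead create a NEW entry, and out-of-window segments on a tracked connection are classified INVALID unless net.netfilter.nf_conntrack_tcp_be_liberal=1. Hits on the INVALID-SKIPPED-NAT prefix in the kernel log, correlated with the un-NATed packets seen in tcpdump, confirm the explanation given in the thread.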
