Subject: Howto DNAT/SNAT existing TCP session (no SYN, only PUSH/ACK)
From: Norbert van Bolhuis @ 2010-08-11 14:01 UTC
To: netfilter
We have a system that looks internally like this:
                   eLAN
                     |
                     |
             --------------
             | ETH-switch |
             --------------
              |p1        |p2
              |          |
          --------    --------
          |HOST_1|----|HOST_2|
          --------iLAN--------
              |
          ........
          . APPs .
          ........
It is a simplified view, but in essence it offers a sort of traffic protection, and as a consequence our APPs should be accessible through the one external LAN IP address (eLAN-IP-addr) no matter which switch port is active (p1 or p2).
A HOST has a full TCP/IP stack. The ETH-switch takes care of the protection switch; the HOST_x<-->ETH-switch eth interface always has the same MAC and IP address (eLAN-IP-addr).
Our APPs communicate through HOST_1.
On HOST_2 the below rule takes care of this:
iptables -t nat -A PREROUTING -d <eLAN-IP-addr> ! -i iLAN -j DNAT --to-destination <iLAN-HOST_1-IP-addr>
Here's my 1st problem/question.
Let's say HOST_2 is active and an ESTABLISHED TCP communication is present between a system on the eLAN and an APP (of course for HOST_1 the TCP connection will be administrated as iLAN-HOST_1-IP-addr/port<-->eLAN-system-IP-addr/port).
If the ETH-switch rapidly makes p1/HOST_1 active, is it possible to make sure outgoing TCP data (that is sent by the APP/HOST_1) is somehow source NAT'ed?
I ask this because currently the outgoing data (to the system on the eLAN) carries src-ip=iLAN-HOST_1-IP-addr while I want it to be eLAN-IP-addr.
Vice versa (p2/HOST_2 becomes active) the same problem applies.
So I tried the below rule on HOST_1:
iptables -t nat -A PREROUTING -d <eLAN-IP-addr> ! -i iLAN -m state --state INVALID,NEW,RELATED,ESTABLISHED -j DNAT --to-destination <iLAN-HOST_1-IP-addr>
This rule makes sure all traffic to the APPs has the internal LAN address of HOST_1 (iLAN-HOST_1-IP-addr).
So I tested with APP=telnetd. HOST_2 is active and the NAT rule on HOST_2 takes care of NATting to HOST_1 with dst-addr=iLAN-HOST_1-IP-addr.
On HOST_1 the below telnet connection exists:
tcp 0 0 iLAN-HOST_1-IP-addr:23 eLAN-system-IP-addr:58119 ESTABLISHED
On a switch to p1/HOST_1 I would expect no impact on the telnet connection (as long as I do not actively use it).
However, after the switch has been completed, the TCP of HOST_1 sends a RST.
This I do not understand, especially because the last mentioned NAT rule said it did the translation:
iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 26 packets, 3052 bytes)
 pkts bytes target  prot opt in     out  source    destination
    1    54 DNAT    all  --  !iLAN  any  anywhere  eLAN-IP-addr  state INVALID,NEW,RELATED,ESTABLISHED to:iLAN-HOST_1-IP-addr
1 packet, 54 bytes corresponds with the <ENTER> I typed on the telnet client on the eLAN system.
Anybody know why (TCP of) HOST_1 sends a ReSeT in this case?
Subject: Re: Howto DNAT/SNAT existing TCP session (no SYN, only PUSH/ACK)
From: Jan Engelhardt @ 2010-08-11 14:51 UTC
To: Norbert van Bolhuis; +Cc: netfilter
On Wednesday 2010-08-11 16:01, Norbert van Bolhuis wrote:
>
> We have a system that looks internally like this:
>
>                    eLAN
>                      |
>                      |
>              --------------
>              | ETH-switch |
>              --------------
>               |p1        |p2
>               |          |
>           --------    --------
>           |HOST_1|----|HOST_2|
>           --------iLAN--------
>               |
>           ........
>           . APPs .
>           ........
>
>On HOST_2 the below rule takes care of this:
>iptables -t nat -A PREROUTING -d <eLAN-IP-addr> ! -i iLAN -j DNAT
>--to-destination <iLAN-HOST_1-IP-addr>
>
>Let's say HOST_2 is active and an ESTABLISHED TCP communication is present
>between a system on the eLAN and an APP.
k,
>(of course for HOST_1 the TCP connection will be administrated as
>iLAN-HOST_1-IP-addr/port<-->eLAN-system-IP-addr/port)
What? "pcap language please."
>If the ETH-switch
>rapidly makes p1/HOST_1 active, is it possible to make sure outgoing TCP data
>(that is sent by the APP/HOST_1) is somehow source NAT'ed ?
You have ipt_SNAT at your disposal.
>I ask this because currently the outgoing data (to the system on the eLAN)
>carries src-ip=iLAN-HOST_1-IP-addr while I want it to be eLAN-IP-addr.
>
>Anybody know why (TCP of) HOST_1 sends a ReSeT in this case ?
You probably evoked a problem similar to
http://jengelh.medozas.de/images/dnat-mistake.png
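Added example, not code from the thread and not netfilter's own logic: a small Python model of the two rewrites discussed above, Norbert's PREROUTING DNAT on its own and the same DNAT paired with the POSTROUTING SNAT that Jan points to, using the thread's placeholder addresses. It treats the rewrites as plain rules and ignores conntrack, so it shows only the requirement: the reply the APP's socket (iLAN-HOST_1-IP-addr:23) sends must reach the eLAN peer with the 4-tuple the peer originally opened. The eLAN-facing interface name "eth0" and the exact SNAT rule are assumptions.

```python
from dataclasses import dataclass

# Placeholder addresses taken from the thread (constructed labels, not real hosts).
ELAN_IP = "eLAN-IP-addr"
ILAN_HOST1 = "iLAN-HOST_1-IP-addr"
CLIENT = "eLAN-system-IP-addr"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def prerouting_dnat(p: Pkt, in_if: str) -> Pkt:
    """Models: -t nat -A PREROUTING -d <eLAN-IP-addr> ! -i iLAN -j DNAT --to-destination <iLAN-HOST_1-IP-addr>."""
    if p.dst == ELAN_IP and in_if != "iLAN":
        return Pkt(p.src, p.sport, ILAN_HOST1, p.dport)
    return p


def postrouting_snat(p: Pkt, out_if: str) -> Pkt:
    """Models the SNAT Jan points to (assumed rule, not from the thread):
    -t nat -A POSTROUTING -s <iLAN-HOST_1-IP-addr> ! -o iLAN -j SNAT --to-source <eLAN-IP-addr>."""
    if p.src == ILAN_HOST1 and out_if != "iLAN":
        return Pkt(ELAN_IP, p.sport, p.dst, p.dport)
    return p


def peer_matches(reply: Pkt, peer_socket: tuple) -> bool:
    """The eLAN peer only delivers a segment whose 4-tuple matches the socket it opened."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == peer_socket


def simulate(with_snat: bool) -> tuple:
    """Returns (destination the APP sees, reply source the peer sees, whether the peer can match it)."""
    # The eLAN peer connected to eLAN-IP-addr:23 from port 58119 (netstat line in the thread).
    peer_socket = (ELAN_IP, 23, CLIENT, 58119)
    inbound = prerouting_dnat(Pkt(CLIENT, 58119, ELAN_IP, 23), in_if="eth0")  # "eth0" assumed
    # The APP answers from the socket it actually owns: iLAN-HOST_1-IP-addr:23.
    reply = Pkt(inbound.dst, inbound.dport, inbound.src, inbound.sport)
    if with_snat:
        reply = postrouting_snat(reply, out_if="eth0")
    return inbound.dst, reply.src, peer_matches(reply, peer_socket)


if __name__ == "__main__":
    print("DNAT only:", simulate(False))
    print("DNAT+SNAT:", simulate(True))
```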