spooky RST with DNAT rules; macvlan + namespace
@ 2015-04-10 19:56 Chris Burroughs
From: Chris Burroughs @ 2015-04-10 19:56 UTC (permalink / raw)
To: netfilter
I have an existing application that relies on some custom iptables logic
to function inside our network. It uses several simple rules along the
lines of:
    iptables -t nat -A OUTPUT -j DNAT -p tcp --dst x.x.x.x --dport 7000 -o eth0 --to-destination y.y.y.y
There are several nodes and there is a DNAT rule for each node. I've
successfully been using rules like this on physical nodes for a few
years without difficulty.
I'm trying to replace these nodes with 'containers' on centos6.
Specifically by 'containers' I mean lxc with:
* privileged containers
* macvlan in bridge mode
* network namespace
And I'm running into trouble with the same iptables rules. Specifically,
this is what happens between container A (initiates connection) on host X
and container B (listening daemon) on host Y:
* A: syn
* B: syn+ack
* A: rst
I've detected the RST with tcpdump from both within the container and on
the host. Visually in wireshark it looks like:
http://i.imgur.com/lo1PF6k.png

Basic DROP rules like 'block inbound on this port' appear to work fine.
To add to the confusion, if A & B are co-located on the same physical
host it appears to work okay.
I'm at a loss to explain where the RST is coming from or how to make
the DNAT rule work correctly.
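The SYN / SYN+ACK / RST sequence described above can be pulled out of a `tcpdump -n` capture automatically. The following is an added example, not code from the original post: it groups packets by the client endpoint that sent the SYN, flags handshakes the client answered with RST, and records whether the SYN+ACK came back from the address the SYN was sent to, which is the first thing to compare when a DNAT rule sits in the path. The packet lines are constructed sample input.

```python
import re

# Matches the head of a "tcpdump -n" line: enough to recover endpoints and TCP flags.
PKT = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                 r"Flags \[(?P<flags>[^\]]*)\]")

def classify_handshakes(lines):
    """Map each client endpoint that sent a SYN to a verdict on its handshake."""
    flows = {}
    for line in lines:
        m = PKT.match(line)
        if not m:
            continue
        p = m.groupdict()
        flags = p["flags"]
        if flags == "S":                          # client opens: key the flow on the client side
            flows[(p["src"], p["sport"])] = {"target": (p["dst"], p["dport"]),
                                             "synack_from": None, "reply": None}
        elif flags == "S.":                       # server answers: look up the client it answers
            fl = flows.get((p["dst"], p["dport"]))
            if fl is not None and fl["synack_from"] is None:
                fl["synack_from"] = (p["src"], p["sport"])
        else:                                     # first client packet after the SYN+ACK
            fl = flows.get((p["src"], p["sport"]))
            if fl is not None and fl["synack_from"] and fl["reply"] is None:
                fl["reply"] = "RST" if "R" in flags else "ACK" if "." in flags else flags
    for fl in flows.values():
        fl["status"] = {"RST": "rst-after-synack", "ACK": "ok"}.get(fl["reply"], "incomplete")
        # With DNAT in the path, compare first: did the SYN+ACK come back from the
        # address the SYN was sent to, or from an address the socket never connected to?
        fl["reply_addr_matches"] = fl["synack_from"] == fl["target"]
    return flows

# Constructed sample capture (not from the post): a healthy handshake, one that ends in
# RST, and one where the SYN+ACK returns from an address other than the SYN's target.
SAMPLE = """\
19:56:01.000100 IP 10.0.0.5.41000 > 192.0.2.10.7000: Flags [S], seq 100, win 29200, length 0
19:56:01.000300 IP 192.0.2.10.7000 > 10.0.0.5.41000: Flags [S.], seq 500, ack 101, win 28960, length 0
19:56:01.000400 IP 10.0.0.5.41000 > 192.0.2.10.7000: Flags [.], ack 501, win 229, length 0
19:56:02.000100 IP 10.0.0.6.41001 > 192.0.2.11.7000: Flags [S], seq 100, win 29200, length 0
19:56:02.000300 IP 192.0.2.11.7000 > 10.0.0.6.41001: Flags [S.], seq 500, ack 101, win 28960, length 0
19:56:02.000400 IP 10.0.0.6.41001 > 192.0.2.11.7000: Flags [R], seq 101, win 0, length 0
19:56:03.000100 IP 10.0.0.7.41002 > 192.0.2.12.7000: Flags [S], seq 100, win 29200, length 0
19:56:03.000300 IP 198.51.100.12.7000 > 10.0.0.7.41002: Flags [S.], seq 500, ack 101, win 28960, length 0
19:56:03.000400 IP 10.0.0.7.41002 > 198.51.100.12.7000: Flags [R], seq 101, win 0, length 0
""".splitlines()
```

Feed it the output of `tcpdump -n -i eth0 'tcp port 7000'` taken on the host and inside the container, and compare the two verdicts for the same client endpoint.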