Does Redirect/NAT change the destination port of reverse tuple ?

All of lore.kernel.org
 help / color / mirror / Atom feed

* Does Redirect/NAT change the destination port of reverse tuple ?
@ 2008-02-29 10:49 Nishit Shah
  2008-02-29 11:29 ` Jan Engelhardt
  2008-02-29 11:52 ` Pascal Hambourg
  0 siblings, 2 replies; 8+ messages in thread
From: Nishit Shah @ 2008-02-29 10:49 UTC (permalink / raw)
  To: netfilter-devel

Hi,
	I have following iptable rule in system.

	iptables -I PREROUTING -t nat -p tcp --dport 443 -j REDIRECT
--to-ports 3128
	kernel - 2.6.16.13

	I am using following scenario for load testing

	192.168.206.200 -----> 192.168.121.125 	-----> 	72.14.223.83
	Client			iptables/proxy server		server

	and I am getting following entry through conntrack binay as well as
in /proc/net/ip_conntrack

	[NEW] tcp 6 120 NONE src=192.168.206.200 dst=72.14.223.83
sport=63423 dport=443 packets=1 bytes=48 [UNREPLIED] src=192.168.121.125
dst=192.168.206.200 sport=3128 dport=46873 packets=0 bytes=0 id=28187887

Now here original and reverse tuples are --> 
	Original tuple 192.168.206.200:63423->72.14.223.83:443
	Reply tuple    192.168.121.125:3128->192.168.206.200:46873

So, here destination port of reverse tuple is 46873. Is it correct ?

Rgds,
Nishit Shah


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Does Redirect/NAT change the destination port of reverse tuple ?
  2008-02-29 10:49 Does Redirect/NAT change the destination port of reverse tuple ? Nishit Shah
@ 2008-02-29 11:29 ` Jan Engelhardt
  2008-02-29 12:00   ` Nishit Shah
  2008-02-29 11:52 ` Pascal Hambourg
  1 sibling, 1 reply; 8+ messages in thread
From: Jan Engelhardt @ 2008-02-29 11:29 UTC (permalink / raw)
  To: Nishit Shah; +Cc: netfilter-devel


On Feb 29 2008 16:19, Nishit Shah wrote:
>
>Hi,
>	I have following iptable rule in system.
>
>	iptables -I PREROUTING -t nat -p tcp --dport 443 -j REDIRECT
>--to-ports 3128
>	kernel - 2.6.16.13
>
>	I am using following scenario for load testing
>
>	192.168.206.200 -----> 192.168.121.125 	-----> 	72.14.223.83
>	Client			iptables/proxy server		server
>
>	and I am getting following entry through conntrack binay as well as
>in /proc/net/ip_conntrack
>
>	[NEW] tcp 6 120 NONE src=192.168.206.200 dst=72.14.223.83
>sport=63423 dport=443 packets=1 bytes=48 [UNREPLIED] src=192.168.121.125
>dst=192.168.206.200 sport=3128 dport=46873 packets=0 bytes=0 id=28187887
>
>Now here original and reverse tuples are --> 
>	Original tuple 192.168.206.200:63423->72.14.223.83:443
>	Reply tuple    192.168.121.125:3128->192.168.206.200:46873
>
>So, here destination port of reverse tuple is 46873. Is it correct ?

You could compare with the output of tcpdump to capture the
actual on-wire situation especially regarding port 46873.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: Does Redirect/NAT change the destination port of reverse tuple ?
  2008-02-29 11:29 ` Jan Engelhardt
@ 2008-02-29 12:00   ` Nishit Shah
  2008-02-29 12:04     ` Jan Engelhardt
  0 siblings, 1 reply; 8+ messages in thread
From: Nishit Shah @ 2008-02-29 12:00 UTC (permalink / raw)
  To: 'Jan Engelhardt'; +Cc: netfilter-devel



-----Original Message-----
From: netfilter-devel-owner@vger.kernel.org
[mailto:netfilter-devel-owner@vger.kernel.org] On Behalf Of Jan Engelhardt
Sent: Friday, February 29, 2008 4:59 PM
To: Nishit Shah
Cc: netfilter-devel@vger.kernel.org
Subject: Re: Does Redirect/NAT change the destination port of reverse tuple
?


On Feb 29 2008 16:19, Nishit Shah wrote:
>
>Hi,
>	I have following iptable rule in system.
>
>	iptables -I PREROUTING -t nat -p tcp --dport 443 -j REDIRECT
>--to-ports 3128
>	kernel - 2.6.16.13
>
>	I am using following scenario for load testing
>
>	192.168.206.200 -----> 192.168.121.125 	-----> 	72.14.223.83
>	Client			iptables/proxy server		server
>
>	and I am getting following entry through conntrack binay as well as
>in /proc/net/ip_conntrack
>
>	[NEW] tcp 6 120 NONE src=192.168.206.200 dst=72.14.223.83
>sport=63423 dport=443 packets=1 bytes=48 [UNREPLIED] src=192.168.121.125
>dst=192.168.206.200 sport=3128 dport=46873 packets=0 bytes=0 id=28187887
>
>Now here original and reverse tuples are --> 
>	Original tuple 192.168.206.200:63423->72.14.223.83:443
>	Reply tuple    192.168.121.125:3128->192.168.206.200:46873
>
>So, here destination port of reverse tuple is 46873. Is it correct ?

You could compare with the output of tcpdump to capture the
actual on-wire situation especially regarding port 46873.

In tcpdump output I am seeing packets only with port 63423. No packets with
port 46873. Something like

 192.168.206.200:63423->72.14.223.83:443 Syn
 72.14.223.83:443->192.168.206.200:63423 Syn Ack
 192.168.206.200:63423->72.14.223.83:443 Ack

Also, this happens with heavy load only. In normal conditions destination
port of reverse tuple doesn't change.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: Does Redirect/NAT change the destination port of reverse tuple ?
  2008-02-29 12:00   ` Nishit Shah
@ 2008-02-29 12:04     ` Jan Engelhardt
  2008-02-29 12:13       ` Nishit Shah
  0 siblings, 1 reply; 8+ messages in thread
From: Jan Engelhardt @ 2008-02-29 12:04 UTC (permalink / raw)
  To: Nishit Shah; +Cc: netfilter-devel


On Feb 29 2008 17:30, Nishit Shah wrote:
>>>Now here original and reverse tuples are --> 
>>>	Original tuple 192.168.206.200:63423->72.14.223.83:443
>>>	Reply tuple    192.168.121.125:3128->192.168.206.200:46873
>>>
>>>So, here destination port of reverse tuple is 46873. Is it correct ?
>>
>>You could compare with the output of tcpdump to capture the
>>actual on-wire situation especially regarding port 46873.
>
>In tcpdump output I am seeing packets only with port 63423. No packets with
>port 46873. Something like
>
> 192.168.206.200:63423->72.14.223.83:443 Syn
> 72.14.223.83:443->192.168.206.200:63423 Syn Ack
> 192.168.206.200:63423->72.14.223.83:443 Ack
>
>Also, this happens with heavy load only. In normal conditions destination
>port of reverse tuple doesn't change.

Then, also check the output of `lsof -Pn` and see if it has
46873.

squid     5770 squid     20u     IPv4      30336                 TCP
192.168.206.200:46873->a.b.c.d:3128 (ESTABLISHED)

^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: Does Redirect/NAT change the destination port of reverse tuple ?
  2008-02-29 12:04     ` Jan Engelhardt
@ 2008-02-29 12:13       ` Nishit Shah
  0 siblings, 0 replies; 8+ messages in thread
From: Nishit Shah @ 2008-02-29 12:13 UTC (permalink / raw)
  To: 'Jan Engelhardt'; +Cc: netfilter-devel



-----Original Message-----
From: Jan Engelhardt [mailto:jengelh@computergmbh.de] 
Sent: Friday, February 29, 2008 5:34 PM
To: Nishit Shah
Cc: netfilter-devel@vger.kernel.org
Subject: RE: Does Redirect/NAT change the destination port of reverse tuple
?


On Feb 29 2008 17:30, Nishit Shah wrote:
>>>Now here original and reverse tuples are --> 
>>>	Original tuple 192.168.206.200:63423->72.14.223.83:443
>>>	Reply tuple    192.168.121.125:3128->192.168.206.200:46873
>>>
>>>So, here destination port of reverse tuple is 46873. Is it correct ?
>>
>>You could compare with the output of tcpdump to capture the
>>actual on-wire situation especially regarding port 46873.
>
>In tcpdump output I am seeing packets only with port 63423. No packets with
>port 46873. Something like
>
> 192.168.206.200:63423->72.14.223.83:443 Syn
> 72.14.223.83:443->192.168.206.200:63423 Syn Ack
> 192.168.206.200:63423->72.14.223.83:443 Ack
>
>Also, this happens with heavy load only. In normal conditions destination
>port of reverse tuple doesn't change.

Then, also check the output of `lsof -Pn` and see if it has
46873.

squid     5770 squid     20u     IPv4      30336                 TCP
192.168.206.200:46873->a.b.c.d:3128 (ESTABLISHED)

Yes, It is like you have mentioned. Even In squid I am getting source port
as 46873.
I am putting my load pattern here may be that can help

Client IP - 192.168.206.200 and I am sending random https requests with
incrementing source port every time starting from 1025 to 65535....
 


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Does Redirect/NAT change the destination port of reverse tuple ?
  2008-02-29 10:49 Does Redirect/NAT change the destination port of reverse tuple ? Nishit Shah
  2008-02-29 11:29 ` Jan Engelhardt
@ 2008-02-29 11:52 ` Pascal Hambourg
  2008-02-29 12:34   ` Nishit Shah
  1 sibling, 1 reply; 8+ messages in thread
From: Pascal Hambourg @ 2008-02-29 11:52 UTC (permalink / raw)
  To: netfilter-devel

Hello,

Nishit Shah a écrit :
> 	I have following iptable rule in system.
> 
> 	iptables -I PREROUTING -t nat -p tcp --dport 443 -j REDIRECT
> --to-ports 3128
> 	kernel - 2.6.16.13
> 
> 	I am using following scenario for load testing
> 
> 	192.168.206.200 -----> 192.168.121.125 	-----> 	72.14.223.83
> 	Client			iptables/proxy server		server
> 
> 	and I am getting following entry through conntrack binay as well as
> in /proc/net/ip_conntrack
> 
> 	[NEW] tcp 6 120 NONE src=192.168.206.200 dst=72.14.223.83
> sport=63423 dport=443 packets=1 bytes=48 [UNREPLIED] src=192.168.121.125
> dst=192.168.206.200 sport=3128 dport=46873 packets=0 bytes=0 id=28187887
> 
> Now here original and reverse tuples are --> 
> 	Original tuple 192.168.206.200:63423->72.14.223.83:443
> 	Reply tuple    192.168.121.125:3128->192.168.206.200:46873
> 
> So, here destination port of reverse tuple is 46873. Is it correct ?

Yes. NAT may implicitly change the original source port in order to 
avoid a clash with an existing connection. However the original port 
will be restored in reply packets before they leave the box, so the 
client won't see anything. Remember that the tuples in ip_conntrack 
contain the addresses and ports when packets enter the PREROUTING or 
OUTPUT chains, not when they leave the POSTROUTING or INPUT chains.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: Does Redirect/NAT change the destination port of reverse tuple ?
  2008-02-29 11:52 ` Pascal Hambourg
@ 2008-02-29 12:34   ` Nishit Shah
  2008-03-01 12:22     ` Pascal Hambourg
  0 siblings, 1 reply; 8+ messages in thread
From: Nishit Shah @ 2008-02-29 12:34 UTC (permalink / raw)
  To: 'Pascal Hambourg', netfilter-devel



-----Original Message-----
From: netfilter-devel-owner@vger.kernel.org
[mailto:netfilter-devel-owner@vger.kernel.org] On Behalf Of Pascal Hambourg
Sent: Friday, February 29, 2008 5:22 PM
To: netfilter-devel@vger.kernel.org
Subject: Re: Does Redirect/NAT change the destination port of reverse tuple
?

> 	[NEW] tcp 6 120 NONE src=192.168.206.200 dst=72.14.223.83
> sport=63423 dport=443 packets=1 bytes=48 [UNREPLIED] src=192.168.121.125
> dst=192.168.206.200 sport=3128 dport=46873 packets=0 bytes=0 id=28187887
> 
> Now here original and reverse tuples are --> 
> 	Original tuple 192.168.206.200:63423->72.14.223.83:443
> 	Reply tuple    192.168.121.125:3128->192.168.206.200:46873
> 
> So, here destination port of reverse tuple is 46873. Is it correct ?

Yes. NAT may implicitly change the original source port in order to 
avoid a clash with an existing connection. However the original port 
will be restored in reply packets before they leave the box, so the 
client won't see anything. Remember that the tuples in ip_conntrack 
contain the addresses and ports when packets enter the PREROUTING or 
OUTPUT chains, not when they leave the POSTROUTING or INPUT chains.

Hmm... So if I need original source IP and port in proxy (like
SO_ORIGINAL_DST, something SO_ORIGINAL_SRC) I should trust conntrack not the
socket info, correct ?



--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Does Redirect/NAT change the destination port of reverse tuple ?
  2008-02-29 12:34   ` Nishit Shah
@ 2008-03-01 12:22     ` Pascal Hambourg
  0 siblings, 0 replies; 8+ messages in thread
From: Pascal Hambourg @ 2008-03-01 12:22 UTC (permalink / raw)
  To: Nishit Shah; +Cc: netfilter-devel

Nishit Shah a écrit :
> 
>> NAT may implicitly change the original source port in order to 
>> avoid a clash with an existing connection.
> 
> Hmm... So if I need original source IP and port in proxy (like
> SO_ORIGINAL_DST, something SO_ORIGINAL_SRC) I should trust conntrack not the
> socket info, correct ?

I guess so, unless it exists some option similar to SO_ORIGINAL_DST, 
which is IMHO a ugly hack.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2008-03-01 12:24 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-02-29 10:49 Does Redirect/NAT change the destination port of reverse tuple ? Nishit Shah
2008-02-29 11:29 ` Jan Engelhardt
2008-02-29 12:00   ` Nishit Shah
2008-02-29 12:04     ` Jan Engelhardt
2008-02-29 12:13       ` Nishit Shah
2008-02-29 11:52 ` Pascal Hambourg
2008-02-29 12:34   ` Nishit Shah
2008-03-01 12:22     ` Pascal Hambourg

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.