* asymmetrical routing, iptables problem.
From: Bob Keyes @ 2002-10-03 2:15 UTC (permalink / raw)
To: netfilter
Hello All,
due to some unfortunate issues in dealing with Network Solutions, I have a
machine that cannot have its address changed, though it has moved. While I
am trying to rectify this, I am attempting to use iptables to redirect
that traffic to the machine's new home.
Routers on both sides are linux. Router 'A' is on the old network,
designated here as 1.1.1.1, and the computer 'B' is on 2.2.2.2, the new
network. The new network has the ability to send out packets with any
source address, i.e. the ISP does not do IP source filtering. Also, I only
need to have http functioning here, but I need to have it working on both
addresses on the A and B networks. Apache is listening on port 8000 as
well as 80.
on A:
# iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp --destination-port 80 \
-j DNAT --to-destination 2.2.2.2:8000
Redirects packets destined for 1.1.1.1 port 80 to 2.2.2.2 port 8000. This
is a way to 'tag' the packets (I opted against using any TCP options, as
routers/firewalls along the way may play with said options).
on B:
# iptables -t nat -A POSTROUTING -s 2.2.2.2 -p tcp --source-port 8000 -j \
SNAT --to-source 1.1.1.1:80
This translates the source back to its proper address for the right
packets and sends it out.
The problem is, the latter half of this doesn't work. What I really want
is SNAT in OUTPUT, as I believe that POSTROUTING won't touch packets that
originate on the local machine. Of course I could stick another linux
system in between the web server B and the T1 router, but I'd rather not
waste the space/electricity/time.
Any bright ideas?
* Re: asymmetrical routing, iptables problem.
From: Cedric Blancher @ 2002-10-03 6:46 UTC (permalink / raw)
To: Bob Keyes; +Cc: netfilter
On Thu 03/10/2002 at 04:15, Bob Keyes wrote:
> on A:
> # iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp --destination-port 80 \
> -j DNAT --to-destination 2.2.2.2:8000
> Redirects packets destined for 1.1.1.1 port 80 to 2.2.2.2 port 8000. This
> is a way to 'tag' the packets (I opted against using any TCP options, as
> routers/firewalls along the way may play with said options).
> on B:
> # iptables -t nat -A POSTROUTING -s 2.2.2.2 -p tcp --source-port 8000 -j \
> SNAT --to-source 1.1.1.1:80
> This translates the source back to its proper address for the right
> packets and sends it out.
You really should use a GRE tunnel between your two routers and route
your 1.1.1.1 IP directly through it. I use it quite often when migrating
hosts from one location to another (physically or logically) without
having to change IP addresses.
See Linux Advanced Routing and Traffic Control HOWTO (http://lartc.org/)
for GRE set up.
Note that you can also use packet MARK to identify packets using the
mangle table, which saves you from altering layer 4 stuff. You can also use
this MARK to route packets using iproute (see LARTC).
> The problem is, the latter half of this doesn't work. What I really want
> is SNAT in OUTPUT, as I believe that POSTROUTING won't touch packets that
> originate on the local machine.
SNAT on POSTROUTING will also affect locally originated packets as they
get through this chain.
> Of course I could stick another linux
> system inbetween the web server B and the T1 router, but I'd rather not
> waste the space/electricity/time.
--
Cédric Blancher
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: asymmetrical routing, iptables problem.
From: Bob Keyes @ 2002-10-03 17:36 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
On 3 Oct 2002, Cedric Blancher wrote:
> You really should use a GRE tunnel between your two routers and route
> your 1.1.1.1 IP directly through it. I use it quite often when migrating
> hosts from one location to another (physically or logically) without
> having to change IP addresses.
What I want here is a half-tunnel, of a sort. GRE tunnels do not do
this, as far as I can tell.
>
> Note that you can also use packet MARK packets to identify them using
> mangle table which prevents you to alter layer 4 stuff. You can also use
> this MARK to route packets using iproute (see LARTC).
>
> > The problem is, the latter half of this doesn't work. What I really want
> > is SNAT in OUTPUT, as I believe that POSTROUTING won't touch packets that
> > originate on the local machine.
>
> SNAT on POSTROUTING will also affect locally originated packets as they
> get through this chain.
OK, this is good to know, there is something else going wrong than I had
thought.
* Re: asymmetrical routing, iptables problem.
From: Andreas Wolff @ 2002-10-04 6:49 UTC (permalink / raw)
To: netfilter
> on A:
>
> # iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp --destination-port 80 \
> -j DNAT --to-destination 2.2.2.2:8000
>
> Redirects packets destined for 1.1.1.1 port 80 to 2.2.2.2 port 8000. This
> is a way to 'tag' the packets (I opted against using any TCP options, as
> routers/firewalls along the way may play with said options).
>
> on B:
>
> # iptables -t nat -A POSTROUTING -s 2.2.2.2 -p tcp --source-port 8000 -j \
> SNAT --to-source 1.1.1.1:80
>
I don't understand this rule. Do you really need this? The NATing of the
packets going back is done on A. Doesn't this rule break the NATing of
packets going back to A, as they do not have the source address and port
expected by A (2.2.2.2 and port 8000)?
Regards,
Andreas
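The whole exchange in one runnable model (added example, not code from the thread or from any of its authors): Bob's DNAT on router A and SNAT on server B, Cedric's point that the locally generated reply still passes nat POSTROUTING on B, and Andreas's question about what happens if the reply is routed back through A. The client 3.3.3.3:40000 is constructed, and a reply reaching A that matches no tracked connection is modelled as dropped (an assumption; real conntrack behaviour depends on its TCP settings).

```python
from collections import namedtuple

# A packet is just its 4-tuple; addresses 1.1.1.1 / 2.2.2.2 are the thread's.
Packet = namedtuple("Packet", "src sport dst dport")


class RouterA:
    """nat PREROUTING: DNAT 1.1.1.1:80 -> 2.2.2.2:8000, with a conntrack-style
    table keyed by client so a reply that comes back through A is un-NATed."""
    def __init__(self):
        self.conntrack = {}  # (client, cport) -> expected reply source

    def prerouting(self, p):
        if (p.dst, p.dport) == ("1.1.1.1", 80):
            self.conntrack[(p.src, p.sport)] = ("2.2.2.2", 8000)
            return Packet(p.src, p.sport, "2.2.2.2", 8000)
        return p

    def reply_path(self, p):
        """Only used when the reply is routed back through A (symmetric case)."""
        expected = self.conntrack.get((p.dst, p.dport))
        if expected is None:
            return p                                      # untracked, untouched
        if expected == (p.src, p.sport):
            return Packet("1.1.1.1", 80, p.dst, p.dport)  # conntrack reverses the DNAT
        return None  # assumption: tuple matches no tracked connection, dropped


class ServerB:
    """Apache answers from 2.2.2.2:8000; the locally generated reply still
    traverses nat POSTROUTING, where Bob's SNAT rule rewrites it."""
    def __init__(self, snat_rule=True):
        self.snat_rule = snat_rule

    def reply(self, p):
        out = Packet(p.dst, p.dport, p.src, p.sport)
        if self.snat_rule and (out.src, out.sport) == ("2.2.2.2", 8000):
            out = Packet("1.1.1.1", 80, out.dst, out.dport)
        return out


def client_accepts(req, reply):
    """The client's TCP stack only accepts a reply whose 4-tuple mirrors the request."""
    return reply is not None and (reply.src, reply.sport, reply.dst, reply.dport) == (
        req.dst, req.dport, req.src, req.sport)


def run(snat_on_b=True, reply_via_a=False):
    """Constructed client 3.3.3.3:40000 fetches http://1.1.1.1/ through router A."""
    a, b = RouterA(), ServerB(snat_on_b)
    req = Packet("3.3.3.3", 40000, "1.1.1.1", 80)
    reply = b.reply(a.prerouting(req))
    if reply_via_a:
        reply = a.reply_path(reply)
    return client_accepts(req, reply)
```

With the reply leaving B directly (Bob's asymmetric path) the SNAT rule on B is what makes the client accept the answer; with the reply routed back through A, A's own conntrack un-NATs it and B's rule instead produces a packet A has no connection for, which is Andreas's objection.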