* DNAT forwarding problems
@ 2004-08-04 22:44 Adam Majer
  2004-08-05 12:32 ` raido
  0 siblings, 1 reply; 4+ messages in thread
From: Adam Majer @ 2004-08-04 22:44 UTC (permalink / raw)
  To: netfilter

Hi all,

I'm not subscribed to the list so please cc me any replies. Thank you.

I seem to have a major problem with DNAT. The setup is as follows,

external IP addresses: [A], [B]
internal IP address: [C] - not the NAT box

I want all udp port 53 traffic from [A]->[C] and from [B]->[C]. So I set
up the following rules

iptables -t nat -N dns-forward
iptables -t nat -A dns-forward -p udp --dport 53 -j DNAT --to-dest [C]
iptables -t nat -A PREROUTING -i A_interface -j dns-forward
iptables -t nat -A PREROUTING -i B_interface -j dns-forward

and in the packet table I set up forwarding as

iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -N dns
iptables -A dns -d [C] -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -j dns


When a packet comes over interface [A], (also the default route), it
hits the PREROUTING chain, gets forwarded to [C] and then goes through
FORWARD and gets to the DNS server.

When the packet comes over interface [B], it also gets to the PREROUTING
chain, but it never gets to the FORWARD chain and thus never even gets
to [C]. It just disappears into thin air. My routing seems correct...

The routing is set up with the iproute2 tool. There are rule tables that
specify correct paths for packets from interface_A and interface_B to
all other interfaces and proper default routes (so that packets from B
go back through B). The only difference is that [A] is also the default
route in the default rule table. I can get from internal network D to C
as it does not go through DNAT.

Any ideas? Can someone reproduce this problem?

- Adam

PS. kernel 2.6.7, iptables 1.2.9

-- 
Building your applications one byte at a time
http://www.galacticasoftware.com





* Re: DNAT forwarding problems
  2004-08-04 22:44 DNAT forwarding problems Adam Majer
@ 2004-08-05 12:32 ` raido
  2004-08-05 16:55   ` Adam Majer
  0 siblings, 1 reply; 4+ messages in thread
From: raido @ 2004-08-05 12:32 UTC (permalink / raw)
  To: netfilter; +Cc: Adam Majer

Hi!
> external IP addresses: [A], [B]
> internal IP address: [C] - not the NAT box
>
> I want all udp port 53 traffic from [A]->[C] and from [B]->[C]. So I set
> up the following rules
>
> When the packet comes over interface [B], it also gets to the PREROUTING
> chain, but it never gets to the FORWARD chain and thus never even gets
> to [C]. It just disappears into thin air. My routing seems correct...

> PS. kernel 2.6.7, iptables 1.2.9
I wrote a few days ago, in this list, about my problem, which seems to be alike. I
have the same configuration and I need to DNAT all traffic from [A] to [C] and
packets also disappear in PREROUTING chain. I have also 2.6.7 kernel and
iptables 1.2.9. Next I plan to upgrade to iptables 1.2.10. If this does not
help, maybe it is time to make a bug report?


Raido



* Re: DNAT forwarding problems
  2004-08-05 12:32 ` raido
@ 2004-08-05 16:55   ` Adam Majer
  2004-08-09  2:45     ` raido
  0 siblings, 1 reply; 4+ messages in thread
From: Adam Majer @ 2004-08-05 16:55 UTC (permalink / raw)
  To: raido; +Cc: netfilter

raido wrote:

>Hi!
>
>>external IP addresses: [A], [B]
>>internal IP address: [C] - not the NAT box
>>
>>I want all udp port 53 traffic from [A]->[C] and from [B]->[C]. So I set
>>up the following rules
>>
>>When the packet comes over interface [B], it also gets to the PREROUTING
>>chain, but it never gets to the FORWARD chain and thus never even gets
>>to [C]. It just disappears into thin air. My routing seems correct...
>>
>>PS. kernel 2.6.7, iptables 1.2.9
>>
>I wrote a few days ago, in this list, about my problem, which seems to be alike. I
>have the same configuration and I need to DNAT all traffic from [A] to [C] and
>packets also disappear in PREROUTING chain. I have also 2.6.7 kernel and
>iptables 1.2.9. Next I plan to upgrade to iptables 1.2.10. If this does not
>help, maybe it is time to make a bug report?
>

Upgrading iptables to 1.2.11 did not help.

The problem appears to be that the rp_filter ate the packets. It thought
that these packets were rogue packets. Anyway, when I disabled
rp_filter, the packets started flowing, but then there was the problem
of reply packets being sent out from a wrong interface. That is,

(IN)  [B] -> [C]
(OUT) [C] -> [A] instead of [B].

To solve this, set up two IP addresses at the [C] machine (C and C').
Packets from one interface went to [C] and packets from the other
interface ([B]) went to C'. To re-enable rp_filter and not to lose
packets, I had to set up a routing rule for packets coming *from* the C'
interface. I think the kernel will look at the routing and say "Hey, you
want to route B->C', but there is no rule for C' to get back to B" and
it just discards packets before they get to the FORWARD chain. So I added

ip rule add from C' table second_interface_routing_table

where the second interface routing table has the default route [B], not [A].

Now *everything* works. Only took me about 20 hours to figure that out!!
:) Anyway, I guess one cannot route [A]->[C] and [B]->[C] directly. The
kernel does not keep track by itself where the reply should be sent in
that configuration, unless someone could tell me how that could work.

- Adam

PS. There was also a problem at C with packets. Packets routed to C'
were replied as though they came from C. The solution is to have two
daemons, one bound to C and another to C'. If the daemon was bound to
0.0.0.0, it replied with the default address (kernel 2.4.27-rc3).

PPS. Not on the list, so please CC me.

-- 
Building your applications one byte at a time
http://www.galacticasoftware.com
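The two-address scheme from the message above (C reached via [A], C' reached via [B], plus an `ip rule` for traffic sourced from C'), combined with the DNAT and FORWARD rules from the first message, written out as one script. This is an added example, not code from the thread: interface names, gateway and server addresses and the table numbers 100/101 are placeholders. By default it only prints the commands it would run; `APPLY=1` executes them (as root), and the `check` argument prints the rp_filter and log_martians state per interface.

```shell
#!/bin/sh
# Added example (not from the thread): emit the nat, filter and policy-routing
# commands for a box with two upstreams (A, B) that DNATs inbound DNS to an
# internal server. Per the thread: a second address on the server (C') takes
# traffic that arrived via B, and an "ip rule" makes anything sourced from C'
# use B's routing table, so rp_filter can stay on and replies leave via B.
# All interface names, addresses and table numbers are assumed placeholders.
set -eu

A_IF=${A_IF:-eth0}; A_GW=${A_GW:-192.0.2.1}         # upstream A, also the main-table default
B_IF=${B_IF:-eth1}; B_GW=${B_GW:-198.51.100.1}      # upstream B
LAN_IF=${LAN_IF:-eth2}; LAN_NET=${LAN_NET:-192.168.1.0/24}
C_IP=${C_IP:-192.168.1.53}      # DNS server address for traffic that came in via A
C2_IP=${C2_IP:-192.168.1.54}    # second address on the same server (C'), for traffic via B
TABLE_A=100; TABLE_B=101        # numeric tables need no /etc/iproute2/rt_tables entries

# Dry run by default: print each command. APPLY=1 runs it instead.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

nat_rules() {
    # One chain per upstream so each DNATs to the address whose "ip rule"
    # below sends replies back out through that same upstream.
    run iptables -t nat -N dns-forward-a
    run iptables -t nat -A dns-forward-a -p udp --dport 53 -j DNAT --to-destination "$C_IP"
    run iptables -t nat -N dns-forward-b
    run iptables -t nat -A dns-forward-b -p udp --dport 53 -j DNAT --to-destination "$C2_IP"
    run iptables -t nat -A PREROUTING -i "$A_IF" -j dns-forward-a
    run iptables -t nat -A PREROUTING -i "$B_IF" -j dns-forward-b
}

filter_rules() {
    # Same shape as the original ruleset: default DROP, let tracked replies
    # through, then allow only UDP/53 to the two DNS addresses.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -N dns
    run iptables -A dns -d "$C_IP" -p udp --dport 53 -j ACCEPT
    run iptables -A dns -d "$C2_IP" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -j dns
}

policy_routes() {
    # Per-upstream tables: each knows the LAN and has its own default gateway.
    for t in "$TABLE_A" "$TABLE_B"; do
        run ip route add "$LAN_NET" dev "$LAN_IF" table "$t"
    done
    run ip route add default via "$A_GW" dev "$A_IF" table "$TABLE_A"
    run ip route add default via "$B_GW" dev "$B_IF" table "$TABLE_B"
    # Source-based rules. The C' rule is the fix the thread ends on: the
    # reverse-path lookup for a packet that arrived via B with DNAT'd
    # destination C' now resolves in B's table, so rp_filter accepts it, and
    # the server's replies sourced from C' are routed out via B as well.
    run ip rule add from "$C_IP" table "$TABLE_A"
    run ip rule add from "$C2_IP" table "$TABLE_B"
}

show_rp_filter() {
    # rp_filter drops packets whose source would be routed back out another
    # interface; with log_martians=1 those drops show up in the kernel log
    # instead of vanishing silently.
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        printf '%s rp_filter=%s log_martians=%s\n' \
            "$(basename "$(dirname "$f")")" "$(cat "$f")" "$(cat "${f%rp_filter}log_martians")"
    done
}

case "${1:-rules}" in
    check) show_rp_filter ;;
    *) nat_rules; filter_rules; policy_routes ;;
esac
```

Two things the script cannot do for you, both noted in the thread: the DNS daemon on the server has to be bound separately to C and C' (a socket on 0.0.0.0 answers from the primary address, so replies to C' queries would carry the wrong source), and the box must already have its own addresses and the LAN route in the main table. Running `sh script.sh check` before and after is the quick way to confirm rp_filter is still enabled rather than silently switched off as a workaround.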





* Re: DNAT forwarding problems
  2004-08-05 16:55   ` Adam Majer
@ 2004-08-09  2:45     ` raido
  0 siblings, 0 replies; 4+ messages in thread
From: raido @ 2004-08-09  2:45 UTC (permalink / raw)
  To: netfilter; +Cc: Adam Majer

> The problem appears to be that the rp_filter ate the packets. It thought
> that these packets were rogue packets. Anyway, when I disabled
> rp_filter, the packets started flowing, but then there was the problem
> of reply packets being sent out from a wrong interface.

It seems our configurations go apart here. I don't have IP addresses bound to
the box, so I don't have rp_filter either. Turning off rp_filter for "all"
didn't change a thing.
Thanks anyway, and great you got your configuration to work.

Raido


