* -j SNAT
From: Denis @ 2006-11-28 17:20 UTC
To: netfilter
Good afternoon everybody.
I'm having a problem with SNAT and want to know if somebody here can help me.
The issue is as follows:
I have a load-balanced proxy, and when my users try to access banks'
sites over SSL (port 443) and the connection is balanced across the two
proxy nodes, the bank site notices that the source IP changes and the
user is disconnected.
To solve this problem I thought of doing a SNAT on my two nodes as follows:
Node 1 (IP 202.188.94.66)
iptables -t nat -A POSTROUTING -p tcp -o eth1 --dport 443 -j SNAT
--to-source 202.188.94.68:6001-7000
and on Node 2 (IP 202.188.94.67)
iptables -t nat -A POSTROUTING -p tcp -o eth1 --dport 443 -j SNAT
--to-source 202.188.94.68:7001-8000
So the connection arrives at the destination translated as it should be,
but the connection doesn't get established.
It is as if the destination machine can't return the packets.
Does anybody have any idea how to help me?
* Re: -j SNAT
From: Danny @ 2006-11-29 6:03 UTC
To: Denis, netfilter
Hey!
It's better you don't disclose the IP of your server, and that the site is
of a bank!
I think you are better off disconnecting the user if the client's IP has
changed! Or have I understood you wrong?
How have you load balanced?
Hmm ... NATing incoming requests would not help you in the future when digging
out access logs and tracking HTTP requests!
You should be using LVS with Direct Routing! [with arptables] +
ldirectord [long-term solution]
- Danny
* Re: -j SNAT
From: Denis @ 2006-11-29 13:25 UTC
To: Danny, netfilter
2006/11/29, Danny <dineshg@hostway.com>:
> Hey!
Hey Danny!!!
> It's better you don't disclose the IP of your server, and that the site is
> of a bank!
Well, these IPs aren't my real IPs, but they're like them.
> I think you are better off disconnecting the user if the client's IP has
> changed! Or have I understood you wrong?
> How have you load balanced?
I'm load balancing using LVS + ldirectord + Heartbeat on two servers.
The problem is that when a user tries to access an SSL site such as a bank,
the user's connection arrives at the bank site as coming from the two proxy
nodes, with two different IPs, so the bank disconnects the clients...
The problem is that when a user is going to connect to an SSL server on
the other side, just one IP from my network has to appear, even though the
connection is being balanced.
(Oh God! My English is horrible!!!!!)
> Hmm ... NATing incoming requests would not help you in the future when digging
> out access logs and tracking HTTP requests!
I want to NAT outgoing requests...
> You should be using LVS with Direct Routing! [with arptables] +
> ldirectord [long-term solution]
Exactly: using LVS, ldirectord, Heartbeat.
* Re: -j SNAT
From: Danny @ 2006-11-29 14:07 UTC
To: Denis, netfilter
Hmm, well, if you are using LVS, the client should not get the real
server's IP. He should get only the virtual server's IP.
In both the DR and masquerading techniques, the client will be getting the
response from the virtual server's IP.
Are you sure this is the problem? Have you tried running tcpdump?
- Danny
* Re: -j SNAT
From: Denis @ 2006-11-30 10:05 UTC
To: netfilter
OK Danny, but the problem is occurring on the other side of the connection,
from the proxy to SSL sites on the internet, because one single connection
arrives from two IPs (the nodes' valid IPs).
                 ------------------------------
                 |          bank site         |
                 ------------------------------
                   |200.x.x.x2       |200.x.x.x1
                 ---------         ---------
                 | node1 |         | Node2 |
                 ---------         ---------
                   |172.16.x.x       |172.16.x.x
                           clients
From the proxies to my clients it's all OK!
2006/11/30, Danny <dineshg@hostway.com>:
> Hi Denis!
>
> Yes! Indeed I agree that the requests are replied to by the real server
> directly.
> If you do a tcpdump on any of the real servers, you would see that the
> response would be from the fake IP [which is a virtual IP].
>
> - Danny
>
> Denis wrote:
> > Hey Danny!
> >
> > My LVS topology is like this:
> >
> > http://www.ultramonkey.org/3/topologies/sl-ha-lb-eg.html, using
> > "direct routing"
> >
> > Direct Routing: Packets from end users are forwarded directly to the
> > real server. The IP packet is not modified, so the real servers must
> > be configured to accept traffic for the virtual server's IP address.
> > This can be done using a dummy interface, or packet filtering to
> > redirect traffic addressed to the virtual server's IP address to a
> > local port. The real server may send replies directly back to the end
> > user. That is if a host based layer 4 switch is used, it may not be in
> > the return path.
> >
> > So, my clients work by connecting to the virtual server IP.
> >
> > The problem occurs when my servers go to get the information across the
> > internet.
* Re: -j SNAT
From: R. DuFresne @ 2006-12-06 21:30 UTC
To: Denis; Cc: netfilter
Why not fix the proxy? Make it sticky for connections, such that once
they go out a particular IP side they stay there for the session.
Seems a much more direct and most likely easier solution than trying to
hack in an iptables work-around.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
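Added example, not code from the thread or from netfilter: a small Python model of the return path for the two-node SNAT rules Denis posted, and of the sticky-proxy alternative Ron DuFresne suggests. It models just two facts about netfilter NAT: the conntrack entry that undoes a SNAT lives only on the node that translated the outgoing SYN, and the bank's SYN-ACK is delivered to whichever host actually answers for the translated source address. The node addresses are the ones in the post (which Denis says are not his real ones); the bank address, the client address and the client ports are constructed for the example. It is a model, not a substitute for tcpdump on the nodes.

```python
"""Toy model of the two-node SNAT setup discussed in the thread.

Added example, not code from the thread. Node addresses are the ones Denis
posted (not his real ones, he says); BANK and CLIENT are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set, Tuple

BANK = "200.0.0.1"       # constructed stand-in for the bank site
CLIENT = "172.16.0.10"   # constructed client behind the proxies


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Node:
    """One proxy node running the posted rule:
    iptables -t nat -A POSTROUTING -p tcp -o eth1 --dport 443 -j SNAT --to-source <snat_ip>:<lo>-<hi>"""
    name: str
    own_ip: str
    snat_ip: str
    port_range: Tuple[int, int]
    bound_ips: Set[str] = field(default_factory=set)
    # (translated src, translated sport) -> (original src, original sport)
    conntrack: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    _ports: Optional[Iterator[int]] = field(default=None, init=False, repr=False)

    def __post_init__(self) -> None:
        self.bound_ips.add(self.own_ip)  # a host always answers for its own address
        self._ports = iter(range(self.port_range[0], self.port_range[1] + 1))

    def snat(self, pkt: Packet) -> Packet:
        """POSTROUTING: rewrite the source of a port-443 packet and remember the mapping."""
        if pkt.dport != 443:
            return pkt
        port = next(self._ports)
        self.conntrack[(self.snat_ip, port)] = (pkt.src, pkt.sport)
        return Packet(self.snat_ip, port, pkt.dst, pkt.dport)

    def receive_reply(self, pkt: Packet) -> Optional[Packet]:
        """Reverse translation of an incoming reply, or None when this node never
        saw the outgoing SYN and so has no conntrack entry to undo the SNAT with."""
        orig = self.conntrack.get((pkt.dst, pkt.dport))
        return None if orig is None else Packet(pkt.src, pkt.sport, orig[0], orig[1])


def owner_of(nodes: List[Node], ip: str) -> Optional[Node]:
    """The host that receives packets addressed to `ip` (the one answering ARP for it)."""
    return next((n for n in nodes if ip in n.bound_ips), None)


def round_trip(nodes: List[Node], egress: Node, pkt: Packet) -> Tuple[str, bool]:
    """Send pkt out via `egress`; return (source IP the bank saw, did the reply reach the client)."""
    out = egress.snat(pkt)
    reply = Packet(out.dst, out.dport, out.src, out.sport)  # the bank's SYN-ACK
    owner = owner_of(nodes, reply.dst)
    if owner is None:
        return out.src, False  # nobody owns the translated address: the SYN-ACK is lost
    back = owner.receive_reply(reply)
    return out.src, back is not None and back.dst == pkt.src


def two_nodes(shared_snat: bool) -> List[Node]:
    """The posted setup (both SNAT to .68) or the variant where each node SNATs to its own IP."""
    n1 = Node("node1", "202.188.94.66", "202.188.94.68" if shared_snat else "202.188.94.66", (6001, 7000))
    n2 = Node("node2", "202.188.94.67", "202.188.94.68" if shared_snat else "202.188.94.67", (7001, 8000))
    return [n1, n2]


def scenario_shared_unbound() -> List[Tuple[str, bool]]:
    """As posted: both nodes SNAT to .68, which is configured on neither."""
    nodes = two_nodes(shared_snat=True)
    return [round_trip(nodes, n, Packet(CLIENT, 40000, BANK, 443)) for n in nodes]


def scenario_shared_bound_on_one() -> List[Tuple[str, bool]]:
    """.68 configured as an alias on node1 only: node1's flows work, node2's
    replies land on node1, which has no conntrack entry for them."""
    nodes = two_nodes(shared_snat=True)
    nodes[0].bound_ips.add("202.188.94.68")
    return [round_trip(nodes, n, Packet(CLIENT, 40000, BANK, 443)) for n in nodes]


def scenario_own_ips(sticky: bool) -> Tuple[bool, int]:
    """Each node SNATs to its own address, so replies always come back. Round-robin
    balancing shows the bank two source IPs within one client session (Denis's
    complaint); pinning the client to one node (DuFresne's suggestion) shows it one."""
    nodes = two_nodes(shared_snat=False)
    pin = nodes[int(CLIENT.rsplit(".", 1)[1]) % len(nodes)]  # same client -> same node
    results = [round_trip(nodes, pin if sticky else nodes[i % len(nodes)],
                          Packet(CLIENT, 40000 + i, BANK, 443)) for i in range(2)]
    return all(ok for _, ok in results), len({src for src, _ in results})
```

Running the four scenarios shows the two halves of the problem separately: with .68 bound on neither node no reply is ever delivered, and with .68 bound on one node only the flows that node translated itself come back, because the other node's conntrack table is the only place its mappings exist. Giving each node its own SNAT address makes every flow work but reproduces the "source IP changed" complaint under round-robin balancing; pinning a client to one node for the session is what keeps a single source IP, which is the direction DuFresne's reply points in.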