From: Dmitry Melekhov <dm@belkam.com>
To: Pascal Hambourg <pascal@plouf.fr.eu.org>
Cc: netfilter@vger.kernel.org
Subject: Re: connmark and nat
Date: Thu, 02 Apr 2015 08:22:19 +0400
Message-ID: <551CC3FB.2070903@belkam.com>
In-Reply-To: <551C6A12.6020404@plouf.fr.eu.org>

02.04.2015 01:58, Pascal Hambourg wrote:
> Dmitry Melekhov wrote:
>> I'm trying to do DNAT/SNAT on the same host with connmark and can't get
>> it working.
>>
>> My host has static ip 192.168.22.252 and it can get address
>> 192.168.22.99 from VRRP, so bind doesn't listen on 192.168.22.99,
> Why not ?

because there is no such address on the interface; it becomes available only 
when the VRRP state changes to master :-)

>> but if host got this address it has to answer on it the same as on
>> 192.168.22.252.
>>
>> So , if traffic goes to 192.168.22.99 port 53 udp, I need to redirect it
>> to 192.168.22.252:53,
> Not if you can have BIND to listen on 192.168.22.99 when your host gets
> the address.

Yes, really, I can, but I'd like to solve this by using iptables, just 
for fun, you know ;-)

>> and if it was to 192.168.22.99 host need to reply from this address.
> This is automatic with stateful destination NAT (DNAT).

Really not: bind uses UDP, so it will reply from 192.168.22.252, i.e. 
from the address it listens on.
>
>> DNAT part works:
>>
>> #mark
>> iptables -t mangle -A PREROUTING -d 192.168.22.99 -p udp --dport 53 \
>>     -j CONNMARK --set-mark 0x100
>>
>> #restore mark inside connection
>> iptables -t mangle -A PREROUTING -d 192.168.22.99 -p udp --dport 53 \
>>     -j CONNMARK --restore-mark
>>
>> #do NAT
>> iptables -t nat -A PREROUTING -m mark --mark 0x100 \
>>     -j DNAT --to-destination 192.168.22.252
> What a complicated setup. Why not just this :
>
> iptables -t nat -A PREROUTING -d 192.168.22.99 -p udp --dport 53 \
>    -j DNAT --to-destination 192.168.22.252

Please see above; in this case the replies go from 192.168.22.252 
and clients just drop such packets.

>
>> But SNAT doesn't:
>>
>> #restore mark
>> iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
>>
>> #do nat
>> iptables -t nat -A POSTROUTING -m mark --mark 0x100 \
>>     -j SNAT --to-source 192.168.22.99
>>
>> I see that no packets hit rule:
> Of course not. Stateful NAT automatically takes care of reply packets
> and replaces addresses as expected by the original sender. Only the
> first packet of a new connection goes through the chains of the nat table.
Sorry, no.
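Pascal's description of stateful NAT above, as an added toy model of conntrack's tuple bookkeeping. This is not code from the thread and not the kernel's implementation; it keeps only the part that matters here: one entry per flow with an original tuple and a reply tuple, the nat table consulted only for the first packet of a flow, and every later packet rewritten from the stored binding. The addresses are the thread's; the client address 192.168.22.10 and source port 40000 are constructed for the example. It shows why, with a single DNAT rule and no SNAT rule at all, the resolver's answer reaches the client with source 192.168.22.99 even though the socket sent it from 192.168.22.252, and why a nat POSTROUTING rule can never match a reply packet.

```python
"""Toy model of conntrack's NAT bookkeeping (added example, not code from the thread
and not the kernel's implementation).

Addresses follow the thread: 192.168.22.99 is the VRRP address the client talks to,
192.168.22.252 the static address the resolver actually listens on. The client
address 192.168.22.10 and its source port 40000 are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """The 4-tuple conntrack keys a UDP flow on: (src, sport, dst, dport)."""
    src: str
    sport: int
    dst: str
    dport: int


def reverse(p: Pkt) -> Pkt:
    """The tuple an answer to p carries before any translation."""
    return Pkt(p.dst, p.dport, p.src, p.sport)


class Conntrack:
    """One entry per flow, indexed by its original and by its reply tuple.

    The nat table (here just a list of DNAT rules, standing in for
    iptables -t nat -A PREROUTING -d DST -p udp --dport DPORT -j DNAT --to-destination NEW)
    is consulted only for the first packet of a flow (ctstate NEW). Every later
    packet, in either direction, is rewritten from the stored binding without
    traversing any nat chain, so a rule in nat POSTROUTING never sees a reply.
    """

    def __init__(self, dnat_rules):
        self.dnat_rules = dnat_rules      # [((dst, dport), new_dst), ...]
        self.by_orig = {}                 # original tuple -> reply tuple
        self.by_reply = {}                # reply tuple -> original tuple
        self.nat_table_lookups = 0        # packets that traversed the nat table

    def handle(self, p: Pkt):
        """Return (packet after translation, ctstate)."""
        if p in self.by_orig:
            # Known flow, original direction: reapply the stored DNAT binding.
            r = self.by_orig[p]
            return Pkt(p.src, p.sport, r.src, r.sport), "ESTABLISHED"
        if p in self.by_reply:
            # Known flow, reply direction: undo the DNAT, i.e. put back the
            # address the client originally sent to as the reply's source.
            o = self.by_reply[p]
            return Pkt(o.dst, o.dport, o.src, o.sport), "ESTABLISHED"
        # First packet of a new flow: the only time the nat table runs.
        self.nat_table_lookups += 1
        new_dst = p.dst
        for (dst, dport), to in self.dnat_rules:
            if (p.dst, p.dport) == (dst, dport):
                new_dst = to
                break
        translated = Pkt(p.src, p.sport, new_dst, p.dport)
        reply = reverse(translated)       # what the resolver's answer will look like
        self.by_orig[p] = reply
        self.by_reply[reply] = p
        return translated, "NEW"


def simulate():
    """Walk one DNS query/answer pair through the model; return what each side sees."""
    ct = Conntrack([(("192.168.22.99", 53), "192.168.22.252")])
    query = Pkt("192.168.22.10", 40000, "192.168.22.99", 53)

    delivered, st_query = ct.handle(query)        # as delivered to the resolver socket
    answer = reverse(delivered)                   # resolver answers from the address it listens on
    seen_by_client, st_answer = ct.handle(answer)
    retransmit, st_retransmit = ct.handle(query)  # a later query on the same 4-tuple

    return {
        "delivered": delivered, "st_query": st_query,
        "answer_from_socket": answer,
        "seen_by_client": seen_by_client, "st_answer": st_answer,
        "retransmit": retransmit, "st_retransmit": st_retransmit,
        "nat_table_lookups": ct.nat_table_lookups,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:20} {v}")
```

The model ignores the mangle table, marks and entry timeouts on purpose; the connmark rules in the thread do not change where the nat table is consulted. On a real host the same binding is visible with `conntrack -L` from conntrack-tools, which prints both the original and the reply tuple of the entry, so checking that output after a single query is the quickest way to see which source address the reply will carry before the SNAT rule is even written.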


Thread overview: 6+ messages
2015-03-31  7:10 connmark and nat Dmitry Melekhov
2015-04-01 21:58 ` Pascal Hambourg
2015-04-02  4:22   ` Dmitry Melekhov [this message]
2015-04-02 14:17     ` Dennis Jacobfeuerborn
2015-04-02 15:05       ` Dmitry Melekhov
2015-04-03  4:03         ` Dmitry Melekhov
