From: Thomas Bach <t.bach@ilexius.de>
To: netfilter@vger.kernel.org
Subject: IPSec, masquerade and dnat with nftables
Date: Fri, 09 Sep 2016 09:06:59 +0200
Message-ID: <8737l9mu0c.fsf@ilexius.de>

Hi,

I have two hosts with public IP addresses running Ubuntu 16.04 with
kernel version 4.4.0.

I want to interconnect two containers (systemd-nspawn) with veth
interfaces running on these hosts in a server/client setup.

So on the first host, where the server in the container runs, I have
the following rules:
# nft list ruleset
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
    tcp dport { 4505, 4506 } dnat 10.0.0.2
  }

  chain output {
    type nat hook output priority 0; policy accept;
    tcp dport { 4505, 4506 } dnat 10.0.0.2
  }

  chain input {
    type nat hook input priority 0; policy accept;
  }

  chain postrouting {
    type nat hook postrouting priority 0; policy accept;
    ip saddr 10.0.0.0/8 oif enp4s0 masquerade
  }
}

On the second host, where the client runs, I have the following:
# nft list ruleset
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }

  chain output {
    type nat hook output priority 0; policy accept;
  }

  chain input {
    type nat hook input priority 0; policy accept;
  }

  chain postrouting {
    type nat hook postrouting priority 0; policy accept;
    ip saddr 10.0.0.0/8 oif enp0s31f6 masquerade
  }
}

This works as expected and without any problems at all. Now IPSec
enters the picture. As soon as I set up a policy to encrypt everything
between the two hosts, the following happens:
+ I can still connect from the second host to the server in the
  container without problems,
+ I can still /connect/ (i.e. establish a connection) from the
  container on the second host to the server on the first host, but
+ in tcpdump listening on the interface of the container (on the
  second host) I see lots of TCP Retransmissions and the TCP connection
  is effectively broken.

Can someone give me a hint as to what is going on here?

Regards

    Thomas Bach.
-- 
ilexius GmbH
Thomas Bach
Unter den Eichen 5
Haus i
65195 Wiesbaden
Phone: +49-(0)611 - 180 33 49
Fax: +49-(0)611 - 236 80 84 29
----------------------------------------
ilexius GmbH
represented by the management:
Thomas Schlüter and Sebastian Koch
Registry court: Wiesbaden
Commercial register: HRB 21723
Tax number: 040 236 22640
VAT ID: DE240822836
----------------------------------------
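The symptom reported above is "lots of TCP retransmissions" seen with tcpdump on the container's interface. As an added example (not part of the original mail or of the nftables project), the following Python script parses tcpdump-style output, groups packets into flows and reports, per flow, how many data segments were sent, how many of them are repeats of a segment already seen (i.e. retransmissions) and the largest retransmitted segment. The capture lines embedded in the script are constructed to mimic the scenario in the mail (container 10.0.0.2 talking to port 4506 on the remote host, whose public address 203.0.113.10 is a documentation-range placeholder); they are not taken from the original report.

```python
import re
from collections import defaultdict

# Constructed sample tcpdump output (not from the original mail): the same
# 1448-byte data segment (seq 1:1449) is sent three times from the container
# while only the small segment is ever acknowledged by the peer.
SAMPLE_CAPTURE = """\
09:06:59.100000 IP 10.0.0.2.45678 > 203.0.113.10.4506: Flags [S], seq 1000, win 29200, length 0
09:06:59.120000 IP 203.0.113.10.4506 > 10.0.0.2.45678: Flags [S.], seq 2000, ack 1001, win 28960, length 0
09:06:59.120100 IP 10.0.0.2.45678 > 203.0.113.10.4506: Flags [.], ack 1, win 229, length 0
09:06:59.130000 IP 10.0.0.2.45678 > 203.0.113.10.4506: Flags [P.], seq 1:1449, ack 1, win 229, length 1448
09:06:59.340000 IP 10.0.0.2.45678 > 203.0.113.10.4506: Flags [P.], seq 1:1449, ack 1, win 229, length 1448
09:06:59.760000 IP 10.0.0.2.45678 > 203.0.113.10.4506: Flags [P.], seq 1:1449, ack 1, win 229, length 1448
09:06:59.770000 IP 10.0.0.2.45678 > 203.0.113.10.4506: Flags [P.], seq 1449:1500, ack 1, win 229, length 51
09:06:59.790000 IP 203.0.113.10.4506 > 10.0.0.2.45678: Flags [.], ack 1, win 227, length 0
"""

# One tcpdump TCP summary line: timestamp, endpoints, flags, optional
# "seq a" or "seq a:b", anything else, and the trailing payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq_start>\d+)(?::(?P<seq_end>\d+))?)?"
    r".*?, length (?P<length>\d+)$"
)


def parse_tcpdump(text):
    """Turn tcpdump text into a list of packet dicts; unrecognised lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "ts": d["ts"],
            # A flow is the unidirectional 4-tuple; the reverse direction is a separate flow.
            "flow": (d["src"], int(d["sport"]), d["dst"], int(d["dport"])),
            "flags": d["flags"],
            "seq": int(d["seq_start"]) if d["seq_start"] else None,
            "length": int(d["length"]),
        })
    return packets


def find_retransmissions(packets):
    """Per flow: count segments, count repeats of an already-seen (seq, length), track max repeated size."""
    seen = defaultdict(set)
    report = defaultdict(lambda: {"segments": 0, "retransmits": 0, "max_retrans_len": 0})
    for p in packets:
        # Pure ACKs carry no sequence number to repeat; SYNs do, even with length 0.
        if p["seq"] is None or (p["length"] == 0 and "S" not in p["flags"]):
            continue
        key = (p["seq"], p["length"])
        stats = report[p["flow"]]
        stats["segments"] += 1
        if key in seen[p["flow"]]:
            stats["retransmits"] += 1
            stats["max_retrans_len"] = max(stats["max_retrans_len"], p["length"])
        else:
            seen[p["flow"]].add(key)
    return dict(report)


def flows_with_retransmissions(report, threshold=1):
    """Return the flows whose retransmission count reaches the threshold."""
    return [flow for flow, s in report.items() if s["retransmits"] >= threshold]


if __name__ == "__main__":
    report = find_retransmissions(parse_tcpdump(SAMPLE_CAPTURE))
    for flow in flows_with_retransmissions(report):
        s = report[flow]
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: "
              f"{s['retransmits']} of {s['segments']} segments retransmitted, "
              f"largest retransmitted segment {s['max_retrans_len']} bytes")
```

Run it against a real capture with `tcpdump -n -i <veth> tcp | python3 script.py` after replacing `SAMPLE_CAPTURE` with `sys.stdin.read()`. The largest retransmitted segment size is reported because, on an encrypted path, comparing the size of the segments that never get through with the size of the ones that do is the first thing to check before looking at the NAT rules themselves.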

Thread overview: 13+ messages
2016-09-09  7:06 Thomas Bach [this message]
2016-10-17 19:44 ` IPSec, masquerade and dnat with nftables Pablo Neira Ayuso
2016-10-17 19:52   ` Noel Kuntze
2016-10-17 20:11     ` Pablo Neira Ayuso
2016-10-17 20:17       ` Noel Kuntze
2016-10-17 20:27         ` Pablo Neira Ayuso
2016-10-17 21:07           ` Noel Kuntze
2016-10-18  8:59             ` Florian Westphal
2016-10-18 20:38               ` Noel Kuntze
2016-10-18 20:55                 ` Florian Westphal
2016-10-18 21:50                   ` Noel Kuntze
2016-10-18  9:39   ` Thomas Bach
2016-10-18 11:33     ` Noel Kuntze