iptables + local server via udp + conntracking + 2 uplinks = wrong source address for replies

netfilter.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Valts Silaputnins <support@proxyswitcher.com>
To: netfilter@vger.kernel.org
Subject: iptables + local server via udp + conntracking + 2 uplinks = wrong source address for replies
Date: Sun, 01 Jul 2012 16:35:15 +0300	[thread overview]
Message-ID: <4FF05213.3020204@gmail.com> (raw)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

 maybe someone can advise. The situation is following - I am running
ventrilo server - it's a VoIP software that uses UDP protocol for the
communication. It's server insists on binding to 0.0.0.0:3784
Unfortunately it's not working correctly if I have 2 uplinks available
(routing is:
 default
        nexthop via 46.109.xxx.1  dev wan0 weight 100
        nexthop via 46.109.xxx.1  dev wan1 weight 100
)
I have enabled connection tracking and connection marking for all the
packets arriving from the specified interfaces:
Chain PREROUTING (policy ACCEPT 4800K packets, 2097M bytes)
 pkts bytes target     prot opt in     out     source
destination
8248K 4108M CONNMARK   all  --  any    any     anywhere
anywhere             CONNMARK restore
3079K 1990M ACCEPT     all  --  any    any     anywhere
anywhere             mark match ! 0x0
 272K   16M MARK       all  --  wan0   any     anywhere
anywhere             MARK set 0x1
 272K   16M CONNMARK   all  --  wan0   any     anywhere
anywhere             mark match ! 0x0 CONNMARK save
 272K   16M ACCEPT     all  --  wan0   any     anywhere
anywhere             mark match ! 0x0
96275 5666K MARK       all  --  wan1   any     anywhere
anywhere             MARK set 0x2
96275 5666K CONNMARK   all  --  wan1   any     anywhere
anywhere             mark match ! 0x0 CONNMARK save
96275 5666K ACCEPT     all  --  wan1   any     anywhere
anywhere             mark match ! 0x0

So I have set ip rules & routing tables for it:
100:    from all fwmark 0x1 lookup 1
101:    from all fwmark 0x2 lookup 2
And it works _great_ for TCP connections either for web server running
on same box or for NATed & forwarded connections. What I see in tcpdump
for ventrilo is that it "randomly" picks the source address of either
uplink to send replies to clients, so naturally it does not work because
clients don't expect reply wrong wrong IP address.
So in my naivety I thought that issue must be that connection tracking
for some reason is not working for me. So I added rules into mangle
table of OUTPUT chain to MARK packets to go out of specific interface at
least:
Chain OUTPUT (policy ACCEPT 4792K packets, 2107M bytes)
 pkts bytes target     prot opt in     out     source
destination
7872K 2567M CONNMARK   all  --  any    any     anywhere
anywhere             CONNMARK restore
3080K  460M ACCEPT     all  --  any    any     anywhere
anywhere             mark match ! 0x0
   12  2688 MARK       udp  --  any    wan+    anywhere
anywhere             udp spt:3784 MARK set 0x1
    0     0 MARK       tcp  --  any    wan+    anywhere
anywhere             tcp spt:3784 MARK set 0x1
   12  2688 CONNMARK   all  --  any    wan+    anywhere
anywhere             mark match ! 0x0 CONNMARK save


And it kind of worked - packets started to go out the "wan0" interface.
However the source address was still wrong. Ok so I tried to fix that by
adding SNAT to POSTROUTING chain. Only to realize that for some reason
those packets don't hit it (checked by -j TRACE...).
So I started googling for reasons for this problem, however results seem
to condradict each other, some say it (well for tcp I suppose) works
fine, some say SNAT for OUTPUT doesn't work at all.
Sorry for long rambling, I am just stomped on this issue.
#uname -a
Linux arcturus 3.4.2-arcturus #7 SMP Tue Jun 19 21:08:02 EEST 2012
x86_64 Intel(R) Pentium(R) Dual  CPU  E2200  @ 2.20GHz GenuineIntel
GNU/Linux
# iptables --version
iptables v1.4.14

P.S. Can't make it to bind to specific interface sadly.

- --
Best regards, Valts Silaputnins.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)

iEYEARECAAYFAk/wUhMACgkQ7nq3gp3q9WMVUQCgzUMvfX8WS0K31ee34pX7eO5+
i3EAn0Vg8KF1t+e+7gybEbmpwNRICdUI
=EC7C
-----END PGP SIGNATURE-----

next             reply	other threads:[~2012-07-01 13:35 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-07-01 13:35 Valts Silaputnins [this message]
2012-07-08 21:15 ` iptables + local server via udp + conntracking + 2 uplinks = wrong source address for replies Andrew Beverley
2012-07-09  9:50   ` Valts Silaputnins
  -- strict thread matches above, loose matches on Subject: below --
2012-06-29 22:16 Valts Silaputnins

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4FF05213.3020204@gmail.com \
    --to=support@proxyswitcher.com \
    --cc=ValtsS@gmail.com \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).