Packets not hitting the nat POSTROUTING table

Packets not hitting the nat POSTROUTING table

[Chris Frederick]

Can someone help me understand this issue?

I'm trying to do some load balancing, and nothing seems to be working quite right.  The plan would be to have an apache server listening on a 
private interface, while the load balancing happens on the public interface using keepalived's virtual address functions.  I seem to have 
everything setup right, but the apache responses are coming from the private interface.

I've added a TRACE rule to figure out what's happening and none of the response packets are hitting the nat table's POSTROUTING chain. 
Everywhere I've found online mentions packet traversal going through nat/POSTROUTING before being sent on.

Here's a flow of what seems to be happening:

Client (A.B.C.D) sends request to load balanced virtual ip (SYN from A.B.C.D to 1.2.3.4)
Keepalived recieves packet and sends it to a mirrored apache (SYN from A.B.C.D to 10.0.0.X)
Apache responds to client (SYN/ACK from 10.0.0.X to A.B.C.D)
Client receives response from unknown source, rightfully discards it (SYN/ACK from 10.0.0.X should have been from 1.2.3.4)

If I could just SNAT the packets with a rule like this:
iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 --sport 443 -j SNAT --to 12.34.56.78

I've run similar setups like this before, and they have worked, but I can't figure out why nothing is hitting the POSTROUTING chain in the nat 
table.

Any ideas would be helpful.

Chris Frederick

Re: Packets not hitting the nat POSTROUTING table

[Kristian Evensen]

Hi Chris,

On Thu, Jan 9, 2014 at 10:57 PM, Chris Frederick <cdf123@cdf123.net> wrote:
> Any ideas would be helpful.

If I have understood things correctly, packets belonging to an
established connection does not hit any of the chains in the nat
table. If you want to mangle/filter/manipulate/... these packets, you
can use for example the POSTROUTING chain in the mangle table or in
rawpost. The latter requires xtables-addons as well as slight change
to compilation as rawpost was removed in a recent commit. See:
http://sourceforge.net/p/xtables-addons/xtables-addons/ci/9414a5df343bf30ba13e76dbd7181c55683b11cb/

-Kristian

-Kristian

Re: Packets not hitting the nat POSTROUTING table

[Chris Frederick]

On 01/09/14 16:31, Kristian Evensen wrote:
> Hi Chris,
>
> On Thu, Jan 9, 2014 at 10:57 PM, Chris Frederick <cdf123@cdf123.net> wrote:
>> Any ideas would be helpful.
>
> If I have understood things correctly, packets belonging to an
> established connection does not hit any of the chains in the nat
> table. If you want to mangle/filter/manipulate/... these packets, you
> can use for example the POSTROUTING chain in the mangle table or in
> rawpost. The latter requires xtables-addons as well as slight change
> to compilation as rawpost was removed in a recent commit. See:
> http://sourceforge.net/p/xtables-addons/xtables-addons/ci/9414a5df343bf30ba13e76dbd7181c55683b11cb/
>
> -Kristian

When you say "established connection" are you talking TCP level established connection, or is this from contrack identifying the connection?  I 
guess what I'm asking is if doing a NOTRACK in raw would allow the packets through and still pass through nat/POSTROUTING?

I did see that they are hitting the POSTROUTING chain in the mangle table, but I can't SNAT from there.  Does xtables-addons provide this?  I'll 
probably start looking there.

The Changelog from the sourceforge link mentions the code was removed because it was unmaintained.  Is that the only reason, or was this a 
policy decision to remove that functionality to make way for something different?  I would just worry about the future if I patch the system now.

Thanks Kristian,

Chris Frederick

Re: Packets not hitting the nat POSTROUTING table

[Kristian Evensen]

Hi,

On Fri, Jan 10, 2014 at 12:02 AM, Chris Frederick <cdf123@cdf123.net> wrote:
> When you say "established connection" are you talking TCP level established
> connection, or is this from contrack identifying the connection?  I guess
> what I'm asking is if doing a NOTRACK in raw would allow the packets through
> and still pass through nat/POSTROUTING?

Sorry for not being accurate, I meant established as in an established
mapping. If you use NOTRACK, I believe packets skip conntrack and
thereby the NAT table altogether.

> I did see that they are hitting the POSTROUTING chain in the mangle table,
> but I can't SNAT from there.  Does xtables-addons provide this?  I'll
> probably start looking there.

Yes, xtables-addons used to provide this in the RAWDNAT/SNAT targets.
I am not sure why there were removed, but the modules compile fine so
keeping an out-of-tree patch is no problem, at least for now.

-Kristian