Linux Netfilter discussions
From: Dmitry Melekhov <dm@belkam.com>
To: netfilter@vger.kernel.org
Subject: connmark and nat
Date: Tue, 31 Mar 2015 11:10:02 +0400	[thread overview]
Message-ID: <551A484A.7050208@belkam.com> (raw)

Hello!

I'm trying to do DNAT/SNAT on the same host with connmark and can't get 
it working.

My host has a static IP, 192.168.22.252, and it can get the address
192.168.22.99 from VRRP, so bind doesn't listen on 192.168.22.99,
but if the host has this address it has to answer on it the same as on
192.168.22.252.

So, if traffic goes to 192.168.22.99 port 53 udp, I need to redirect it
to 192.168.22.252:53,
and if it was sent to 192.168.22.99 the host needs to reply from this address.

DNAT part works:

#mark
iptables -t mangle -A PREROUTING -d 192.168.22.99 -p udp --dport 53 -j CONNMARK --set-mark 0x100

#restore mark inside connection
iptables -t mangle -A PREROUTING -d 192.168.22.99 -p udp --dport 53 -j CONNMARK --restore-mark


#do NAT
iptables -t nat -A PREROUTING -m mark --mark 0x100 -j DNAT --to-destination 192.168.22.252


I don't know whether this is correct or not, but at least it works.


But SNAT doesn't:

#restore mark
iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark

#do nat
iptables -t nat -A POSTROUTING -m mark --mark 0x100 -j SNAT --to-source 192.168.22.99


I see that no packets hit the rule:

     0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x100 to:192.168.22.99


Could you, please, tell me what is wrong here?

Thank you!
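
The zero counter on the SNAT rule follows from how the nat table and conntrack interact: the nat table is consulted only for the first packet of a connection, and every later packet of that flow, replies included, is translated from the binding conntrack recorded, reversed for the reply direction. With the DNAT in nat PREROUTING in place, bind's answers therefore already leave with source 192.168.22.99, and they never reach the nat POSTROUTING chain at all. The Python model below is an added editor's example, not code from this thread; it walks the ruleset from the mail through the hooks. The client address 192.168.22.10 and its source port are constructed, and the hook walk is simplified (no OUTPUT nat, no port remapping, no timeouts).

```python
"""Walk packets through the netfilter hooks for the ruleset in the mail above.
Editor's added example, not code from the thread: the client address and port
are constructed, and the hook walk is simplified (no OUTPUT nat, no port remap)."""
import copy
from dataclasses import dataclass

VRRP_IP, HOST_IP = "192.168.22.99", "192.168.22.252"   # addresses from the mail
CLIENT = "192.168.22.10"                                 # constructed client
MARK = 0x100

def reverse(t):                       # (src, sport, dst, dport) -> reply tuple
    src, sport, dst, dport = t
    return (dst, dport, src, sport)

@dataclass
class Packet:
    src: str; sport: int; dst: str; dport: int
    mark: int = 0
    def tuple(self):
        return (self.src, self.sport, self.dst, self.dport)

@dataclass
class Conn:
    original: tuple      # tuple of the first packet, before any NAT
    reply: tuple         # tuple a reply carries once the NAT binding is recorded
    connmark: int = 0

class Rule:
    """One iptables rule: match predicate, action and packet counter."""
    def __init__(self, match, action):
        self.match, self.action, self.packets = match, action, 0
    def run(self, pkt, conn):
        if self.match(pkt, conn):
            self.packets += 1
            self.action(pkt, conn)

# The chains from the mail.  Only packets to the VRRP address get the connmark.
def to_vrrp_dns(pkt, conn): return pkt.dst == VRRP_IP and pkt.dport == 53
def is_marked(pkt, conn):   return pkt.mark == MARK
def set_connmark(pkt, conn): conn.connmark = MARK
def restore_mark(pkt, conn): pkt.mark = conn.connmark
def dnat_to_host(pkt, conn):
    pkt.dst = HOST_IP
    conn.reply = reverse(pkt.tuple())    # conntrack records the DNAT binding
def snat_to_vrrp(pkt, conn):
    pkt.src = VRRP_IP
    conn.reply = reverse(pkt.tuple())

MANGLE_PREROUTING  = [Rule(to_vrrp_dns, set_connmark), Rule(to_vrrp_dns, restore_mark)]
NAT_PREROUTING     = [Rule(is_marked, dnat_to_host)]
MANGLE_POSTROUTING = [Rule(lambda p, c: True, restore_mark)]
NAT_POSTROUTING    = [Rule(is_marked, snat_to_vrrp)]   # the rule that never fires

class Conntrack:
    def __init__(self):
        self.conns = []
    def lookup(self, pkt):
        """Return (conn, direction, is_new); creates the entry for a new flow."""
        t = pkt.tuple()
        for c in self.conns:
            if t == c.original: return c, "ORIGINAL", False
            if t == c.reply:    return c, "REPLY", False
        c = Conn(t, reverse(t))
        self.conns.append(c)
        return c, "ORIGINAL", True

CT = Conntrack()

def expected(conn, direction):   # tuple the packet must carry after NAT
    return reverse(conn.reply) if direction == "ORIGINAL" else reverse(conn.original)

def receive(pkt):
    """Inbound: PREROUTING (mangle, then nat for the first packet only) -> INPUT."""
    pkt = copy.copy(pkt)
    conn, direction, new = CT.lookup(pkt)
    for r in MANGLE_PREROUTING: r.run(pkt, conn)
    if new:
        for r in NAT_PREROUTING: r.run(pkt, conn)
    # DST manipulation for this and every later packet comes from the binding
    _, _, pkt.dst, pkt.dport = expected(conn, direction)
    return pkt                     # dst is local, so it goes to INPUT / the socket

def send(pkt):
    """Outbound from a local socket: OUTPUT -> POSTROUTING (nat only if new)."""
    pkt = copy.copy(pkt)
    conn, direction, new = CT.lookup(pkt)
    for r in MANGLE_POSTROUTING: r.run(pkt, conn)
    if new:
        for r in NAT_POSTROUTING: r.run(pkt, conn)
    # SRC manipulation: a reply on a DNATed flow is un-DNATed here automatically
    pkt.src, pkt.sport, _, _ = expected(conn, direction)
    return pkt

def dns_exchange(client_port):
    """One query to .99:53 and bind's answer from .252:53.  Returns the query as
    bind sees it (after PREROUTING) and the answer as the client sees it."""
    query = Packet(CLIENT, client_port, VRRP_IP, 53)
    seen_by_bind = receive(query)
    answer = Packet(HOST_IP, 53, seen_by_bind.src, seen_by_bind.sport)
    return seen_by_bind, send(answer)

def nat_counters():              # (nat PREROUTING hits, nat POSTROUTING hits)
    return NAT_PREROUTING[0].packets, NAT_POSTROUTING[0].packets

if __name__ == "__main__":
    for port in (40000, 40000):  # second query reuses the flow: nat not consulted
        q, a = dns_exchange(port)
        print(f"bind sees   {q.src}:{q.sport} -> {q.dst}:{q.dport} mark={q.mark:#x}")
        print(f"client sees {a.src}:{a.sport} -> {a.dst}:{a.dport} mark={a.mark:#x}")
    print("nat PREROUTING hits, nat POSTROUTING hits:", nat_counters())
```

Running it shows the answer leaving as 192.168.22.99:53 with the connmark restored, while the nat POSTROUTING counter stays at zero exactly as in the listing above: the SNAT rule is only ever offered the first packet of a locally originated connection, and the replies to a DNATed flow are not that.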


Thread overview: 6+ messages
2015-03-31  7:10 Dmitry Melekhov [this message]
2015-04-01 21:58 ` connmark and nat Pascal Hambourg
2015-04-02  4:22   ` Dmitry Melekhov
2015-04-02 14:17     ` Dennis Jacobfeuerborn
2015-04-02 15:05       ` Dmitry Melekhov
2015-04-03  4:03         ` Dmitry Melekhov
