connmark and nat

connmark and nat

[Dmitry Melekhov]

Hello!

I'm trying to do DNAT/SNAT on the same host with connmark and can't get 
it working.

My host has static ip 192.168.22.252 and it can get address 
192.168.22.99 from VRRP, so bind doesn't listen on 192.168.22.99,
but if host got this address it has to answer on it the same as on 
192.168.22.252.

So , if traffic goes to 192.168.22.99 port 53 udp, I need to redirect it 
to 192.168.22.252:53,
and if it was to 192.168.22.99 host need to reply from this address.

DNAT part works:

#mark
iptables -t mangle -A PREROUTING -d 192.168.22.99 -p udp --dport 53 -j 
CONNMARK --set-mark 0x100

#restore mark inside connection
iptables -t mangle -A PREROUTING -d 192.168.22.99 -p udp --dport 53 -j 
CONNMARK --restore-mark


#do NAT
iptables -t nat -A PREROUTING -m mark --mark 0x100 -j DNAT 
--to-destination 192.168.22.252


Don't know is is correct or not, but at least it works.


But SNAT doesn't:

#restore mark
iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark

#do nat
iptables -t nat -A POSTROUTING -m mark --mark 0x100 -j SNAT --to-source 
192.168.22.99


I see that no packets hit rule:

     0     0 SNAT       all  --  *      *       0.0.0.0/0 
0.0.0.0/0            connmark match  0x100 to:192.168.22.99


Could you, please, tell me what is wrong here?

Thank you!

Re: connmark and nat

[Pascal Hambourg]

Dmitry Melekhov a écrit :
> 
> I'm trying to do DNAT/SNAT on the same host with connmark and can't get 
> it working.
> 
> My host has static ip 192.168.22.252 and it can get address 
> 192.168.22.99 from VRRP, so bind doesn't listen on 192.168.22.99,

Why not ?

> but if host got this address it has to answer on it the same as on 
> 192.168.22.252.
> 
> So , if traffic goes to 192.168.22.99 port 53 udp, I need to redirect it 
> to 192.168.22.252:53,

Not if you can have BIND to listen on 192.168.22.99 when your host gets
the address.

> and if it was to 192.168.22.99 host need to reply from this address.

This is automatic with stateful destination NAT (DNAT).

> DNAT part works:
> 
> #mark
> iptables -t mangle -A PREROUTING -d 192.168.22.99 -p udp --dport 53 -j 
> CONNMARK --set-mark 0x100
> 
> #restore mark inside connection
> iptables -t mangle -A PREROUTING -d 192.168.22.99 -p udp --dport 53 -j 
> CONNMARK --restore-mark
> 
> #do NAT
> iptables -t nat -A PREROUTING -m mark --mark 0x100 -j DNAT 
> --to-destination 192.168.22.252

What a complicated setup. Why not just this :

iptables -t nat -A PREROUTING -d 192.168.22.99 -p udp --dport 53 \
  -j DNAT --to-destination 192.168.22.252

> But SNAT doesn't:
> 
> #restore mark
> iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
> 
> #do nat
> iptables -t nat -A POSTROUTING -m mark --mark 0x100 -j SNAT --to-source 
> 192.168.22.99
> 
> I see that no packets hit rule:

Of course not. Stateful NAT automatically takes care of reply packets
and replaces addresses as expected by the original sender. Only the
first packet of a new connection goes throught the chains of the nat table.

Re: connmark and nat

[Dmitry Melekhov]

02.04.2015 01:58, Pascal Hambourg пишет:
> Dmitry Melekhov a écrit :
>> I'm trying to do DNAT/SNAT on the same host with connmark and can't get
>> it working.
>>
>> My host has static ip 192.168.22.252 and it can get address
>> 192.168.22.99 from VRRP, so bind doesn't listen on 192.168.22.99,
> Why not ?

because there is no such address on interface, it becomes available only 
at VRRP state change to master :-)

>> but if host got this address it has to answer on it the same as on
>> 192.168.22.252.
>>
>> So , if traffic goes to 192.168.22.99 port 53 udp, I need to redirect it
>> to 192.168.22.252:53,
> Not if you can have BIND to listen on 192.168.22.99 when your host gets
> the address.

Yes, really, I can, but I'd like to solve this by using iptables, just 
for fun, you know ;-)

>> and if it was to 192.168.22.99 host need to reply from this address.
> This is automatic with stateful destination NAT (DNAT).

Really not, bind uses udp, so it will reply from 192.168.22.252, i.e. 
from address it listens.
>
>> DNAT part works:
>>
>> #mark
>> iptables -t mangle -A PREROUTING -d 192.168.22.99 -p udp --dport 53 -j
>> CONNMARK --set-mark 0x100
>>
>> #restore mark inside connection
>> iptables -t mangle -A PREROUTING -d 192.168.22.99 -p udp --dport 53 -j
>> CONNMARK --restore-mark
>>
>> #do NAT
>> iptables -t nat -A PREROUTING -m mark --mark 0x100 -j DNAT
>> --to-destination 192.168.22.252
> What a complicated setup. Why not just this :
>
> iptables -t nat -A PREROUTING -d 192.168.22.99 -p udp --dport 53 \
>    -j DNAT --to-destination 192.168.22.252

Please, see above, in this case replies are go from

192.168.22.252

and clients just drop such packets.

>
>> But SNAT doesn't:
>>
>> #restore mark
>> iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
>>
>> #do nat
>> iptables -t nat -A POSTROUTING -m mark --mark 0x100 -j SNAT --to-source
>> 192.168.22.99
>>
>> I see that no packets hit rule:
> Of course not. Stateful NAT automatically takes care of reply packets
> and replaces addresses as expected by the original sender. Only the
> first packet of a new connection goes throught the chains of the nat table.
Sorry, no.

Re: connmark and nat

[Dennis Jacobfeuerborn]

On 02.04.2015 06:22, Dmitry Melekhov wrote:
> 02.04.2015 01:58, Pascal Hambourg пишет:
>> Dmitry Melekhov a écrit :
>>> I'm trying to do DNAT/SNAT on the same host with connmark and can't get
>>> it working.
>>>
>>> My host has static ip 192.168.22.252 and it can get address
>>> 192.168.22.99 from VRRP, so bind doesn't listen on 192.168.22.99,
>> Why not ?
> 
> because there is no such address on interface, it becomes available only
> at VRRP state change to master :-)

Have you tried using /proc/sys/net/ipv4/ip_nonlocal_bind? Then you could
bind to that address even if it isn't configured yet.

Regards,
  Dennis

Re: connmark and nat

[Dmitry Melekhov]

02.04.2015 18:17, Dennis Jacobfeuerborn пишет:
> On 02.04.2015 06:22, Dmitry Melekhov wrote:
>> 02.04.2015 01:58, Pascal Hambourg пишет:
>>> Dmitry Melekhov a écrit :
>>>> I'm trying to do DNAT/SNAT on the same host with connmark and can't get
>>>> it working.
>>>>
>>>> My host has static ip 192.168.22.252 and it can get address
>>>> 192.168.22.99 from VRRP, so bind doesn't listen on 192.168.22.99,
>>> Why not ?
>> because there is no such address on interface, it becomes available only
>> at VRRP state change to master :-)
> Have you tried using /proc/sys/net/ipv4/ip_nonlocal_bind? Then you could
> bind to that address even if it isn't configured yet.
>
>
Thank you very much, this helps :-)
I didn't know about this option.
Turned it on, changed bind to
listen-on { 192.168.22.99; any; };

and it works :-)

Re: connmark and nat

[Dmitry Melekhov]

02.04.2015 19:05, Dmitry Melekhov пишет:
> 02.04.2015 18:17, Dennis Jacobfeuerborn пишет:
>> On 02.04.2015 06:22, Dmitry Melekhov wrote:
>>> 02.04.2015 01:58, Pascal Hambourg пишет:
>>>> Dmitry Melekhov a écrit :
>>>>> I'm trying to do DNAT/SNAT on the same host with connmark and 
>>>>> can't get
>>>>> it working.
>>>>>
>>>>> My host has static ip 192.168.22.252 and it can get address
>>>>> 192.168.22.99 from VRRP, so bind doesn't listen on 192.168.22.99,
>>>> Why not ?
>>> because there is no such address on interface, it becomes available 
>>> only
>>> at VRRP state change to master :-)
>> Have you tried using /proc/sys/net/ipv4/ip_nonlocal_bind? Then you could
>> bind to that address even if it isn't configured yet.
>>
>>
> Thank you very much, this helps :-)
> I didn't know about this option.
> Turned it on, changed bind to
> listen-on { 192.168.22.99; any; };
>
> and it works :-)
>
>
Hmm, tried this once again- and doesn't work, looks like this is bind 
problem, I guess I have to enumerate all interfaces, don't use any,
but there are more than 10 interfaces on this server, and I'm too lazy ;-)

So, looks like only solution is no force rndc reconfigure on vrrp state 
change,
which I just implemented.

Very pity this can't be solved by using netfilter.

Thank you!