netfilter.vger.kernel.org archive mirror
* bonding-related problem with DNAT/SNAT
@ 2009-11-24 18:55 Craig Craig
  2009-11-25  7:54 ` Richard Horton
  0 siblings, 1 reply; 2+ messages in thread
From: Craig Craig @ 2009-11-24 18:55 UTC (permalink / raw)
  To: netfilter

Dear netfilter List,

I have two machines running Kernel 2.6.29.5, one has a bonding-related problem.

A.A.A.A = public IP
X.X.y.y = internal Host #1
X.X.z.z = internal Host #2

What I do is:

Internet ----> Host #1 -----> Host #2
A.A.A.A -----> X.X.y.y -----> X.X.z.z

- Host #1 gets the traffic from the Internet and changes the source via SNAT rule to itself.
- Host #1 uses DNAT to redirect traffic to host #2.
- Host #2 will send the answer to host #1, which will send it back to the internet again.

This works fine with one interface, but if I use bonding, it fails. Can anyone tell me why?
Any hint would be nice...

Bonding activation:
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
ifconfig bond0 X.X.y.y
ifenslave bond0 eth0
ifenslave bond0 eth1
route add default gw XX.XX.y.g

iptables-save:
# Generated by iptables-save v1.4.3.2 on Tue Nov 24 20:21:28 2009
*raw
:PREROUTING ACCEPT [1788:122490]
:OUTPUT ACCEPT [1444:211385]
COMMIT
# Completed on Tue Nov 24 20:21:28 2009
# Generated by iptables-save v1.4.3.2 on Tue Nov 24 20:21:28 2009
*nat
:PREROUTING ACCEPT [100:7436]
:POSTROUTING ACCEPT [20:1480]
:OUTPUT ACCEPT [20:1480]
-A PREROUTING -s A.A.A.A/32 -d X.X.y.y/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination X.X.z.z:443
-A POSTROUTING -d X.X.z.z/32 -p tcp -j SNAT --to-source X.X.y.y
COMMIT
# Completed on Tue Nov 24 20:21:28 2009
# Generated by iptables-save v1.4.3.2 on Tue Nov 24 20:21:28 2009
*mangle
:PREROUTING ACCEPT [1793:122750]
:INPUT ACCEPT [1793:122750]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1451:212709]
:POSTROUTING ACCEPT [1451:212709]
-A PREROUTING -s A.A.A.A/32 -d X.X.y.y/32 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Tue Nov 24 20:21:28 2009
# Generated by iptables-save v1.4.3.2 on Tue Nov 24 20:21:28 2009
*filter
:INPUT ACCEPT [1794:122802]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1455:213349]
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG
COMMIT
# Completed on Tue Nov 24 20:21:28 2009

Relevant .config info:

CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NETFILTER_TPROXY=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
CONFIG_NETFILTER_XT_TARGET_DSCP=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
CONFIG_NETFILTER_XT_TARGET_RATEEST=y
CONFIG_NETFILTER_XT_TARGET_TPROXY=y
CONFIG_NETFILTER_XT_TARGET_TRACE=y
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_DSCP=y
CONFIG_NETFILTER_XT_MATCH_ESP=y
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_IPRANGE=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_OWNER=y
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_QUOTA=y
CONFIG_NETFILTER_XT_MATCH_RATEEST=y
CONFIG_NETFILTER_XT_MATCH_REALM=y
CONFIG_NETFILTER_XT_MATCH_RECENT=y
CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_SOCKET=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_TIME=y
CONFIG_NETFILTER_XT_MATCH_U32=y
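One detail a reader can check against the posted ruleset: all three ACCEPT rules in the filter FORWARD chain are bound to `-i eth0`, and the chain policy is DROP. When eth0 and eth1 are enslaved to bond0, the kernel hands received frames to netfilter with the bond device as the input interface, so interface matches on a slave name no longer see the traffic. The following model of the posted FORWARD chain is an added example, not code from the thread; the sample packets are constructed, and it assumes that netfilter reports the bonded input interface as `bond0`. It walks a DNAT'ed HTTPS SYN through the four rules and the policy once for each interface name.

```python
"""Model of the FORWARD chain from the posted iptables-save (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    in_iface: str           # interface netfilter reports as the input device
    proto: str              # "tcp", "udp", ...
    ct_state: str           # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    syn_only: bool = False  # of FIN,SYN,RST,ACK only SYN is set


@dataclass
class Rule:
    target: str
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    states: Optional[Set[str]] = None
    syn_only: Optional[bool] = None

    def matches(self, pkt: Packet) -> bool:
        # As in iptables, every match given on the rule must hold.
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.states is not None and pkt.ct_state not in self.states:
            return False
        if self.syn_only is not None and pkt.syn_only != self.syn_only:
            return False
        return True


# The four FORWARD rules and the DROP policy exactly as posted.
FORWARD_POLICY = "DROP"
FORWARD: List[Rule] = [
    Rule("ACCEPT", in_iface="eth0", states={"RELATED", "ESTABLISHED"}),
    Rule("ACCEPT", in_iface="eth0", proto="tcp", syn_only=True, states={"NEW"}),
    Rule("ACCEPT", in_iface="eth0", proto="tcp", states={"ESTABLISHED"}),
    Rule("LOG", states={"INVALID"}),  # LOG is non-terminating; traversal continues
]


def walk_forward(pkt: Packet) -> Tuple[str, List[int]]:
    """Return (verdict, 1-based numbers of the rules that matched)."""
    matched: List[int] = []
    for num, rule in enumerate(FORWARD, start=1):
        if rule.matches(pkt):
            matched.append(num)
            if rule.target != "LOG":
                return rule.target, matched
    return FORWARD_POLICY, matched


def verdict_for_new_https_syn(in_iface: str) -> str:
    """Verdict for the first (already DNAT'ed) SYN of an HTTPS connection."""
    return walk_forward(Packet(in_iface, "tcp", "NEW", syn_only=True))[0]


if __name__ == "__main__":
    # Constructed packets: same SYN, only the reported input interface differs.
    for iface in ("eth0", "bond0"):
        print(f"SYN arriving on {iface}: {verdict_for_new_https_syn(iface)}")
```

With the interface names as posted, the same SYN is accepted by rule 2 when reported on `eth0` and falls through to the DROP policy when reported on `bond0`; matching on `-i bond0` (or on no interface) would make the chain behave the same way with and without bonding.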



* Re: bonding-related problem with DNAT/SNAT
  2009-11-24 18:55 bonding-related problem with DNAT/SNAT Craig Craig
@ 2009-11-25  7:54 ` Richard Horton
  0 siblings, 0 replies; 2+ messages in thread
From: Richard Horton @ 2009-11-25  7:54 UTC (permalink / raw)
  To: Craig Craig; +Cc: netfilter

2009/11/24 Craig Craig <craig@haquarter.de>:
> Dear netfilter List,
>
> I have two machines running Kernel 2.6.29.5, one has a bonding-related problem.
>
>

Might be worth sticking trace on and seeing which rules are met...

iptables -t raw -A PREROUTING -j TRACE

and then post the resulting trace logs...

-- 
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
http://www.pbase.com/arimus - My online photogallery
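The TRACE target writes one log line per table/chain hop a traced packet makes, in the form `TRACE: table:chain:kind:rulenum` followed by the usual LOG fields. The parser below is an added example, not code from the thread; the sample lines are constructed to follow the posted ruleset (raw policy, the mangle and nat PREROUTING rules, then the FORWARD chains), with made-up RFC 5737/1918 addresses standing in for the A.A.A.A and X.X.y.y placeholders. It turns the lines into the traversal path, lists the destination address at each hop so the DNAT rewrite is visible, and reports where the walk ended.

```python
"""Parser for netfilter TRACE log lines (added example; sample lines constructed)."""
import re
from typing import Dict, List

# 'TRACE: table:chain:kind:rulenum' followed by LOG-style KEY=VALUE fields and bare flags.
_TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|return|policy):(?P<num>\d+) (?P<rest>.*)"
)


def parse_trace_line(line: str) -> Dict[str, object]:
    m = _TRACE_RE.search(line)
    if not m:
        raise ValueError(f"not a TRACE line: {line!r}")
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for token in m.group("rest").split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value      # 'OUT=' yields an empty string, as in the log
        else:
            flags.append(token)      # bare tokens such as DF or SYN
    return {
        "table": m.group("table"),
        "chain": m.group("chain"),
        "kind": m.group("kind"),
        "rulenum": int(m.group("num")),
        "fields": fields,
        "flags": flags,
    }


def trace_path(lines: List[str]) -> List[str]:
    """Hops as 'table:chain:kind:num', in the order the packet traversed them."""
    return [
        f"{r['table']}:{r['chain']}:{r['kind']}:{r['rulenum']}"
        for r in map(parse_trace_line, lines)
    ]


def destinations(lines: List[str]) -> List[str]:
    """DST at each hop; a change after nat:PREROUTING shows the DNAT taking effect."""
    return [parse_trace_line(line)["fields"]["DST"] for line in lines]


def final_hop(lines: List[str]) -> Dict[str, object]:
    """The last hop logged; a 'policy' hop here means no rule terminated the walk."""
    return parse_trace_line(lines[-1])


# Constructed sample: a SYN to 443 entering on bond0, DNAT'ed from host #1
# (192.168.1.20) to host #2 (192.168.1.30), ending at the FORWARD policy.
_TAIL = ("LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP "
         "SPT=51234 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0")
SAMPLE_TRACE = [
    "kernel: TRACE: raw:PREROUTING:policy:2 IN=bond0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.168.1.20 " + _TAIL,
    "kernel: TRACE: mangle:PREROUTING:rule:1 IN=bond0 OUT= SRC=203.0.113.10 DST=192.168.1.20 " + _TAIL,
    "kernel: TRACE: nat:PREROUTING:rule:1 IN=bond0 OUT= SRC=203.0.113.10 DST=192.168.1.20 " + _TAIL,
    "kernel: TRACE: mangle:FORWARD:policy:1 IN=bond0 OUT=bond0 SRC=203.0.113.10 DST=192.168.1.30 " + _TAIL,
    "kernel: TRACE: filter:FORWARD:policy:5 IN=bond0 OUT=bond0 SRC=203.0.113.10 DST=192.168.1.30 " + _TAIL,
]

if __name__ == "__main__":
    for hop, dst in zip(trace_path(SAMPLE_TRACE), destinations(SAMPLE_TRACE)):
        print(f"{hop:32} DST={dst}")
    last = final_hop(SAMPLE_TRACE)
    print(f"ended at {last['table']}:{last['chain']} ({last['kind']}), IN={last['fields']['IN']}")
```

Reading real output the same way: the `IN=` field on every hop is the interface name the filter rules must match, and a final hop of kind `policy` in a chain whose policy is DROP is the point where the packet was discarded.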

