From: Thomas Bach <t.bach@ilexius.de>
To: netfilter@vger.kernel.org
Subject: IPSec, masquerade and dnat with nftables
Date: Fri, 09 Sep 2016 09:06:59 +0200 [thread overview]
Message-ID: <8737l9mu0c.fsf@ilexius.de> (raw)
Hi,
I have two hosts with public ip addresses running Ubuntu 16.04 with
Kernel version 4.4.0.
I want to interconnect two containers (systemd-nspawn) with veth
interfaces running on these hosts in a server client setup.
So on the first host, where the server in the container runs I have
the following rules:
# nft list ruleset
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
tcp dport { 4506, 4505} dnat 10.0.0.2
}
chain output {
type nat hook output priority 0; policy accept;
tcp dport { 4505, 4506} dnat 10.0.0.2
}
chain input {
type nat hook input priority 0; policy accept;
}
chain postrouting {
type nat hook postrouting priority 0; policy accept;
ip saddr 10.0.0.0/8 oif enp4s0 masquerade
}
}
On the second host, where the client runs i have the following:
# nft list ruleset
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
}
chain output {
type nat hook output priority 0; policy accept;
}
chain input {
type nat hook input priority 0; policy accept;
}
chain postrouting {
type nat hook postrouting priority 0; policy accept;
ip saddr 10.0.0.0/8 oif enp0s31f6 masquerade
}
}
This works as expected and without any problems at all. Now IPSec
enters the picture. As soon as I setup a policy to encrypt everyting
between the two hosts the following happens:
+ I can still connect from the second host to the server in the
container without problems,
+ I can still /connect/ (i.e. establish a connection) from the
container on the second host to the server on the first host, but
+ in tcpdump listening on the interface of the container (on the
second host) I see lots of TCP Retransmissions and the TCP connection
is effectively broken.
Can someone give me a hint what is going on here?
Regards
Thomas Bach.
--
ilexius GmbH
Thomas Bach
Unter den Eichen 5
Haus i
65195 Wiesbaden
Fon: +49-(0)611 - 180 33 49
Fax: +49-(0)611 - 236 80 84 29
----------------------------------------
ilexius GmbH
vertreten durch die Geschäftsleitung:
Thomas Schlüter und Sebastian Koch
Registergericht: Wiesbaden
Handelsregister: HRB 21723
Steuernummer: 040 236 22640
Ust-IdNr.: DE240822836
----------------------------------------
next reply other threads:[~2016-09-09 7:06 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-09 7:06 Thomas Bach [this message]
2016-10-17 19:44 ` IPSec, masquerade and dnat with nftables Pablo Neira Ayuso
2016-10-17 19:52 ` Noel Kuntze
2016-10-17 20:11 ` Pablo Neira Ayuso
2016-10-17 20:17 ` Noel Kuntze
2016-10-17 20:27 ` Pablo Neira Ayuso
2016-10-17 21:07 ` Noel Kuntze
2016-10-18 8:59 ` Florian Westphal
2016-10-18 20:38 ` Noel Kuntze
2016-10-18 20:55 ` Florian Westphal
2016-10-18 21:50 ` Noel Kuntze
2016-10-18 9:39 ` Thomas Bach
2016-10-18 11:33 ` Noel Kuntze
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8737l9mu0c.fsf@ilexius.de \
--to=t.bach@ilexius.de \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox