Hi Silvio,
Thanks for your response.
I still do not understand why SNATting in B to the public IP of box A would not
work.
By this I mean the following:
1) Client sends packet to box A ( src: 9.10.11.12 dst: 1.2.3.4 )
2) Box A does DNAT (PREROUTING) to box B ( src: 9.10.11.12 dst: 10.0.0.2 )
Box B receives the packet and replies directly to the client:
1) Box B does SNAT (POSTROUTING) using box A WAN as source (src: 1.2.3.4 dst: 9.10.11.12)
There are two reasons why I'd like to implement it this way:
a) Reduce the load on box A so that the packets from B go directly to the client 9.10.11.12, bypassing A.
b) The server on box B must log the IPs of all clients (i.e. log the original client IP 9.10.11.12).
Thank you,
Alec Matusis
>-----Original Message-----
>From: Silvio Fonseca [mailto:silvio@pizzaroot.com.br]
>Sent: Saturday, February 24, 2007 8:18 AM
>To: netfilter@lists.netfilter.org
>Cc: Alec Matusis
>Subject: Re: "distributed router" question
>
>Hello Alec,
>
>In this situation you have to SNAT on box A before sending the packet to box B:
>
>1) Client sends packet to box A ( src: 9.10.11.12 dst: 1.2.3.4 )
>2) Box A does DNAT (PREROUTING) to box B ( src: 9.10.11.12 dst: 10.0.0.2 )
>3) Box A does SNAT (POSTROUTING) using box A LAN as source ( src: 10.0.0.1 dst: 10.0.0.2 )
>
>Box B receives the packet and replies:
>
>1) Box B replies to box A ( src: 10.0.0.2 dst: 10.0.0.1 )
>2) Box A reverts the SNAT ( src: 10.0.0.2 dst: 9.10.11.12 )
>3) Box A reverts the DNAT ( src: 1.2.3.4 dst: 9.10.11.12 )
>
>Asymmetrical routing, using box A WAN to receive and box B WAN to send, won't
>work because you will need to SNAT to the public IP address of B before
>sending to the public network (source will be 5.6.7.8) while the client is
>expecting A's public address (source 1.2.3.4).
>
>Hope that helps.
>
>Silvio Fonseca
>
>> I am wondering if I am doing something legitimate, or if it's against TCP/IP
>> (I am a physicist by education, so I do not know):
>>
>> I have box A that has one connection to WAN and one connection to LAN. On
>> box A, eth0 has a public IP 1.2.3.4 and eth1 has a private IP 10.0.0.1.
>>
>> I have box B that also has one connection to WAN and another one to the
>> same LAN. On B, eth0 has a public IP 5.6.7.8 and eth1 has a private IP
>> 10.0.0.2.
>>
>> I configured iptables in box A to forward packets destined for 1.2.3.4:3000
>> to the destination 10.0.0.2:3000, i.e. to box B. This part works, I
>> checked with tcpdumps.
>>
>> Now, box B, after receiving a SYN packet via box A on eth1, sends an ACK
>> packet directly through its WAN interface eth0 to the client. If I do not
>> configure POSTROUTING SNAT, those ACK packets appear to originate from
>> 10.0.0.2, so they are rejected by the client.
>> My question is: if I configure SNAT on box B so that ACK packets appear to
>> come from box A (i.e. from 1.2.3.4), would this be a legitimate
>> configuration?
>>
>> In other words, a SYN packet is sent to one machine, forwarded via LAN to
>> another machine, and the ACK packet is sent from the second machine having
>> the source IP of the first machine. For that matter, all incoming packets
>> from the client are received by A, then forwarded to B, and all response
>> packets are sent directly from B to the client. Is this a legitimate
>> configuration?
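Silvio's symmetric scheme (DNAT then SNAT on box A, both reverted on the reply), as an added example that is not part of this thread: a small Python model of box A's NAT and connection tracking using the addresses from the thread. The client source port 40000, the class and function names, and the reduced tuple model are assumptions; the run also shows why the server on box B sees 10.0.0.1 rather than the client address, which is the logging concern Alec raises.

```python
from dataclasses import dataclass

# Addresses from the thread; the client source port used later is an assumption.
CLIENT, A_WAN, A_LAN, B_LAN, PORT = "9.10.11.12", "1.2.3.4", "10.0.0.1", "10.0.0.2", 3000

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class BoxA:
    """Models box A: DNAT 1.2.3.4:3000 -> 10.0.0.2:3000 in PREROUTING, then
    SNAT to 10.0.0.1 in POSTROUTING. Connection tracking stores the tuple the
    reply will carry, so the reply is reverted without matching any rule."""

    def __init__(self):
        self.conntrack = {}  # expected reply tuple -> original client packet

    def forward(self, pkt):
        if (pkt.dst, pkt.dport) != (A_WAN, PORT):
            return None  # no DNAT rule matches; out of scope for this model
        dnat = Packet(pkt.src, B_LAN, pkt.sport, PORT)  # step 2: DNAT
        snat = Packet(A_LAN, dnat.dst, dnat.sport, dnat.dport)  # step 3: SNAT
        # B will answer with src/dst and ports swapped relative to what it saw
        self.conntrack[(snat.dst, snat.src, snat.dport, snat.sport)] = pkt
        return snat

    def reply(self, pkt):
        orig = self.conntrack.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        if orig is None:
            return None  # no conntrack entry: the reply is not translated back
        # revert SNAT (dst back to the client) and DNAT (src back to A's WAN)
        return Packet(orig.dst, orig.src, orig.dport, orig.sport)

def box_b_reply(pkt):
    """Box B's server answers the source it saw; under this scheme that is
    box A's LAN address, which is why B cannot log the real client IP."""
    return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport)

def run_connection(client_sport=40000):
    """Walk one SYN/reply round trip and return (packet B sees, IP B logs,
    packet the client receives)."""
    a = BoxA()
    to_b = a.forward(Packet(CLIENT, A_WAN, client_sport, PORT))
    back = a.reply(box_b_reply(to_b))
    return to_b, to_b.src, back
```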