
am i abusing conntrackd?

by KatrinAlec, from LinuxQuestions.org (#6DBS6)
Hello,
I'm trying to do a connection with a DNAT, but in case the answer packets come back via a different server, I want it to work too.

interfaces Server 1: 192.168.0.1/24 and 10.0.0.1/24
interfaces Server 2: 192.168.0.2/24 and 10.0.0.2/24
Each one doing a DNAT to 10.0.0.100 (destination)
Source 192.168.0.10 is trying to connect to either 192.168.0.1 or .2, shouldn't matter.
Destination is routing back to either 10.0.0.1 or 10.0.0.2, shouldn't matter either.

e.g.
192.168.0.10 (Source) connects to 192.168.0.1 (Server 1)
that will be forwarded to 10.0.0.100 (destination)
which routes the answer-packets back to 10.0.0.2 (Server 2),
that should undo the DNAT, like Server 1 would,
and send back to 192.168.0.10 (Source)

If the destination routes the answers back to the same router, which did the dnat, it works (of course).
If the destination routes back to the other one, that one doesn't have the conntrack entry to undo the dnat.

So I thought I could use conntrackd to exchange the conntrack entries.
It seems to work as far as when I connect to Server 1, Server 2 has its conntrack updated and vice versa.

But when I connect via Server 1 and the reply is routed via Server 2 the connection doesn't work.

On the destination I can see
SYN from 192.168.0.10 to 10.0.0.100 (as expected)
SYN ACK from 10.0.0.100 to 192.168.0.10 (as expected)

on Server 2 I can see
SYN ACK from 192.168.0.1 to 192.168.0.10 (so it seems to work, dnat is reversed, packets go back to source)

on Source I can see
SYN from 192.168.0.10 to 192.168.0.1 (as expected)
another
SYN from 192.168.0.10 to 192.168.0.1 (shouldn't matter afaik)
SYN ACK from 192.168.0.1 to 192.168.0.10 (IP Server 1 but mac Server 2, is what I wanted)
ACK from 192.168.0.10 to 192.168.0.1 (expected that too)
RST from 192.168.0.1 (Server 1 mac Server 1)

I think maybe the conntrack entries aren't updated fast enough so Server 1 doesn't know about the SYN ACK yet, because that went via Server 2?

Or maybe there's something else I'm missing?
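For reference, a minimal conntrackd.conf for the two-router setup the post describes, added here as an example and not taken from the post: the addresses follow the post, while the interface name eth1, the multicast group, and the file paths are assumptions. The point it shows is the Sync block: replication between the two servers over the 10.0.0.0/24 link, with the external cache disabled so that entries learned from the peer are injected into the local kernel table right away instead of being held back until a failover commit.

```conf
# /etc/conntrackd/conntrackd.conf on Server 1 (10.0.0.1); Server 2 uses 10.0.0.2.
# Added example for an active-active pair with asymmetric return paths.
Sync {
    Mode FTFW {
        # Replicated entries go straight into the kernel conntrack table.
        # Without this, Server 2 only learns Server 1's DNAT mapping at
        # failover time and cannot undo the DNAT on the reply path.
        DisableExternalCache On
    }
    Multicast {
        IPv4_address 225.0.0.50      # assumed multicast group
        Group 3780
        IPv4_interface 10.0.0.1      # this server's 10.0.0.0/24 address
        Interface eth1               # assumed name of the 10.0.0.0/24 interface
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
}

General {
    HashSize 32768
    HashLimit 131072
    LogFile on
    Syslog off
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    Filter From Userspace {
        # Only the DNATed flows matter here; keep the sync traffic small.
        Protocol Accept {
            TCP
        }
        # Never replicate the sync channel or loopback state itself.
        Address Ignore {
            IPv4_address 127.0.0.1
            IPv4_address 10.0.0.1    # this server's own sync address
            IPv4_address 10.0.0.2    # the peer's sync address
        }
    }
}
```

Whether an entry has reached the peer's kernel before the next packet of the handshake arrives there can be checked on each server by comparing `conntrackd -i` (internal cache) with `conntrack -L` (kernel table) while the connection is attempted.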