Discussion:
advanced routing with NAT: returning UDP traffic
Maarten
2014-09-23 12:46:17 UTC
Hi,

until now, i've done multiple ISPs with nexthop default route, 2 extra tables,
ip rule and TCP connmark.

but, how does this involve UDP traffic...

if for example i have in my NAT LAN an NTP server, how would i get the udp
packet out the same interface where it was originally coming in from?

please advise...

Maarten
--
BA NV
IT & Security
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Eliezer Croitoru
2014-09-23 17:41:08 UTC
Hey Maarten,

As long as I remember conntrack and conntrack are working together.
Which means that udp traffic will be distinguished the same way as TCP
as long as the connection tracking categorizes it under the same connection
stream.
(I think for unestablished connection 30 secs and more for an
"established" one)

Eliezer
Post by Maarten
Hi,
until now, i've done multiple ISPs with nexthop default route, 2 extra tables,
ip rule and TCP connmark.
but, how does this involve UDP traffic...
if for example i have in my NAT LAN an NTP server, how would i get the udp
packet out the same interface where it was originally coming in from?
please advise...
Maarten
Maarten Vanraes
2014-09-24 09:35:59 UTC
conntrack and conntrack ? i'm assuming this is a typo?

so, even some kind of odd udp reply will still be the same connection if it's
within 30 seconds?

so, i can use connmark on not just TCP, but on all protocols?

Regards,

Maarten
Post by Eliezer Croitoru
Hey Maarten,
As long as I remember conntrack and conntrack are working together.
Which means that udp traffic will be distinguished the same way as TCP
as long as the connection tracking categorizes it under the same connection
stream.
(I think for unestablished connection 30 secs and more for an
"established" one)
Eliezer
Post by Maarten
Hi,
until now, i've done multiple ISPs with nexthop default route, 2 extra
tables, ip rule and TCP connmark.
but, how does this involve UDP traffic...
if for example i have in my NAT LAN an NTP server, how would i get the udp
packet out the same interface where it was originally coming in from?
please advise...
Maarten
Pascal Hambourg
2014-09-24 09:49:02 UTC
so, even some kind of odd udp reply will still be the same connection if it's
within 30 seconds?
Not odd. The reply packet has to match the addresses and ports in the
original packet (with source and destination swapped).
so, i can use connmark on not just TCP, but on all protocols?
Not all protocols, but any protocol implementation which behaves in the
way expected by conntrack.
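Added example, not from the thread: the connmark/policy-routing rule set that answers the original question. The same rules cover the UDP case (NTP to a LAN server behind NAT) because CONNMARK keys on the conntrack entry, and the UDP reply is matched to that entry by the swapped address/port tuple. Interface names, addresses, marks and table ids are constructed placeholders; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example (not code from the thread): multi-ISP return-path routing
# with conntrack + CONNMARK.  The same rules cover UDP (e.g. NTP to a LAN
# server behind NAT), because CONNMARK keys on the conntrack entry, and a UDP
# reply is matched to its entry by the swapped address/port tuple.
# Interface names, addresses, marks and table ids are constructed placeholders.
# Dry run by default (prints the commands); run with RUN= to apply as root.
RUN=${RUN:-echo}
LAN_NTP=192.168.1.10            # constructed: NTP server inside the NAT LAN

# One line per ISP: "iface table mark gateway" (constructed values).
WAN_SPEC="wan0 100 1 203.0.113.1
wan1 200 2 198.51.100.1"

multiwan_rules() {
    # Restore the conntrack mark onto every packet before the routing
    # decision (PREROUTING for forwarded traffic, OUTPUT for local replies).
    $RUN iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    $RUN iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    echo "$WAN_SPEC" | while read -r iface table mark gw; do
        # Per-ISP table and the policy rule that sends marked packets to it.
        $RUN ip route add default via "$gw" dev "$iface" table "$table"
        $RUN ip rule add fwmark "$mark" table "$table"
        # Strict reverse-path filtering would drop inbound packets on an ISP
        # that is not the main table's route; loose mode (2) keeps them.
        $RUN sysctl -w "net.ipv4.conf.$iface.rp_filter=2"
        # First packet of any new flow (any protocol) arriving on this ISP:
        # tag the conntrack entry, so every reply restores the same mark and
        # leaves through the interface it came in on.
        $RUN iptables -t mangle -A PREROUTING -i "$iface" -m conntrack \
            --ctstate NEW -j CONNMARK --set-mark "$mark"
        # LAN-originated flows: remember which ISP the first packet left by,
        # so the rest of the flow stays on it instead of re-rolling nexthop.
        $RUN iptables -t mangle -A POSTROUTING -o "$iface" -m conntrack \
            --ctstate NEW -j CONNMARK --set-mark "$mark"
        # NAT: masquerade outbound per ISP; forward inbound NTP to the LAN
        # server.  conntrack reverses the DNAT on the reply automatically.
        $RUN iptables -t nat -A POSTROUTING -o "$iface" -j MASQUERADE
        $RUN iptables -t nat -A PREROUTING -i "$iface" -p udp --dport 123 \
            -j DNAT --to-destination "$LAN_NTP"
    done
}

multiwan_rules
```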
Maarten Vanraes
2014-09-24 10:16:10 UTC
Post by Pascal Hambourg
so, even some kind of odd udp reply will still be the same connection if
it's within 30 seconds?
Not odd. The reply packet has to match the addresses and ports in the
original packet (with source and destination swapped).
so, i can use connmark on not just TCP, but on all protocols?
Not all protocols, but any protocol implementation which behaves in the
way expected by conntrack.
ok, thanks,

so, this is why streaming/voip stuff will still have issues...
--
BA NV
IT & Security
Eliezer Croitoru
2014-09-24 12:38:26 UTC
Post by Maarten Vanraes
ok, thanks,
so, this is why streaming/voip stuff will still have issues...
Yes indeed.
and I meant conntrack and connmark...
VOIP and STREAMING are beasts!!!
There are modules which analyze them and also recognize them but you
will need to enable them first.

The issue is not UDP by itself, as you understand.
It's a well known issue with multi IP NAT machines in ISPs.
In many cases a SIP proxy helps to fix a couple of things.
I haven't tried it yet but it seems like there are commercial products
that implement these SIP proxies.

Eliezer
Maarten Vanraes
2014-09-24 12:52:51 UTC
Post by Eliezer Croitoru
Post by Maarten Vanraes
ok, thanks,
so, this is why streaming/voip stuff will still have issues...
Yes indeed.
and I meant conntrack and connmark...
VOIP and STREAMING are beasts!!!
There are modules which analyze them and also recognize them but you
will need to enable them first.
The issue is not UDP by itself, as you understand.
It's a well known issue with multi IP NAT machines in ISPs.
In many cases a SIP proxy helps to fix a couple of things.
I haven't tried it yet but it seems like there are commercial products
that implement these SIP proxies.
i've used siproxd before... but it's limited, i could set up an asterisk in
between, but that might be overkill and i'm not sure i could intercept it
without configuring stuff on the other side...

what kind of modules do you know that help conntracking this kind of stuff?

and... what about ipv6 and multiple ISPs? (but without natting, but still no
bgp or something), won't i still have the same problem?

Regards,

Maarten
--
BA NV
IT & Security
Pascal Hambourg
2014-09-26 13:18:42 UTC
Post by Eliezer Croitoru
VOIP and STREAMING are beasts!!!
There are modules which analyze them and also recognize them but you
will need to enable them first.
what kind of modules do you know that help conntracking this kind of
stuff?

For SIP : nf_conntrack_sip. There is a nf_conntrack_<protocol> helper
for each supported "complex" protocol (FTP, IRC, PPTP...). Their purpose
is to set the state of the first packet of the data connection to
RELATED, and copy the connmark of the control connection to the data
connection. On a box doing NAT, you also need the related
nf_nat_<protocol> module.
and... what about ipv6 and multiple ISPs? (but without natting, but still no
bgp or something), won't i still have the same problem?
Yes.
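Added example, not from the thread: loading the SIP helper pair Pascal names (nf_conntrack_sip plus nf_nat_sip on a NAT box) and binding it explicitly, so the media flows it expects get state RELATED and inherit the control flow's connmark. Port 5060 is SIP's registered port; the explicit CT binding is needed on kernels that no longer auto-assign helpers. Prints by default; run with RUN= to apply as root.

```shell
#!/bin/sh
# Added example (not from the thread): enable the SIP conntrack/NAT helper so
# the RTP flows negotiated in SIP become RELATED and inherit the control
# connection's connmark, and with it the return-path routing already in place.
# RUN= applies for real; default is a dry run that prints the commands.
RUN=${RUN:-echo}

sip_helper_rules() {
    $RUN modprobe nf_conntrack_sip
    $RUN modprobe nf_nat_sip          # required on a box doing NAT
    # Newer kernels do not attach helpers automatically: bind the helper in
    # the raw table so conntrack parses the SDP inside SIP messages.
    $RUN iptables -t raw -A PREROUTING -p udp --dport 5060 -j CT --helper sip
    $RUN iptables -t raw -A OUTPUT -p udp --dport 5060 -j CT --helper sip
    # Expected media flows arrive as RELATED; they carry the control flow's
    # connmark, so the existing fwmark rules send them out the same ISP.
    $RUN iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

sip_helper_rules
```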
Maarten Vanraes
2014-09-26 14:02:37 UTC
Post by Eliezer Croitoru
VOIP and STREAMING are beasts!!!
There are modules which analyze them and also recognize them but you
will need to enable them first.
what kind of modules do you know that help conntracking this kind of
stuff?
For SIP : nf_conntrack_sip. There is a nf_conntrack_<protocol> helper
for each supported "complex" protocol (FTP, IRC, PPTP...). Their purpose
is to set the state of the first packet of the data connection to
RELATED, and copy the connmark of the control connection to the data
connection. On a box doing NAT, you also need the related
nf_nat_<protocol> module.
and... what about ipv6 and multiple ISPs? (but without natting, but still
no bgp or something), won't i still have the same problem?
Yes.
awesome, this makes it totally clear... thx!
--
BA NV
IT & Security