Setting up DNAT servers

1

Hi, I have trouble connecting to a server that I had set up with a DNAT configuration.

I have two listening servers, 145.217 and 145.241; both have their gateway IP configured as my load balancer IP, 145.245.

Below are my iptables and netstat details. The following output is from running netstat -nr on my AIX servers (145.217 and 145.241):

root@CMS-HTTP2-dep2(/)# netstat -nr
Routing tables
Destination Gateway Flags Refs Use If Exp Groups

Route Tree for Protocol Family 2 (Internet):
default        xxx.xxx.145.245 UG   4 3863 en0 - - =>
default        xxx.xxx.145.1   UG   2 654 en0 - -
xxx.xxx.0.0    xxx.xxx.145.217 UHSb 0 0 en0 - - =>
xxx.xxx/16     xxx.xxx.145.217 U    28 339523 en0 - -
xx.xxx.255.255 xxx.xxx.145.217 UHSb 0 8 en0 - -
127/8          127.0.0.1       U 5  228443 lo0 - -

And the following rules are added to iptables on my load balancer (145.245):

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             mark match     0x200 /*  FARM_ATMC_0_  */ to:xxxxxx.145.217:8889
DNAT       tcp  --  anywhere             anywhere             mark match 0x201 /*  FARM_ATMC_1_  */ to:xxxxxx.145.241:8889


Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

I can telnet in to my servers if I add

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

but that defeats the purpose of DNAT, as I need to get the real incoming IP.

Please let me know if I need to provide further details, as I am very new to networking.

EDIT: More info. The following is the tcpdump I get from my listening server 145.241, which indicates that the telnet message does indeed reach it through the load balancer:

root@CMS-HTTP1-dep2(/)#  tcpdump -vv -x -X -s 1500 -i en0 'port 8889'
tcpdump: listening on en0, link-type 1, capture size 1500 bytes
06:11:37.034781 IP (tos 0x0, ttl 127, id 3352, offset 0, flags [DF], proto:     TCP (6), length: 56) xxx.xxx.145.247.55645 > CMS-HTTP1-dep2.ddi-tcp-2: S, cksum     0x8e84 (correct) 1949565717:1949565717(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK,nop,opt-14:03>
    0x0000:  4500 0038 0d18 4000 7f06 b591 0a97 91f7  E..8..@...▒....▒
    0x0010:  0a97 91f1 d95d 22b9 7434 0315 0000 0000  ...▒▒]"▒t4......
    0x0020:  9002 2000 8e84 0000 0204 05b4 0103 0308  ...........▒....
    0x0030:  0101 0402 010e 0303                      ........
06:11:37.034839 IP (tos 0x0, ttl  60, id 41150, offset 0, flags [none],     proto: TCP (6), length: 48) CMS-HTTP1-dep2.ddi-tcp-2 > xxx.xxx.145.247.55645: S,     cksum 0xf418 (correct) 2780642750:2780642750(0) ack 1949565718 win 65535 <mss 1460,nop,wscale 3>
    0x0000:  4500 0030 a0be 0000 3c06 a4f3 0a97 91f1  E..0▒▒..<.▒▒...▒
    0x0010:  0a97 91f7 22b9 d95d a5bd 3dbe 7434 0316  ...▒"▒▒]▒▒=▒t4..
    0x0020:  7012 ffff f418 0000 0204 05b4 0103 0303  p.▒▒▒......▒....
06:11:37.035222 IP (tos 0x0, ttl 128, id 3474, offset 0, flags [DF], proto: TCP (6), length: 40) xxx.xxx.145.247.55645 > CMS-HTTP1-dep2.ddi-tcp-2: R, cksum 0x8c1e (correct) 1949565718:1949565718(0) win 0
    0x0000:  4500 0028 0d92 4000 8006 b427 0a97 91f7  E..(..@...▒'...▒
    0x0010:  0a97 91f1 d95d 22b9 7434 0316 7434 0316  ...▒▒]"▒t4..t4..
    0x0020:  5004 0000 8c1e 0000 0000 0000 0000       P.............

Thanks and regards

user1852471

Posted 2016-11-19T11:13:42.360

Reputation: 11

What is your actual question? – DavidPostill – 2016-11-19T13:06:44.900

I set up a DNAT environment; however, my incoming message cannot go through. tcpdump suggests that it received the message. I suspect that somehow the DNAT setup is not configured properly and I need some help to debug/solve the issue – user1852471 – 2016-11-19T14:37:53.903

You have two 'default routes' - one goes to the load balancer and one goes to x.y.z.1. Is the load balancer intended for outgoing traffic - for everything? I have not used one myself, but I thought a load balancer was redirecting traffic from somewhere to one of multiple destinations. THEN I would not expect the load balancer to be one of my default routers - for my replies, unless the reply - through NAT - goes back to the balancer and it restores the original requester IP address. SO, what happens if you route delete net default x.y.z.245? – Michael Felt – 2016-11-24T18:16:00.783

For DNAT configuration, the requester cannot be in the same network as the servers or the router (load balancer). After that I can telnet into the network. @Michael Felt thanks for the suggestion; I already removed one of the default gateways, the internal servers' gateway will be the router IP now – user1852471 – 2016-11-28T22:17:02.940

Answers

0

For DNAT configuration, the requester cannot be in the same network as the servers or the router (load balancer). After that I can telnet into the network.

user1852471

Posted 2016-11-19T11:13:42.360

Reputation: 11
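The constraint in this answer can be read directly off the question's tcpdump: the SYN reaches the server with TTL 127 (one hop, through the balancer), the server answers the client directly, and the client, whose request went via the balancer, immediately resets with TTL 128 (no hop in between), so the reply never had its DNAT undone. The following added example (not from the question, the answer, or any project) parses those three summary lines and prints that diagnosis; `Pkt`, `parse_tcpdump` and `diagnose` are names chosen here, and the sample is constructed from the question's capture.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three packet-summary lines from the question's
# tcpdump (hex-dump lines dropped; the parser skips them anyway).
SAMPLE = """\
06:11:37.034781 IP (tos 0x0, ttl 127, id 3352, offset 0, flags [DF], proto: TCP (6), length: 56) xxx.xxx.145.247.55645 > CMS-HTTP1-dep2.ddi-tcp-2: S, cksum 0x8e84 (correct) 1949565717:1949565717(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK,nop,opt-14:03>
06:11:37.034839 IP (tos 0x0, ttl  60, id 41150, offset 0, flags [none], proto: TCP (6), length: 48) CMS-HTTP1-dep2.ddi-tcp-2 > xxx.xxx.145.247.55645: S, cksum 0xf418 (correct) 2780642750:2780642750(0) ack 1949565718 win 65535 <mss 1460,nop,wscale 3>
06:11:37.035222 IP (tos 0x0, ttl 128, id 3474, offset 0, flags [DF], proto: TCP (6), length: 40) xxx.xxx.145.247.55645 > CMS-HTTP1-dep2.ddi-tcp-2: R, cksum 0x8c1e (correct) 1949565718:1949565718(0) win 0
"""

@dataclass
class Pkt:
    ttl: int
    src: str       # "host.port" exactly as tcpdump prints it
    dst: str
    flags: str     # letter-style flags of this tcpdump build: S, R, P, F, .
    seq: int
    has_ack: bool

# ttl, "src > dst:", flags, then the seq:seq(len) field and the rest of the line
LINE = re.compile(r"ttl\s+(\d+),.*?\)\s+(\S+)\s+>\s+(\S+):\s+([SRPF.]+),"
                  r".*?\s(\d+):\d+\(\d+\)(.*)")

def parse_tcpdump(text):
    pkts = []
    for line in text.splitlines():      # banner and hex-dump lines do not match
        m = LINE.search(line)
        if m:
            pkts.append(Pkt(int(m[1]), m[2], m[3], m[4], int(m[5]), " ack " in m[6]))
    return pkts

def diagnose(text):
    findings, pkts = [], parse_tcpdump(text)
    for i, syn in enumerate(pkts):
        if syn.flags != "S" or syn.has_ack:
            continue
        later = pkts[i + 1:]
        synack = next((p for p in later if p.flags == "S" and p.has_ack
                       and p.src == syn.dst and p.dst == syn.src), None)
        rst = next((p for p in later if "R" in p.flags
                    and p.src == syn.src and p.seq == syn.seq + 1), None)
        if synack and rst:   # client had no socket expecting a reply from this host
            findings.append(f"{syn.src} reset the handshake right after {synack.src} "
                            "answered directly: the SYN-ACK bypassed the DNAT gateway")
        if rst and rst.ttl != syn.ttl:   # same sender, different hop counts
            findings.append(f"{syn.src}: SYN arrived with TTL {syn.ttl} but RST with "
                            f"TTL {rst.ttl}, so request and reset took different paths")
    return findings
```

Running `diagnose(SAMPLE)` returns both findings for the question's capture; on a capture where the client sits outside the server subnet (or where the POSTROUTING MASQUERADE rule is in place) the SYN-ACK goes back through the gateway and the list is empty.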