Bridging and iptables SNAT conflict

Posted by sad_admin on Server Fault
Published on 2011-11-20T15:48:19Z

Hello, I am working on a setup here and have it working with one minor exception.

Devices on one side of my bridge aren't getting SNAT'd to the Internet.


The Diagram / Overview:

                 Primary_Network (Site_A)
                         |
                         |
    Internet ------- Linux_Bridge_GW (GW)
                         |
                         |
                 Secondary/CoLo Site (Site_B)


Here is the setup:

1.) Site_A has all the production servers and workstations.

2.) Site_B has a set of servers that we would like to fail-over to and also serve our internet facing services from.

3.) GW has two interfaces that are trunked and carrying the appropriate VLAN traffic (allowing layer-2 propagation of traffic between sites). This all works perfectly fine.

4.) The problem that is being encountered is that hosts from Site_B have their default GW at Site_A (same subnet); GW does not have IPs on the VLANs that are being passed.

5.) All hosts at Site_A can reach the Internet without problem.

6.) GW has an address on a subnet that is ONLY for Internet-destined traffic. (This was done so that Websense would not have to parse unnecessary traffic. We use this VLAN as the monitor port's source on the switch where Websense is sitting.)


What I think is happening:

1.) Packet/Frame comes in on physdev at Site_B destined for Internet.

2.) Kernel sees packet, and forwards it out the other side of the bridge to that host's default GW.

3.) Site_A (containing the core network's default GW) sees that the packet is destined for a host it doesn't know about, so it sends it to its default GW (the Linux bridge, since it's Internet bound).

4.) The kernel says "Hey, I've seen you before" and therefore doesn't do SNAT'ing on the packet and sends it out to the Internet where it's black-holed.


Why I think it's happening:

1.) A tcpdump on the Internet-facing NIC shows the packet leaving the interface with the private address as its source.


What I would like:

1.) Have the packet SNAT'd.

2.) Something like the below would be awesome:
    a.) packet comes in from Site_B
    b.) kernel sees that the packet is NOT destined for itself or any private address
    c.) kernel says "OK, well since you're destined for the Internet I'm going to send you out this interface rather than forward you to your normal default GW that's WAAAY over there."
    d.) packet comes in from the Internet and is sent out the appropriate bridge physdev depending on which site the host it's destined for is at.

Thanks for any assistance or guidance that you are willing to offer.

Best Regards, Sad Admin
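A small diagnostic for the symptom the post describes (private source addresses leaving the Internet-facing NIC, and whether the nat table even has a SNAT/MASQUERADE rule bound to that NIC). This is added example code, not part of the original post; the tcpdump lines, the `iptables -t nat -S POSTROUTING` dump, the interface names eth0/br0 and all addresses are constructed samples.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -n -i eth0` on the Internet-facing NIC.
# Line 1 is the failure case from the post: a private source left un-SNAT'd.
# Line 2 is what a correctly SNAT'd packet looks like (made-up public GW address).
# Line 3 is a reply from the Internet and must not be flagged.
SAMPLE_TCPDUMP = """\
15:48:19.100001 IP 10.20.30.40.51234 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
15:48:19.100002 IP 93.184.216.50.51235 > 93.184.216.34.80: Flags [S], seq 2, win 64240, length 0
15:48:19.100003 IP 93.184.216.34.80 > 93.184.216.50.51235: Flags [S.], seq 3, ack 3, length 0
"""

# Constructed sample of `iptables -t nat -S POSTROUTING`; eth0 is the assumed
# Internet-facing interface, br0 the bridge carrying the site VLANs.
SAMPLE_NAT_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
"""

# Matches "<ts> IP <src>[.port] > <dst>[.port]:" as printed by tcpdump -n for IPv4.
TCPDUMP_RE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?:"
)


def leaked_private_sources(tcpdump_text):
    """Return (src, dst) pairs where a private source is heading to a non-private
    destination. On a capture taken on the egress NIC, every such packet left
    without SNAT, which is exactly the black-holed traffic described in the post."""
    leaks = []
    for line in tcpdump_text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue  # ARP, IPv6, truncated lines etc. are ignored
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
        if src.is_private and not dst.is_private:
            leaks.append((str(src), str(dst)))
    return leaks


def has_snat_rule(rules_text, egress_if):
    """True if the POSTROUTING dump contains a MASQUERADE or SNAT rule bound to
    egress_if with `-o`; a rule bound to the bridge instead would not catch routed
    Internet-bound traffic leaving via the separate Internet NIC."""
    for line in rules_text.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue
        if f"-o {egress_if} " in line + " " and ("-j MASQUERADE" in line or "-j SNAT" in line):
            return True
    return False
```

Run `leaked_private_sources` over a real `tcpdump -n -i <internet-nic>` capture; any hit confirms the post's diagnosis that the packet reached the egress NIC without passing a matching nat rule.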
