Sunday, January 12, 2025

routing – Why do packets with the identical destination IP arriving over two different interfaces get sent to the same service, even though I DNAT them differently?


I'm running two Linux machines, A (local) and B (remote). On each machine I have two tun devices: tun0 and tun1. I've used ssh -w n:n to create a tunnel between tun0 (IP 10.42.0.1 on A) and tun0 (IP 10.42.0.2 on B), and between tun1 (IP 10.42.0.3 on A) and tun1 (IP 10.42.0.4 on B).

On B, I have the following iptables rules:

sudo iptables -t mangle -A PREROUTING -d 239.0.0.2 --protocol udp --destination-port 23000 -j TEE --gateway 172.21.0.3
sudo iptables -t mangle -A PREROUTING -d 239.0.0.2 --protocol udp --destination-port 23000 -j TEE --gateway 172.19.0.2

I've used ip route to tell B to route requests to 172.21.0.3 over tun1 and requests for 172.19.0.2 over tun0:

sudo ip route add 172.21.0.3 via 10.42.0.3
sudo ip route add 172.19.0.2 via 10.42.0.1

And on A, I have the following iptables rules:

sudo iptables -t nat -A PREROUTING -p udp --dport 23000 -i tun1 -j DNAT --to 172.21.0.3 2>/dev/null
sudo iptables -t nat -A PREROUTING -p udp --dport 23000 -i tun0 -j DNAT --to 172.19.0.2 2>/dev/null

Together, I would expect these rules to result in the following behavior: packets sent to 239.0.0.2 on B get duplicated and sent to tun0 and tun1 on A. Packets arriving at tun0 on A get DNAT'ed to flow to 172.19.0.2, and packets arriving at tun1 on A get DNAT'ed to flow to 172.21.0.3.

That is almost what happens. Except instead, when I start my Docker container with IP address 172.19.0.2 and my Docker container with IP address 172.21.0.3 on A, I see UDP traffic flow to either 172.19.0.2 or 172.21.0.3 (depending on which one started first).

I've confirmed with sudo iptables -t nat -L PREROUTING -nv that I am seeing packets get DNAT'ed by both rules. But when I use pwru to follow packets bound to the host that is receiving packets: pwru 'dst host 172.19.0.2 and udp and dst port 23000', I see that traffic from both tun0 and from tun1 is getting sent to 172.19.0.2.

Why would this be the case? Does my kernel do some kind of caching of routes that supersedes this DNAT rule?
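Editor's note, added here and not part of the original question: the "cache" the poster is asking about is conntrack, not the routing table. The nat table is only consulted for the first packet of a flow; the chosen DNAT mapping is stored in that flow's conntrack entry and applied to every later packet of the same flow. A flow is identified by (zone, protocol, source address, source port, destination address, destination port); the ingress interface is not part of the key, and TEE clones keep the original destination 239.0.0.2:23000. So the clones arriving over tun0 and tun1 are one flow to conntrack, and both follow whichever DNAT mapping was created first. `conntrack -L -p udp --dport 23000` (conntrack-tools) will show the single entry. The usual fix is to give each tunnel its own conntrack zone in the raw table, so the two clones get separate entries and both DNAT rules apply, for example `iptables -t raw -A PREROUTING -i tun0 -p udp --dport 23000 -j CT --zone 1` and the same for tun1 with `--zone 2`. The toy model below is the editor's own illustration of that lookup logic (not kernel code and not from the poster); the sender address 10.0.5.7 and port 40000 are constructed sample values.

```python
"""Toy model of netfilter DNAT + conntrack flow lookup (illustration only)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # ingress interface on host A (tun0 / tun1)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    iface: str   # -i match
    proto: str   # -p match
    dport: int   # --dport match
    to: str      # --to destination


class Host:
    """Models one host's nat PREROUTING chain plus its conntrack table."""

    def __init__(self, rules: List[DnatRule],
                 zone_of_iface: Optional[Dict[str, int]] = None) -> None:
        self.rules = list(rules)
        self.zone_of_iface = zone_of_iface or {}   # raw-table CT --zone rules
        self.conntrack: Dict[Tuple, str] = {}      # flow key -> DNAT'ed destination

    def _flow_key(self, pkt: Packet) -> Tuple:
        # Conntrack keys a flow on (zone, proto, src, sport, dst, dport).
        # The ingress interface is NOT part of the key; zone defaults to 0.
        zone = self.zone_of_iface.get(pkt.iface, 0)
        return (zone, pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def _nat_lookup(self, pkt: Packet) -> str:
        # First matching DNAT rule wins, as in an iptables chain.
        for r in self.rules:
            if r.iface == pkt.iface and r.proto == pkt.proto and r.dport == pkt.dport:
                return r.to
        return pkt.dst   # no rule matched: destination left unchanged

    def receive(self, pkt: Packet) -> str:
        """Return the destination the packet is actually delivered to."""
        key = self._flow_key(pkt)
        if key not in self.conntrack:
            # First packet of the flow: nat table consulted, mapping stored.
            self.conntrack[key] = self._nat_lookup(pkt)
        # Later packets of the flow reuse the stored mapping; nat is skipped.
        return self.conntrack[key]


# The two DNAT rules from the question, in the order they were added on A.
RULES = [
    DnatRule("tun1", "udp", 23000, "172.21.0.3"),
    DnatRule("tun0", "udp", 23000, "172.19.0.2"),
]


def tee_clones(first_iface: str) -> List[Packet]:
    """Two TEE clones of one multicast datagram, one per tunnel (constructed)."""
    second = "tun1" if first_iface == "tun0" else "tun0"
    base = dict(proto="udp", src="10.0.5.7", sport=40000,
                dst="239.0.0.2", dport=23000)
    return [Packet(first_iface, **base), Packet(second, **base)]


def deliver_without_zones(first_iface: str) -> List[str]:
    """Question's setup: both clones share one flow, so one DNAT mapping."""
    host = Host(RULES)
    return [host.receive(p) for p in tee_clones(first_iface)]


def deliver_with_zones(first_iface: str) -> List[str]:
    """With CT --zone per tunnel: separate flows, both DNAT rules apply."""
    host = Host(RULES, zone_of_iface={"tun0": 1, "tun1": 2})
    return [host.receive(p) for p in tee_clones(first_iface)]


if __name__ == "__main__":
    for first in ("tun0", "tun1"):
        print(first, "first, no zones:", deliver_without_zones(first))
        print(first, "first, zones:   ", deliver_with_zones(first))
```

Without zones the model reproduces the symptom: whichever clone is seen first fixes the destination for both tunnels. Note that `--notrack` is not an alternative fix, because NAT requires a conntrack entry to store the mapping.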
