Practical Case I: Understanding layer 4 NAT and DNAT load balancing

POSTED ON 20 September, 2017

These practical cases are a training guide to understand better how networking, security and high availability technologies work.

Firstly, try the following exercise:

Step 1. Install Zevenet CE from GIT, SF or Docker
            https://www.zevenet.com/community

Step 2. Create L4xNAT farm with 2 backends and NAT or DNAT mode
            https://www.zevenet.com/knowledge-base/

Step 3. Execute in a console of Zevenet CE and try to understand the result of:
            root# iptables -t mangle -n -L
            root# iptables -t nat -n -L

Doubts and comments in the official mailing list!

Answer

The load balancer is a network device in charge of ensure the traffic flow between the client and the backends or real servers, so 4 steps will be taken care in order to ensure the flows, packet per packet of the connection at layer 4:

Load_Balancer_l4_packet_flows

1. The packet from the client is sent from the client to the load balancer
2. The packet is sent from the load balancer to one selected real server or backend
3. The packet replies from the server to the load balancer
4. The packet is sent back to the client as a response

Zevenet layer 4 (LSLB – L4xNAT profiles) handle all these packets using netfilter subsystem through iptables and the network routing system.

For this reason, when configuring a DNAT mode farm and execute the iptables commands we can find rules generated in the tables mangle and nat of netfilter. Further information about Netfilter tables here .

In the PREROUTING chain of the mangle table it’s shown the rules that matches:

– All incoming packets from all sources or clients which destination is the virtual address and port of the service (in the example will be 192.168.101.250:443)
– Then mark the packets according to a certain algorithm, in this case is a weight based on a probability method.

root@zevenet:~# iptables -L -t mangle -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            CONNMARK restore
MARK       tcp  --  0.0.0.0/0            192.168.101.250      statistic mode random probability 1.00000000000 multiport dports 443 /*  FARM_app_1_  */ MARK set 0x20d
MARK       tcp  --  0.0.0.0/0            192.168.101.250      statistic mode random probability 0.50000000000 multiport dports 443 /*  FARM_app_0_  */ MARK set 0x20c
CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK save

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Now that the incoming packets are marked, in the PREROUTING chain of the nat table we use the packet mark in order to change the destination address of the packet to one backend or another. For this example, the IP addresses 192.168.1.10 and 192.168.1.11 are the real servers.

root@zevenet:~# iptables -L -t nat -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            mark match 0x20c /*  FARM_app_0_  */ to:192.168.1.10:443
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            mark match 0x20d /*  FARM_app_1_  */ to:192.168.1.11:443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

The conntrack table manages the destination address translation and in the DNAT mode, the return packet is managed by routes as the load balancer will be the default gateway of the backends.

In the case of NAT, or SNAT as it’s commonly known, the conntrack manages not only the destination address translation but also the source address translation. In this case, the only difference with DNAT is that the replied packet it’s not managed by the routing system but by the conntrack table. So we can find just 2 new rules in the POSTROUTING chain of the nat table in order to perform the MASQUERADING with the virtual IP address of the farm.

root@zevenet:~# iptables -L -t nat -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            mark match 0x20c /*  FARM_app_0_  */ to:192.168.1.10:443
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            mark match 0x20d /*  FARM_app_1_  */ to:192.168.1.11:443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            mark match 0x20c /*  FARM_app_0_  */ to:192.168.101.250
SNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            mark match 0x20d /*  FARM_app_1_  */ to:192.168.101.250

Further doubts? Ask to the mailing list!

Share on:

Documentation under the terms of the GNU Free Documentation License.

Was this article helpful?

Related Articles