Tags: tcp, iptables

DNAT translation in iptables for TCP connections


Suppose I have a DNAT rule which forwards TCP packets destined for a frontend IP to a backend IP, that of a server, say server1. This backend server1 is up and running and we have an already established TCP connection. The client is sending and receiving packets to the frontend IP, which is being DNATed to the server1 IP.

Now suppose there is a new backend server, say server2, and the rule is deleted and a new DNAT rule is added with server2's backend IP, while server1 is still up at the same time. As I understand it, a new attempt to connect to the frontend IP with TCP will be DNATed to server2. But what would happen to the already established connections to server1? Based on my observation the client is sending TCP packets to server1 even though the iptables rules on the system where the client is running now DNAT TCP to server2.


Solution

  • Looks like the answer is as follows:

    This table is slightly different from the filter table, in that only the first packet of a new connection will traverse the table: the result of this traversal is then applied to all future packets in the same connection.

    Mentioned in https://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-3.html#ss3.2
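The behaviour quoted above is implemented by connection tracking: the NAT decision made on the first packet is stored in the flow's conntrack entry, and every later packet of that flow is rewritten from the entry, not from the rules. So after the rule swap, the way to find out which client connections are still pinned to server1 is to read the conntrack table (`conntrack -L -p tcp` on the client host), not the iptables rules. The script below is an added example, not code from the original question or answer. It parses a constructed sample of `conntrack -L` output (the addresses 192.0.2.10 for the frontend, 10.1.0.11 for server1 and 10.1.0.12 for server2 are assumptions for illustration) and reports the ESTABLISHED flows to the frontend whose reply side is still server1, i.e. the ones the old rule is still governing. It also builds the `conntrack -D` invocations that would drop those entries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `conntrack -L -p tcp` output (not captured from a real
# host).  Assumed addresses: frontend 192.0.2.10, server1 10.1.0.11,
# server2 10.1.0.12, client 10.0.0.5.  The first src/dst pair is the original
# direction (what the client sent, before DNAT); the second is the reply
# direction, so reply src= is the backend the entry was DNATed to.
SAMPLE_CONNTRACK = """\
tcp      6 431998 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51234 dport=80 src=10.1.0.11 dst=10.0.0.5 sport=80 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51240 dport=80 src=10.1.0.12 dst=10.0.0.5 sport=80 dport=51240 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.5 dst=192.0.2.10 sport=51200 dport=80 src=10.1.0.11 dst=10.0.0.5 sport=80 dport=51200 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.7 sport=40000 dport=443 src=203.0.113.7 dst=10.0.0.5 sport=443 dport=40000 [ASSURED] mark=0 use=1
"""

_TUPLE = r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)"
# Only TCP lines carry a state column; other protocols simply do not match.
_LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?P<state>[A-Z_]+)\s+"
    + _TUPLE + r"\s+" + _TUPLE
)


@dataclass(frozen=True)
class Flow:
    proto: str
    state: str
    src: str          # client address (original direction)
    dst: str          # address the client connected to (frontend, pre-DNAT)
    sport: int
    dport: int
    reply_src: str    # backend the conntrack entry maps this flow to
    reply_sport: int


def parse_conntrack(text: str) -> List[Flow]:
    """Parse TCP entries from `conntrack -L` output into Flow records."""
    flows = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        src, dst, sport, dport, rsrc, _rdst, rsport, _rdport = m.groups()[3:]
        flows.append(Flow(m.group("proto"), m.group("state"), src, dst,
                          int(sport), int(dport), rsrc, int(rsport)))
    return flows


def flows_pinned_to(flows: List[Flow], frontend: str, backend: str,
                    dport: Optional[int] = None) -> List[Flow]:
    """ESTABLISHED flows opened to `frontend` whose entry still maps to
    `backend`.  These keep going to `backend` after the DNAT rule is
    replaced, because NAT is decided once, on the first packet."""
    return [f for f in flows
            if f.state == "ESTABLISHED"
            and f.dst == frontend and f.reply_src == backend
            and (dport is None or f.dport == dport)]


def delete_commands(flows: List[Flow]) -> List[str]:
    """conntrack(8) commands that drop these entries.  Note this does not
    migrate a TCP connection to the new backend: once the entry is gone the
    next packet is no longer part of a tracked flow, so the connection fails.
    Use it to force-drain old flows, not to move them."""
    return [f"conntrack -D -p {f.proto} -s {f.src} -d {f.dst} "
            f"--sport {f.sport} --dport {f.dport}" for f in flows]


if __name__ == "__main__":
    flows = parse_conntrack(SAMPLE_CONNTRACK)
    stale = flows_pinned_to(flows, "192.0.2.10", "10.1.0.11", dport=80)
    for f in stale:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} still DNATed to {f.reply_src}")
    for cmd in delete_commands(stale):
        print(cmd)
```

On a real host, feed it `conntrack -L -p tcp 2>/dev/null` (the tool needs root and the nf_conntrack module loaded). The TIME_WAIT entry in the sample is deliberately excluded: it will age out on its own, whereas the ESTABLISHED one to 10.1.0.11 will stay on server1 until the client or server closes it, or until its entry is deleted.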