Skip to main content

IPTables Magic

Blog Post after a long long time. Will be trying to write most of the crazy stuffs done in the past 1.5 years at the sad server

This post is going to cover a bunch of hacks done with iptables to improve / make the most out of linux systems' network performance

IPTables Tee
We are building a packet analysis team which does deep inspection of packets and determine anomalies in the system and determine the slowest performing component in the pipeline. Now sending the raw packets to centralized packet analysis system without affecting the performance of the production system is one of our requirements. We decided to use the iptables tee feature which takes a copy of the packet matching the rule and pass it on to the requested gateway in the same network by just changing the mac address on the cloned packet. The original packet follows the normal process

So lets create a similar setup, my laptop is going to forward a copy of http traffic to raspberry pi in the same network. Make sure ip_forward is turned off at the gateway box(box to which copy of packets are forwarded), here raspberry pi. With ip_forward on, we can cause multiple copies of  packets to be routed in network, tcp will kick in congestion control mechanisms seeing retransmissions. Packets are to be blackholed at the raspberry pi, it can do processing there but should not inject it to the network back conflicting with the original packet. IPtable rules at my box for the forwarding
sudo iptables -t mangle -A INPUT -p tcp --sport 80 -j TEE --gateway 192.168.0.104;sudo iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TEE --gateway 192.168.0.104
Here 192.168.0.104 is the IP of raspberry pi. At Prerouting chain we route the incoming packet, http response and at the output chain we  route the outgoing packet, http request. When I ran tcpdump in the raspberry pi while opening test.com in my laptop this is the flow I got




Raspberry pi became the sniffer, it sees all http traffic flowing to/from my box

IPTABLES as LoadBalancer

This is completely inspired from Kubernetes infrastructure. Lets run two webservers in raspberry pi at port 81 and 82. Lets add iptable rules to roundrobin traffic between these two webservers in my laptop. VIP will be my laptop's ip(192.168.0.112) and port 80, Backends will be pi's ip(192.168.0.104) and port 81/82

iptables -t nat -A PREROUTING -p tcp  --dport 80 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.0.104:81
iptables -t nat -A PREROUTING -p tcp  --dport 80 -m state --state NEW  -j DNAT --to-destination 192.168.0.104:82
iptables -t nat -A POSTROUTING -k MASQUERADE

First two rules is to DNAT the packets to the  backend. The caveat is first rule matches only every 2nd packet, those packets wont follow prerouting chain then. Second rule will match all packets which don't match 1st rule
3rd rule is to SNAT so that actual client ip is replaced by laptop's ip so that backend don't respond to client directly




Comments

Post a Comment

Popular posts from this blog

How we have systematically improved the roads our packets travel to help data imports and exports flourish

This blog post is an account of how we have toiled over the years to improve the throughput of our interDC tunnels. I joined this company around 2012. We were scaling aggressively then. We quickly expanded to 4 DCs with a mixture of AWS and colocation. Our primary DC is connected to all these new DCs via IPSEC tunnels established from SRX. The SRX model we had, had an IPSEC throughput of 350Mbps. Around December 2015 we saturated the SRX. Buying SRX was an option on the table. Buying one with 2Gbps throughput would have cut the story short. The tech team didn't see it happening. I don't have an answer to the question, "Is it worth spending time in solving a problem if a solution is already available out of box?" This project helped us in improving our critical thinking and in experiencing the theoretical network fundamentals on live traffic, but also caused us quite a bit of fatigue due to management overhead. Cutting short the philosophy, lets jump to the story. ...
8 comments
Read more

LXC and Host Crashes

 We had set up a bunch of lxc containers on two servers each with 16 core CPUs and 64 GB RAM(for reliability and loadbalancing). Both the servers are on same vlan. The servers need to have atleast one of their network interface in promiscuous mode so that it forwards all packets on vlan to the bridge( http://blogs.eskratch.com/2012/10/create-your-own-vms-i.html ) which takes care of the routing to containers. If the packets are not addressed to the containers, the bridge drops the packet. Having this setup, we moved all our platform maintenance services to these containers. They are fault tolerant as we used two host machines where each host machine has a replica of the containers on the other. The probability to crash for both the servers at the same time due to some hardware/software failure is less. But to my surprise both the servers are crashing exactly the same time with a mean life time 20 days. We had to wake up late nights(early mornings) to fix stuffs that go...
Post a Comment
Read more

The FB outage

 This outage has caused considerable noise everywhere. It was quite discomforting for me because during the whole conversation nobody bothered to understand the gravity of the issue. I don't expect end users to understand the issue. But this is going to be a blogpost for all of those in the tech field, Such an event can happen how much ever chaos engineering, best of the tech jargon we implement in the stack To all my Site Reliability Engineer friends, Site Up is our first priority. I myself said many a times outage is news and SREs should prevent outage. But I'm afraid this is leading to a cult in the industry who despises outages and takes no learnings from it. I don't know what has happened in Facebook. I can explain a scenario which may or may not be right but that can definitely show the gravity of the issue. Let's draw a probable Facebook architecture Disclaimer I don't work at Facebook. So this might not be how facebook routes traffic. This is based on my exp...
2 comments
Read more