Gentoo Forums
Splitting TCP connection or "MPTCP router" - any ideas?
Networking & Security
orion777
Apprentice
Joined: 15 Mar 2017
Posts: 163
Location: Riga, Latvia

Posted: Sat Sep 01, 2018 8:22 am

I have two Gentoo machines, both with a Multipath TCP (MPTCP) implementation in their kernels. When these machines connect to each other via WAN, they are able to use Multipath TCP because BOTH are MP_Capable. However, if I make a TCP connection from the Windows machine through the first Gentoo machine to the second Gentoo machine (the 1st Gentoo also has a shorewall NAT server), the TCP session is established between Windows and the 2nd Gentoo, so Multipath TCP is not possible because the Windows machine has no MPTCP, so it can't send the MP_Capable flag during TCP session establishment.

As I understand it, to be able to use Multipath TCP between the Gentoo machines, the TCP session from the Windows machine should be terminated at the 1st Gentoo, and then the 1st Gentoo recreates the TCP session to the 2nd Gentoo. The recreated TCP session will have the MP_Capable flag (as the Gentoo machine is MP_Capable) and multipath should work.

The question is: how to do this TCP session splitting? My suggestion is to use a SOCKS proxy on the 1st Gentoo machine. This SOCKS proxy must be transparent, because the Windows machine has no option to use proxies. (The shorewall NAT server does not split the TCP sessions, and should not do this.)

In fact, I have to run only one TCP session over a specific port that should be MP_Capable. All other Windows machine traffic may remain in regular TCP. Both Gentoo machines have fixed WAN IP addresses; the Windows machine is in the LAN and is connected via wireless to the 1st Gentoo.

Illustration of the idea:
https://ibb.co/fMO94e

I'm a dummy, so I will be happy to read any suggestions!

szatox
Veteran
Joined: 27 Aug 2013
Posts: 1717

Posted: Sat Sep 01, 2018 4:46 pm

If it is just one specific port, you can hijack the connection and throw it at your local proxy, which will then open another TCP connection.
The TCP connection itself does not carry information about the destination, though, so you must know that one in advance to configure your proxy.
Still, this may be good enough for your particular use case.

Regarding tools to use... Hijack the connection with iptables and forward it e.g. with haproxy. Mind that you have to specify tcp mode explicitly. AFAIR http is the default.
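The hijack-and-reconnect that szatox describes, as an added example that is not part of the thread: a minimal transparent TCP splitting proxy in Python 3 for Linux. Traffic for the one port is steered onto it with an iptables REDIRECT on the LAN bridge, e.g. `iptables -t nat -A PREROUTING -i br0 -p tcp --dport 14550 -j REDIRECT --to-ports 14551` (br0 and 14550 come from the thread, 14551 is an assumed proxy port). The proxy terminates the Windows client's session and originates a fresh connection to the destination, so the new SYN is built by the Gentoo box's own stack and, on an MPTCP kernel, carries MP_CAPABLE. It also shows that after a REDIRECT the original destination is recoverable from conntrack through the SO_ORIGINAL_DST socket option, with the thread's 213.100.160.90:14550 as the configured fallback; the echo server is a constructed stand-in for the far end, used only for the offline round-trip check.

```python
"""Transparent TCP splitting proxy (added example, Linux, Python 3).
A REDIRECT rule on the LAN interface steers the one port here; each hijacked session
is terminated locally and a fresh connection is opened to the real destination, so
the new SYN is generated by this host's (MPTCP-capable) stack."""
import socket
import struct
import threading

SOL_IP = getattr(socket, "SOL_IP", 0)
SO_ORIGINAL_DST = 80                             # <linux/netfilter_ipv4.h>; absent from socket module
FALLBACK_TARGET = ("213.100.160.90", 14550)      # far-end host:port from the thread


def sockaddr_in_bytes(ip, port):
    """struct sockaddr_in as SO_ORIGINAL_DST returns it (test helper)."""
    return struct.pack("=H", socket.AF_INET) + struct.pack("!H4s", port, socket.inet_aton(ip)) + bytes(8)


def parse_sockaddr_in(raw):
    """sa_family is host byte order; sin_port and sin_addr are network byte order."""
    if len(raw) < 8 or struct.unpack("=H", raw[:2])[0] != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr_in")
    port, addr = struct.unpack("!H4s", raw[2:8])
    return socket.inet_ntoa(addr), port


def original_destination(conn, fallback=FALLBACK_TARGET):
    """Pre-NAT destination via conntrack. If the option fails (no conntrack) or names
    our own listening socket (no NAT happened), use the fallback: the proxy must
    never end up connecting to itself because the REDIRECT rule is missing."""
    try:
        target = parse_sockaddr_in(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))
    except (OSError, ValueError):
        return fallback
    return fallback if target == conn.getsockname()[:2] else target


def pump(src, dst):
    """Copy one direction until EOF, then propagate the half-close."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client, fallback):
    target = original_destination(client, fallback)
    try:
        upstream = socket.create_connection(target, timeout=10)   # the new, locally originated SYN
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    t = threading.Thread(target=pump, args=(client, upstream), daemon=True)
    t.start()
    pump(upstream, client)
    t.join()
    client.close()
    upstream.close()


def serve(listen, on_accept):
    """Generic accept loop in a daemon thread; returns the bound (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(16)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=on_accept, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def start_relay(listen=("0.0.0.0", 14551), fallback=FALLBACK_TARGET):
    return serve(listen, lambda c: handle_client(c, fallback))


def start_echo_server():
    """Constructed stand-in for the 2nd Gentoo box, used only for the offline check."""
    def echo(conn):
        pump(conn, conn)
        conn.close()
    return serve(("127.0.0.1", 0), echo)


def relay_roundtrip(payload):
    """client -> relay -> echo on loopback; returns what came back."""
    relay = start_relay(("127.0.0.1", 0), fallback=start_echo_server())
    with socket.create_connection(relay, timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(65536), b""))


if __name__ == "__main__":
    print(relay_roundtrip(b"loopback self-test"))
    print("listening on", start_relay())          # production: behind the iptables REDIRECT
    threading.Event().wait()
```

Two things to check before trusting it on the real box: `ss -tni` (or `tcpdump -i enp4s0 'tcp[tcpflags] & tcp-syn != 0'`) on the WAN side should show the upstream SYNs leaving from the Gentoo host itself with the MPTCP option present, and the REDIRECT rule must match only the LAN interface so that the proxy's own outgoing connection to port 14550 is not hijacked a second time.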
orion777
Apprentice
Joined: 15 Mar 2017
Posts: 163
Location: Riga, Latvia

Posted: Sat Sep 08, 2018 8:11 am

So, I have to forward TCP connections made on port 14550 from the LAN NIC to the WAN NIC and further to the destination in the WAN network.

So the haproxy configuration should look like this, as per the example at https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#2.5 ?
Code:
# /etc/haproxy/haproxy.cfg
global
    daemon
    maxconn 10          # process-wide cap; the per-server maxconn 32 below can never be reached

defaults
    mode tcp            # plain TCP relay; haproxy defaults to HTTP mode
    timeout connect 50000ms
    timeout client 100000ms
    timeout server 100000ms

frontend tcp-in
    bind *:14550        # listens on every interface, LAN and WAN alike
    default_backend servers

backend servers
    server server1 213.100.160.90:14550 maxconn 32

The idea is to forward all incoming connections on port 14550 made from any LAN IP (the Windows machine) to the destination in the WAN, 213.100.160.90:14550.
But this configuration has no data about which NIC is WAN and which NIC is LAN and so on, so I'm really not sure that such a config is correct.

orion777
Apprentice
Joined: 15 Mar 2017
Posts: 163
Location: Riga, Latvia

Posted: Mon Sep 24, 2018 8:07 am

1) The answer to "how to build the MPTCP router" is to use some transparent SOCKS5 proxy. The proxy will re-create the TCP connection and apply MPTCP capability.

2) I am still unable to deal with SINGLE port forwarding. I was trying haproxy and rinetd on my NAT server. The rinetd config is quite simple: bindaddress bindport connectaddress connectport, so I was entering: 192.168.10.1 14550 213.100.0.20 14550. The connection from the LAN was made to 192.168.10.1:14550 in the assumption that it would be redirected to 213.100.0.20:14550, but the connection fails quickly; the rinetd log file also remains empty.

So maybe the problem is the NAT server implementation running in parallel with rinetd? It uses shorewall, prepared per this tutorial https://wiki.gentoo.org/wiki/Ethernet_plus_WiFi_Bridge_Router_and_Firewall#Configure_shorewall . Is it possible to exclude only the single port 14550 from shorewall operation?
Code:
/etc/shorewall/interfacesBasic
#ZONE   INTERFACE       OPTIONS
net     enp4s0          tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     br0             dhcp,tcpflags,nosmurfs,routefilter,logmartians

Code:
/etc/shorewall/policyBasic
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
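Not part of the post: an added Python 3 model of the shorewall decision order, run over the policy file quoted above. Shorewall consults /etc/shorewall/rules entries first (first match wins) and only then the first matching /etc/shorewall/policy line, with `all` matching any zone. Under the quoted policy, a LAN connection to the firewall's own 192.168.10.1:14550 is loc -> $FW, which matches neither ACCEPT line and falls through to `all all REJECT`, so a listener on the firewall such as rinetd never sees the SYN; LAN -> WAN traffic is ACCEPTed and simply NATed through, untouched by any proxy. The two candidate rules entries (an ACCEPT for loc -> $FW on the port, and a REDIRECT that sends loc traffic for 213.100.0.20:14550 to a local proxy port) are assumed fixes, not from the thread; port 14551 and the LAN host 192.168.10.50 are invented; and the REDIRECT handling is a simplification of shorewall's semantics, so confirm the column layout against shorewall-rules(5) before relying on it.

```python
"""Simplified model of shorewall's decision order (added example, not from the thread).
Entries in /etc/shorewall/rules are consulted first, top to bottom; if none matches,
the first matching /etc/shorewall/policy line applies. 'all' and '-' match anything."""

# The policy file quoted in the post, verbatim.
POLICY_BASIC = """\
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
"""

# Two candidate rules entries (assumed fixes, not from the thread). Column order per
# shorewall-rules(5): ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST.
RULE_ACCEPT_TO_FW = "ACCEPT    loc    $FW    tcp    14550"
RULE_REDIRECT = "REDIRECT  loc    14551  tcp    14550  -  213.100.0.20"   # 14551 is an invented proxy port


def content_lines(text):
    """Yield non-empty lines with comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_policy(text):
    """-> list of (source_zone, dest_zone, POLICY)."""
    out = []
    for line in content_lines(text):
        f = line.split()
        if len(f) < 3:
            raise ValueError(f"bad policy line: {line!r}")
        out.append((f[0], f[1], f[2].upper()))
    return out


def parse_rules(text):
    """-> list of dicts; missing trailing columns default to '-' (any)."""
    out = []
    for line in content_lines(text):
        f = (line.split() + ["-"] * 7)[:7]
        out.append(dict(action=f[0].upper(), src=f[1], dst=f[2], proto=f[3].lower(),
                        dport=f[4], sport=f[5], origdest=f[6]))
    return out


def matches(pattern, value):
    return pattern in ("-", "all") or pattern == str(value)


def decide(rules, policies, src_zone, dst_zone, proto, dport, dst_ip):
    """What happens to a new connection from src_zone to dst_ip:dport in dst_zone."""
    for r in rules:
        if not (matches(r["src"], src_zone) and matches(r["proto"], proto)
                and matches(r["dport"], dport) and matches(r["origdest"], dst_ip)):
            continue
        if r["action"] == "REDIRECT":
            # DEST column is the firewall port the connection is DNATed to; the zone
            # the original packet was heading for does not take part in the match.
            return f"REDIRECT to $FW:{r['dst']}"
        if matches(r["dst"], dst_zone):
            return r["action"]
    for src, dst, action in policies:
        if matches(src, src_zone) and matches(dst, dst_zone):
            return action
    return "NO MATCH"


def explain(rules_text):
    """Run the connections discussed in the thread through the model."""
    rules, policies = parse_rules(rules_text), parse_policy(POLICY_BASIC)
    return {
        "LAN -> rinetd on 192.168.10.1:14550": decide(rules, policies, "loc", "$FW", "tcp", 14550, "192.168.10.1"),
        "LAN -> 213.100.0.20:14550 directly": decide(rules, policies, "loc", "net", "tcp", 14550, "213.100.0.20"),
        "WAN -> LAN host 192.168.10.50:14550": decide(rules, policies, "net", "loc", "tcp", 14550, "192.168.10.50"),
    }


if __name__ == "__main__":
    for label, rules_text in (("posted config", ""), ("with ACCEPT", RULE_ACCEPT_TO_FW),
                              ("with REDIRECT", RULE_REDIRECT)):
        print(label, explain(rules_text))
```

The ACCEPT variant matches the rinetd setup in the post (client dials the firewall's LAN address); the REDIRECT variant is the transparent form from earlier in the thread, where the Windows client keeps dialing 213.100.0.20:14550 and shorewall diverts just that flow to the local proxy. Either way `shorewall check` before `shorewall restart`, then `iptables -t nat -L PREROUTING -n -v` to confirm the rule is present and its packet counter moves.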