Can't Connect to the same port from two different machines

Issues related to configuring your network
lethanos
Posts: 2
Joined: 2021/09/16 11:08:27

Can't Connect to the same port from two different machines

Post by lethanos » 2021/09/16 11:33:33

Hello, I am trying to use a CentOS 8 server for routing some internal traffic to some specific addresses on the internet.
While all the machines can connect to the CentOS server, two machines cannot access the same port at the same time.

How the traffic is routed looks like this.
--------------------------------------------------------
Local Machine 1: 192.168.1.10 (M1)
Local Machine 2: 192.168.1.11 (M2)

CentOS Server: 192.168.1.20 (COS)

Outside Machine 1: 168.X.X.1 (OM1)
Outside Machine 1: 168.X.X.2 (OM2)
--------------------------------------------------------
All the 192.168.X.X Machines are behind the same NAT and have the same public IP.

192.168.1.20:10000 (COS) Routes traffic to 168.X.X.1:50000 (OM1)
192.168.1.20:10001 (COS) Routes traffic to 168.X.X.2:50000 (OM2)

Commands Used:


firewall-cmd --add-port=10000/tcp --permanent
firewall-cmd --add-port=10001/tcp --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --permanent --add-forward-port=port=10000:proto=tcp:toport=50000:toaddr=168.X.X.1
firewall-cmd --permanent --add-forward-port=port=10001:proto=tcp:toport=50000:toaddr=168.X.X.2
firewall-cmd --reload

192.168.1.10 (M1) connects to port 10000 of 192.168.1.20 (COS) the traffic is routed to 168.X.X.1 (OM1) Port 50000.
192.168.1.11 (M2) connects to port 10001 of 192.168.1.20 (COS) the traffic is routed to 168.X.X.2 (OM2) Port 50000.

But when:
192.168.1.10 (M1) connects to port 10000 of 192.168.1.20 (COS) the traffic is routed to 168.X.X.1 (OM1) Port 50000
and
192.168.1.11 (M2) connects to port 10000 of 192.168.1.20 (COS) I receive "curl: (7) Failed to connect to 192.168.1.20 port 10000: Timed out"

It should be noted that the same issue happens when I try to connect from (M1) and (M2) to (OM1) at the same time directly. I was hoping that using (COS) as a middle man would solve the issue, but I again receive the same error. It could be an issue with (OM1), but the weird part is that (M1) creates 100s of concurrent connections to (OM1) with no errors or problems.

BShT
Posts: 583
Joined: 2019/10/09 12:31:40

Re: Can't Connect to the same port from two different machines

Post by BShT » 2021/09/16 14:44:33

iptables -t nat -A PREROUTING -p tcp --dport 10000 -j DNAT --to-destination 168.X.X.1:50000

iptables -t nat -A PREROUTING -p tcp --dport 10001 -j DNAT --to-destination 168.X.X.2:50000

lethanos
Posts: 2
Joined: 2021/09/16 11:08:27

Re: Can't Connect to the same port from two different machines

Post by lethanos » 2021/09/20 13:36:14

BShT wrote:
2021/09/16 14:44:33
iptables -t nat -A PREROUTING -p tcp --dport 10000 -j DNAT --to-destination 168.X.X.1:50000

iptables -t nat -A PREROUTING -p tcp --dport 10001 -j DNAT --to-destination 168.X.X.2:50000
If I am not mistaken, firewalld disables iptables and vice versa on centos7/8. Running these commands does nothing unless you install iptables-services, which will disable firewalld and take control of how the network interface will route the traffic. I have tried in the past to use iptables in ubuntu/centos but with no success.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Can't Connect to the same port from two different machines

Post by jlehtone » 2021/09/21 14:45:16

First some notes:
  • Kernel of el7 has netfilter. It has "iptables rules". Those can be added with 'iptables' or 'firewall-cmd'.
  • Kernel of el8 has nftables. It has "nftables rules". Those can be added with 'nft' or 'firewall-cmd' ... and 'iptables'.
    However, the 'iptables' in el8 is only a wrapper of 'nft' that translates "iptables syntax" into "nft syntax".
  • If two tools add rules to the kernel, they are most likely unaware of each other and assume that the existing rules are the ones they wrote. That creates chaos.
  • The FirewallD is not suitable for "complex cases", according to Red Hat and FirewallD's developers. (Future version supports routing, but is not in el8.)
  • FirewallD has "Rich Rules" and "Direct rules"/"Passthrough" to go around some of its limitations. The latter still use the "iptables syntax", which places those additional rules in different tables/chains than most of FirewallD's ruleset. (The nftables is more flexible than netfilter.)
  • A command like firewall-cmd --add-forward-port generates multiple netfilter/nftables rules.
  • A nftables ruleset for a router can be really short. See https://wiki.gentoo.org/wiki/Nftables/Examples
  • There is nftables.service to replace firewalld.service
lethanos wrote:
2021/09/16 11:33:33
How the traffic is routed looks like this.
--------------------------------------------------------
Local Machine 1: 192.168.1.10 (M1)
Local Machine 2: 192.168.1.11 (M2)

CentOS Server: 192.168.1.20 (COS)

Outside Machine 1: 168.X.X.1 (OM1)
Outside Machine 1: 168.X.X.2 (OM2)
--------------------------------------------------------
All the 192.168.X.X Machines are behind the same NAT and have the same public IP.

192.168.1.20:10000 (COS) Routes traffic to 168.X.X.1:50000 (OM1)
192.168.1.20:10001 (COS) Routes traffic to 168.X.X.2:50000 (OM2)
Who/where is the NAT? Is it different from COS?

If it is different from COS, then you indeed need SNAT on COS, but that SNAT should probably limit to the forwarded traffic only.

The COS does not actually need to open ports for "INPUT". The port forward does, at least:
1. Create (pre-routing) DNAT
2. Allow forward from source to (DNATed) destination


What does the service at OM1:50000 do when same client attempts to form two connections simultaneously?
Or ... can M2 create connections to OM1 when M1 is not connected?
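As an added illustration (not from any poster in this thread) of the two steps named above, a pre-routing DNAT plus a forward rule for the DNATed flow, with SNAT limited to the forwarded traffic, here is the OP's two port forwards written as a plain nftables ruleset. Assumptions: the LAN-facing interface is named "eth0", and 192.0.2.1/192.0.2.2 are placeholders for the thread's 168.X.X.1/168.X.X.2.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; assumes LAN interface "eth0" (placeholder)
# and documentation addresses 192.0.2.1 / 192.0.2.2 standing in for
# the thread's 168.X.X.1 (OM1) / 168.X.X.2 (OM2).
flush ruleset

table inet fwd {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # 1. DNAT: COS:10000 -> OM1:50000 and COS:10001 -> OM2:50000
        iif "eth0" tcp dport 10000 dnat ip to 192.0.2.1:50000
        iif "eth0" tcp dport 10001 dnat ip to 192.0.2.2:50000
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # SNAT only the flows that were DNATed above, not all traffic
        ct status dnat masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # 2. Allow the DNATed flows from the LAN to their new destination
        iif "eth0" ct status dnat ip daddr { 192.0.2.1, 192.0.2.2 } tcp dport 50000 accept
    }
}
```

No INPUT rule for 10000/10001 is needed on COS itself: the DNAT rewrites the destination before routing, so the packets traverse the forward chain, never input. After loading, `nft list ruleset` shows the rules, and `conntrack -L` (from the conntrack-tools package) shows whether M2's connection is being tracked at all.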

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Can't Connect to the same port from two different machines

Post by TrevorH » 2021/09/21 15:41:03

if I am not mistaken firewalld disables iptables and vice versa on centos7/8
Yes, you are mistaken. You can have iptables and iptables-services installed on both CentOS 7 and 8 yet still run firewalld. Yes, you have to disable the iptables.service which means there's not much point in having the iptables-service package installed but the iptables command is not part of that anyway. You can then use the iptables command to list the (native on el7) iptables rules or the interpreted nftables rules on el8.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
