--- Log opened Thu Jan 12 00:00:43 2017
01:29 -!- aestetix [~aestetix@phalse.2600.com] has quit [Ping timeout: 272 seconds]
01:32 -!- aestetix [~aestetix@phalse.2600.com] has joined #se2600
01:45 -!- aestetix [~aestetix@phalse.2600.com] has quit [Ping timeout: 240 seconds]
01:49 -!- aestetix [~aestetix@phalse.2600.com] has joined #se2600
06:24 <@Dolemite> mr0ning, be0tches and h0ez!
06:36 < xray> mornin
07:42 -!- sicsscam_ [~sicsscam@24.154.70.234] has joined #se2600
07:46 -!- sicsscam [~sicsscam@24.154.70.234] has quit [Ping timeout: 240 seconds]
07:47 -!- fie [~fie@31.7.59.226] has quit [Ping timeout: 240 seconds]
08:01 -!- fie [~fie@31.7.59.226] has joined #se2600
08:23 -!- fie [~fie@31.7.59.226] has quit [Ping timeout: 260 seconds]
08:45 < aestetix> ok
08:45 < aestetix> networking question
08:46 < aestetix> I have iptables set up to take traffic coming in from client A to server B, and forward it to server C
08:46 < aestetix> but I want server C to put client A's ip address in the log files
08:46 < aestetix> using masquerade allowed the forwarding to work, but also put server B's address in the logs
09:18 < aestetix> no bites?
09:23 <@Evilpig> don't think you can do that because the only IP that server c is seeing is that of B
09:24 < aestetix> hmm
09:24 < aestetix> is there any way to do this with routing?
09:24 <@Evilpig> it isn't like forwarding an apache log
09:24 < aestetix> I mean if A goes to B and then C and then back to A I don't care
09:26 < aestetix> Put another way, I want server B to just be sort of a repeater that sends traffic along
09:28 < aestetix> Evilpig: msg
09:47 < rattle> If B is a router, then you can keep A source. If B is a proxy, you can't.
09:48 < aestetix> rattle: then I want to use B as a router
09:48 < rattle> If it is a proxy, depending on the protocol, there are other ways to get proper logging. SMTP and HTTP allow for headers that contain origination IPs which you could log on rather than IP source.
09:50 < rattle> For an example.. If you have a Varnish proxy terminating web traffic to backend servers, but you want to have the backend servers have proper routing.. You have Varnish add the X-Forwarded-For header, and adjust your logging on the backend servers to log the X-Forwarded-For IP rather than the TCP source IP.
09:50 < rattle> s/have proper routing/have proper logging/
09:51 < aestetix> Ok, so is there a simple way I can set up linux routing tables so that everything coming in with destination X in mind, it redirects it to destination Y, changing the destination and nothing else?
09:52 < rattle> NAT.
09:52 < aestetix> but NAT changes the source ip
09:53 < rattle> No.
09:53 < rattle> S-NAT changes source IP. D-NAT changes destination.
09:53 < rattle> The only time S-NAT is actually required is when doing a u-turn.
09:54 < aestetix> Ok. So if I have iptables set using DNAT to change the destination, and to forward the packet along, why doesn't it come back to the client?
09:54 < aestetix> The only way I can get it to work is using masquerade, which rewrites the origin ip
10:03 < rattle> That will always be the case for hosts behind the same gateway. Typically you need two NAT rules. One D-NAT for external to internal traffic, and an additional S-NAT for internal to internal traffic using the external address.
10:04 < aestetix> Ok. All the IP addresses involved are external addresses.
10:04 < rattle> Then you're just doing something wrong.
10:04 < rattle> Rather.. If _all_ are external addresses, then nothing you are doing makes any sense.
10:05 < aestetix> I'm getting traffic to a host machine that has a guest VM, both with external NICs
10:06 < aestetix> At this point I guess it makes more sense to route the traffic from the host machine to the internal guest vm ip
10:06 < aestetix> which defeats the whole point of having an external nic on that load balancer
10:06 < rattle> I'm getting this feeling you missed networking 101.
10:06 < aestetix> Yep.
10:06 < aestetix> I've never been good with networking.
10:06 < rattle> 31337
10:07 < aestetix> Although this particular setup is hetzner's fault
10:07 <@Dolemite> He apparently got an A+ in Clusterfuck 101
10:07 < rattle> Transference. That's a good start.
10:07 < aestetix> Ok. How would you guys set this up.
10:08 < rattle> I'd have a gateway. And I'd have my hosts behind the gateway. I'd have the gateway exercise a security policy for what traffic is allowed, and network address translation to facilitate routing flow.
10:09 < rattle> And if I had my way, I'd be back in 1994 too.. Because all that existed then and the music was better.
10:09 < aestetix> Ok. Can can the host machine serve as the gateway?
10:09 < aestetix> And can*
10:10 < rattle> Why would you want to do that?
10:10 < rattle> If the host machine is on an Internet accessible device, there's no need for NAT. Just traffic policy.
10:10 < aestetix> I have a failover ip I want to match with the load balancer
10:10 < rattle> You can in theory use virtual routers, loopbacks, and whatnot.. But I think that's a bit above your pay grade.
10:11 < rattle> And you're trying to do this all on one host? What are you load balancing?
10:11 < rattle> Multiple VMs on one host?
10:11 < aestetix> yes
10:11 < aestetix> well a bunch of vms, across several hosts
10:12 < aestetix> they're mostly connected via tinc
10:12 <@Dolemite> But it sounds like you have at least one VM on the same physical host as the gateway
10:12 < rattle> Ok. Use the hypervisor for NOTHING other than running the VMs. Have a VM for your gateway. Give the gateway an interface on the public net, and one on a virtual net which your other VMs live in. Then just approach it like a traditional networking problem.
10:12 <@Dolemite> Is that correct?
10:13 < rattle> If it's spread across multiple hosts, use VLANs.
10:13 < aestetix> tinc == a vlan
10:13 < aestetix> rattle: that would be ideal. But I can't do that.
10:13 < rattle> Then you're fucked.
10:14 < aestetix> Because their fucking failover ips can only bind to the real ip of the host system
10:14 < rattle> You really don't want to be using the hypervisor for network routing unless it's simply an outbound NAT.
10:14 < rattle> Then give the real IP of the hypervisor an RFC1918 address. Use the real IP on a virtual interface of your gateway VM.
10:15 < aestetix> http://serverfault.com/questions/488077/xen-xcp-route-failover-ip-to-guest
10:15 < PigBot> Title: routing - Xen XCP: Route failover IP to Guest - Server Fault (at serverfault.com) http://tinyurl.com/jg85gbs
10:15 < aestetix> this sort of describes the issue
10:15 < rattle> There is zero reason to have a hypervisor accessible on a public address anyway.
10:15 < aestetix> rattle: that's what I wanted to do, and they said they can't
10:16 < rattle> So it's all kludgery. Good luck with that.
10:16 < aestetix> maybe that page describes the issue better than I can
10:16 < aestetix> ok so it's not just me
10:16 < aestetix> well I mean it's partially me
10:18 < rattle> What's the type of traffic being terminated?
10:18 < aestetix> Almost all port 80 and 443
10:19 < rattle> Just bypass the whole problem.. Use Varnish to broker the connections on the host with the real IP to the VMs on RFC1918. Use the logging from Varnish, and ignore the logging on the backends.
10:20 < rattle> Either way, it's all kludgy.
10:20 < aestetix> I was debating that.
10:20 < aestetix> or nginx with proxy_pass
10:20 < aestetix> But it seemed somehow immoral
10:20 < rattle> Just terminate the traffic at a smart proxy of some type.. nginx or varnish are your best bets.
10:21 < rattle> Redirect as necessary.. Don't bother with NAT at all.
10:21 < aestetix> Ok then.
10:21 < aestetix> It's horrible practice, but...
10:21 < rattle> Actually, bringing your traffic into a proxy before going to its eventual backends _is_ best practice in all cases.
10:21 < aestetix> well the load balancers are running haproxy
10:21 <@Mirage> what about something like Linux-HA?
10:22 < rattle> If caching is a goal, varnish. If not, or ssl offload is a thing, use nginx.
10:22 < aestetix> oh that's interesting
10:22 <@Mirage> I guess I should ask: Are you just wanting to failover if one goes down or wanting to actually balance based on load?
10:22 < aestetix> my xen host is ALREADY running nginx
10:23 < aestetix> I see I'm not the first one to encounter this mess
10:25 < aestetix> I just died a little inside
10:40 <@Dolemite> Oh, God. Please let this be fake news.
10:40 <@Dolemite> http://gizmodo.com/rudy-giuliani-is-forming-a-cybersecurity-team-for-trump-1791109633
10:40 < PigBot> Dolemite: That URL appears to have no HTML title within the first 30480 bytes.
10:41 <@Dolemite> Oh, wait, I get it
10:41 <@Dolemite> The war on soft drinks in NYC is actually a war on hackers, because as we learned during the campaign, they are mostly 400 lb. 30 year olds living in their parents' basement.
10:41 <@Dolemite> Get rid of the 400 lb people and there are no more hackers.
10:41 <@Dolemite> BRILLIANT
10:47 < aestetix> well on the plus side
10:47 < aestetix> I'm far better with nginx than iptables
10:47 < aestetix> nginx is just annoying. iptables is a monster
10:55 < rattle> Coming soon, stop-and-frisk on the Internet.
10:56 < dfused> oooh myyyy ...mmmmmMMMmmmm
11:22 < oddball> Dolemite: You've seen what they've done in Philly re: soft drinks, right?
11:22 <@Dolemite> Yep
11:22 <@Dolemite> Price gouging! That's the problem!
11:22 < oddball> Clearly!
11:22 < cyberanger> I felt like that when I crossed the border last time. Guess US CBP thought I went to meet Canadian Terrorists or something.
11:23 -!- mode/#se2600 [+o oddball] by ChanServ
12:01 < aestetix> ok so rattle one final attempt at this
12:02 < aestetix> if the traffic goes in the host, gets routed locally to a load balancer that's a guest, is it possible to retain the original ip?
12:02 < aestetix> I'm guessing at this point no, and I need to figure out a solution that is not shitty
12:02 < rattle> Since it's web, why don't you just get the origin IP from the X-Forwarded-For header?
12:03 * aestetix cries
12:04 < aestetix> I think I'm going to cheer up by watching the Trump press conference I missed
12:11 < aestetix> "The Trump brand is key to the value of the organizations assets"
12:18 < aestetix> so I just saw the news about Rudy
12:19 < aestetix> At this point I think it's fair to ask if Trump is consulting a magic 8 ball for these appointments
12:23 < sol1d> maybe outsourcing it to Dancing Bear over the 8 ball
12:41 < aestetix> rattle: one thing I like about Trump
12:41 < aestetix> he's pissed about OPM
12:41 < aestetix> that might actually see some action
12:46 < rattle> I wouldn't count on it.
12:46 < rattle> So far, this is the only good thing to come of Trump's election: http://www.foxnews.com/entertainment/2017/01/11/u2-delaying-album-release-say-need-breathing-space-to-reassess-after-trump-win.html
12:46 < PigBot> Title: U2 delaying album release, say they need 'breathing space' to reassess after Trump win | Fox News (at www.foxnews.com) http://tinyurl.com/zkvkv5a
12:49 < aestetix> And the ultimate blow to Obama: Gitmo is still open
13:12 <@Evilpig> that's the ultimate blow? trump getting elected seemed like it was already occupying that position
13:17 < aestetix> well fuck me
13:17 < aestetix> https://www.nytimes.com/2017/01/12/us/politics/james-comey-fbi-inspector-general-hillary-clinton.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=a-lede-package-region&region=top-news&WT.nav=top-news
13:17 < PigBot> "Couldn't snarf url: HTTP Error 303: The HTTP server returned a redirect error that would lead to an infinite loop.\nThe last 30x error message was:\nSee Other.
http://tinyurl.com/jhtwv25"
13:32 -!- K`Tetch_ [~no@24-178-141-147.dhcp.thtn.ga.charter.com] has joined #se2600
13:35 < aestetix> so wait
13:36 < aestetix> why can't you make a slight change in a packet via iptables, and then route it along
13:36 < aestetix> in the same way when I ping google.com, it goes through a bunch of servers
13:43 < cyberanger> aestetix: You can, different ways on how.
13:45 < aestetix> ok
13:45 < aestetix> I change the packet in iptables, and then route it along to its destination and forget about it
13:45 < aestetix> this is possible?
13:46 < cyberanger> aestetix: I'm not sure if your load balancer can though, aside from X-Forwarded-For header
13:47 < cyberanger> aestetix: I might be missing something, what is the point for this? Logging?
13:47 < aestetix> yes
13:47 < aestetix> And I am getting pissed off at how horrible the documentation on this stuff is
13:48 < cyberanger> What's doing the logging, Nginx, Apache or something else?
13:48 < aestetix> nginx
13:48 < aestetix> but i mean
13:48 < aestetix> is it really that hard to take a packet and send it on its merry way?
13:49 < cyberanger> Really that's not your issue if I'm grasping it, the issue isn't routing, it's proxying and caching.
13:50 < aestetix> http://serverfault.com/questions/488077/xen-xcp-route-failover-ip-to-guest
13:50 < aestetix> that's the issue
13:50 < PigBot> Title: routing - Xen XCP: Route failover IP to Guest - Server Fault (at serverfault.com) http://tinyurl.com/jg85gbs
13:50 < aestetix> in a nutshell
13:51 < cyberanger> aestetix: Take a look at this, think this is what you're needing https://ma.ttias.be/nginx-access-log-log-the-real-users-ip-instead-of-the-proxy/
13:51 < cyberanger> Actually, let me look at your link before I say that.
13:51 < aestetix> lol
13:51 < aestetix> that's the x-forwarded-for thing
13:51 < aestetix> different issue :)
13:53 < cyberanger> Yeah, I pictured a different kind of load balancing (reverse proxy, not HA Xen setups)
13:53 < aestetix> hetzner claims it's easy to do
13:54 < aestetix> but of the dozen people I've asked, nobody knows a good way to do it
13:54 < cyberanger> Making sure I am on the same page, we're talking NAT traversal(sp) right?
13:55 < cyberanger> iptables masquerade?
13:55 < aestetix> masquerade changes the origin ip
13:58 < cyberanger> Right, I'm trying to understand how iptables came into the mix.
13:59 < aestetix> is there a good way to modify packets that isn't iptables?
14:01 < aestetix> I'm about to give up
14:01 < aestetix> I just had that insight, it seemed useful
14:05 < cyberanger> aestetix: Just reading the backlog again, trying to see what I'm missing. Is HAProxy setting the X-Forwarded-For header?
14:05 < aestetix> no that was rattle making suggestions :p
14:05 < rattle> Linux has a very powerful packet rewriting engine. NAT with iptables works just fine. You're probably just fucking up.
14:06 < cyberanger> aestetix: Okay, so you aren't proxying, you're routing then?
14:06 < aestetix> I am attempting to route, yes
14:08 < aestetix> rattle: why do I get the sense you are enjoying this
14:09 < rattle> What sort of asshole do you think I am?
14:09 < aestetix> a well routed one
14:10 < cyberanger> lol
14:11 < aestetix> but yeah tbqh I've studied routing tables like 100 times and it didn't help
14:11 < aestetix> maybe I had some router related trauma growing up
14:11 < cyberanger> Give me a second, I'm either remembering something useful or breaking a VM
14:11 < aestetix> ok
14:18 < aestetix> cyberanger: I'm gonna go to bed soon, fyi
14:20 < cyberanger> aestetix: so, 3 systems, A = Client B = Router C = Server
14:20 < aestetix> yes
14:21 < cyberanger> B has ip_forward on, and iptables is used to rewrite the packet, nothing else involved?
14:21 < aestetix> correct
14:22 < cyberanger> what's the iptables rule?
14:22 < aestetix> and C should be able to log traffic in whatever service, using A's address
14:22 < aestetix> iptables -t nat -A PREROUTING -d oldip -j DNAT --to-destination newip
14:22 < aestetix> I think
14:23 < cyberanger> Just that one rule? No matching SNAT rule?
14:23 < aestetix> SNAT would change the source address
14:24 < cyberanger> Right, and that's happening anyway.
14:24 < aestetix> heh true
14:25 < cyberanger> What's C's default route?
14:25 < aestetix> this is the part I don't know
14:25 < cyberanger> on C, what does route -n show?
14:26 < rattle> You have an accompanying allow policy in filtering and have forwarding turned on in the kernel?
14:26 < aestetix> rattle: of course
14:27 < cyberanger> Yeah, or he wouldn't be logging at all
14:28 < aestetix> route -n shows a gateway ip
14:28 < aestetix> I don't see the word default
14:29 < cyberanger> Right, because I gave you the -n flag, my bad
14:29 < cyberanger> 0.0.0.0 would be default
14:30 < aestetix> yes
14:30 < cyberanger> Or are you saying there is no default route at all? (guessing this)
14:30 < aestetix> route without -n has a default gateway listed
14:31 < cyberanger> Okay, is that gateway your router, that is machine B?
14:31 < aestetix> negative
14:31 < aestetix> it's some gateway at the data center
14:33 < aestetix> I mean, from machine B I can ping machine C, so it's clear there is a path set
14:36 < cyberanger> Yeah, same subnet I'm guessing, wasn't sure how the traffic was leaving machine C. If it's that one rule, source should be left alone from what I recall
14:37 < cyberanger> Iptables can do this from the mangle table too, but I forget the rules
14:37 < cyberanger> What is it you're load balancing?
14:37 < aestetix> anyways, I think I'm gonna go to bed. I'm tired and today has been lots of not fun
14:38 -!- sicsscam_ is now known as sicsscam
14:38 < cyberanger> aestetix: Alright, catch up later.
14:46 < cyberanger> aestetix: are you sure about what iptables rules you have? Because I just tested in the VM trying to get the same result, instead I got what I expected & what you want.
16:43 -!- TheDukh [~thedukh@2607:fcc8:ac80:d900:f9ef:e438:3b1b:e4e6] has quit []
18:01 -!- TheDukh [~thedukh@2607:fcc8:ac80:d900:f9ef:e438:3b1b:e4e6] has joined #se2600
19:32 -!- TheDukh [~thedukh@2607:fcc8:ac80:d900:f9ef:e438:3b1b:e4e6] has quit []
22:54 -!- klixa [~klixa@unaffiliated/klixa] has joined #se2600
22:54 -!- mode/#se2600 [+o klixa] by ChanServ
22:55 -!- K`Tetch_ [~no@24-178-141-147.dhcp.thtn.ga.charter.com] has quit [Ping timeout: 240 seconds]
23:01 -!- K`Tetch [~no@unaffiliated/ktetch] has joined #se2600
--- Log closed Fri Jan 13 00:00:44 2017