OpenAFS and NAT

The OpenAFS 1.4.2 client should be fairly NAT friendly. AFS callback traffic (the fileserver calling back to the client on UDP port 7001) is UDP only unless you are using something experimental like Rx/TCP, so the problem comes down to keeping the NAT's UDP mapping for the client alive, or making it predictable. Two ways to do this:

1)
Set the conntrack UDP timeouts to higher values (on a 2.6-era kernel; current kernels expose the same knobs as net.netfilter.nf_conntrack_udp_timeout and net.netfilter.nf_conntrack_udp_timeout_stream):
net.ipv4.netfilter.ip_conntrack_udp_timeout = 480
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 900

The first value (480 s, 8 minutes) applies to a mapping that has only seen traffic in one direction; the second (900 s, 15 minutes) applies once traffic has been seen in both directions, which is the normal state for an AFS client talking to a fileserver. Use 30 minutes (1800) for both if you continue to have problems with timed out connections.

2)
Rewrite the client's outgoing port 7001 traffic to a known "other" port that you assign, so the mapping the fileserver sends callbacks to never depends on conntrack state.
For example, reserve port 7021 on the NAT box for this purpose. 192.168.1.5 is the internal AFS client and eth0 is the external interface of the NAT box. Note that --dport and --sport are options of the udp match, so -p udp is required or iptables rejects the rule.
Send all traffic arriving from the outside server on the assigned port to the inside client on its standard AFS callback port (7001):
# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 7021 -j DNAT --to-destination 192.168.1.5:7001
Send all traffic destined to the server from the client out on the assigned port (7021) instead of port 7001:
# iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.5 --sport 7001 -j MASQUERADE --to-ports 7021

Then set up Linux IP masquerading as usual. This rule must be added after the POSTROUTING rule above: iptables evaluates rules in order, and because this one is more general it would otherwise match first and the port rewrite would never be applied.
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Note: If you are behind someone else's wireless router (a second layer of NAT), make sure traffic arriving at THEIR external interface for the assigned port, or for port 7001, is also forwarded back to your own NAT gateway. Traffic for the designated external ports has to be able to reach the NAT box that you control before you can rewrite the port numbers with iptables.
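The two methods above, collected into one script as an added example (this is not code from the original post or from OpenAFS). It assumes the post's values (client 192.168.1.5, reserved port 7021, external interface eth0), the standard AFS ports 7000 (fileserver) and 7001 (client callbacks), and, for the optional inspection step, that the conntrack CLI from conntrack-tools is installed. By default it only prints the commands; set DRY_RUN=0 and run it as root on the gateway to apply them.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenAFS itself:
# generates (or, as root with DRY_RUN=0, applies) the two NAT fixes.
# Assumed values: client 192.168.1.5, reserved external port 7021 and
# external interface eth0 (from the post); 7000/7001 are the standard AFS
# fileserver and client callback ports. show_afs_conntrack assumes the
# conntrack CLI from conntrack-tools.
set -eu

AFS_CLIENT="${AFS_CLIENT:-192.168.1.5}"   # internal AFS client
AFS_EXT_PORT="${AFS_EXT_PORT:-7021}"      # port reserved on the NAT box
EXT_IF="${EXT_IF:-eth0}"                  # external interface of the NAT box
AFS_CB_PORT=7001                          # client callback port (fixed by AFS)
AFS_FS_PORT=7000                          # fileserver port (fixed by AFS)
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands, 0 = run them

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Method 1: lengthen the UDP conntrack timeouts so the client's mapping
# survives idle periods. 480/900 are the post's values; pass 1800 1800 for
# the 30 minute setting. Old 2.6 kernels named these keys
# net.ipv4.netfilter.ip_conntrack_udp_timeout[_stream]; current kernels use
# net.netfilter.nf_conntrack_udp_timeout[_stream].
conntrack_timeout_rules() {
    unreplied="${1:-480}"   # mapping that has only seen one direction
    stream="${2:-900}"      # mapping with traffic in both directions
    run sysctl -w "net.netfilter.nf_conntrack_udp_timeout=$unreplied"
    run sysctl -w "net.netfilter.nf_conntrack_udp_timeout_stream=$stream"
}

# Method 2: pin the client's callback port to a known external port.
# -p udp is required because --dport/--sport belong to the udp match.
# Order matters in POSTROUTING: the port-specific rule must come before
# the catch-all MASQUERADE or it is never reached.
afs_nat_rules() {
    # inbound: fileserver -> NATbox:7021 is rewritten to -> client:7001
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport "$AFS_EXT_PORT" \
        -j DNAT --to-destination "$AFS_CLIENT:$AFS_CB_PORT"
    # outbound: client:7001 -> anywhere leaves as NATbox:7021
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -p udp -s "$AFS_CLIENT" \
        --sport "$AFS_CB_PORT" -j MASQUERADE --to-ports "$AFS_EXT_PORT"
    # everything else: the usual masquerade, deliberately last
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Check: list the live conntrack entries for traffic to AFS fileservers.
# The number after the protocol (e.g. "udp 17 842 src=...") is the seconds
# left before the entry expires, and sport= shows the rewritten port.
show_afs_conntrack() {
    run conntrack -L -p udp --orig-port-dst "$AFS_FS_PORT"
}

# Usage on the gateway, as root:  DRY_RUN=0 sh afs-nat.sh apply
# Without DRY_RUN=0 the script only prints what it would do.
if [ "${1:-}" = apply ]; then
    conntrack_timeout_rules
    afs_nat_rules
    show_afs_conntrack
fi
```

Running it once in dry-run mode and diffing the printed rules against `iptables -t nat -S` is a quick way to confirm the port-specific POSTROUTING rule really sits above the catch-all masquerade on a gateway that already had NAT configured.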
