problem with iptables nat
Hello,
Since we learned that the fast and easy-to-use fast NAT didn't work any more (horrible), we are trying to get iptables' ugly NAT features to work. And see, they do not work.
We changed from a SuSE 8.2 2.4 kernel to Debian. Our test equipment looks like this: given is a standard Debian 2.6.8-2 kernel for 386; we also added the appropriate kernel headers.
There are two interfaces:
eth0      Protokoll:Ethernet  Hardware Adresse 00:02:1E:F1:AA:32
          inet Adresse:172.31.27.1  Bcast:172.31.31.255  Maske:255.255.248.0
          inet6 Adresse: fe80::202:1eff:fef1:aa32/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Protokoll:Ethernet  Hardware Adresse 00:01:02:04:C2:55
          inet Adresse:192.168.2.1  Bcast:192.168.2.255  Maske:255.255.255.0
          inet6 Adresse: fe80::201:2ff:fe04:c255/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Protokoll:Lokale Schleife
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
In our testing environment, there are two test machines connected to each interface, with the IPs 172.31.27.10 (1) and 192.168.2.20 (2).
As it should be, the nets are not routed because ip_forward is set to 0. We open the router together with some logging by iptables (no other rules defined):
From now on, test machine 1 can ping machine 2 and vice versa:
#~ tail -F /var/log/messages
May 11 16:55:33 T4AC00 kernel: FORWARD LOG: IN=eth0 OUT=eth1 SRC="" DST=192.168.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6144
May 11 16:55:33 T4AC00 kernel: FORWARD LOG: IN=eth1 OUT=eth0 SRC="" DST=172.31.27.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=23 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=6144
So, everything looks fine. Now we start iptables NAT.
Think of the 172.31.. network as the intranet and the 192.168.. net/machine as the DMZ. We would like to get the 192.168.2.20 IP NATted to 172.31.27.20 from the intranet; that means that we can ping 172.31.27.20 from 172.31.27.10, the ping arrives as 192.168.2.20 and the return packet arrives again as 172.31.27.20. Following the NAT HOWTO, we construct the following rules:
# NAT
#
iptables -t nat -A POSTROUTING -s 192.168.2.20 -o eth0 -j SNAT --to 172.31.27.20
iptables -t nat -A PREROUTING -i eth1 -d 172.31.27.20 -j DNAT --to 192.168.2.20
The nat tables look like this:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             172.31.27.20        to:192.168.2.20

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.2.20         anywhere            to:172.31.27.20

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
It didn't work; we see no packets in /var/log/messages.
As I said before, standard kernel.
What's wrong?
Greetings,
Dr. Günter Sprakties
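A 1:1 NAT configuration for the layout described in this post, as an added example that is not the poster's ruleset. It assumes the intranet sits on eth0 (172.31.24.0/21), the DMZ on eth1, and that the router takes 172.31.27.20 as an extra address on eth0 so it actually receives frames sent to that address; the DNAT rule matches on the interface where the intranet packets enter, and check_forward_log encodes what a correctly translated ping looks like in the FORWARD chain, where the destination is already rewritten but the source is not yet.

```shell
#!/bin/sh
# Added example (not the poster's rules): DMZ host 192.168.2.20 is reachable
# from the intranet as 172.31.27.20, and its traffic leaves towards the
# intranet with that source address. Interface layout as in the post.
DMZ_HOST=192.168.2.20
NAT_ADDR=172.31.27.20
INTRA_IF=eth0      # intranet side, 172.31.24.0/21 (mask 255.255.248.0)
DMZ_IF=eth1        # DMZ side, 192.168.2.0/24

# Print the commands instead of running them; set APPLY=1 to execute as root.
nat_rules() {
    cat <<EOF
ip addr add ${NAT_ADDR}/21 dev ${INTRA_IF}
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i ${INTRA_IF} -d ${NAT_ADDR} -j DNAT --to-destination ${DMZ_HOST}
iptables -t nat -A POSTROUTING -o ${INTRA_IF} -s ${DMZ_HOST} -j SNAT --to-source ${NAT_ADDR}
iptables -A FORWARD -i ${INTRA_IF} -o ${DMZ_IF} -d ${DMZ_HOST} -j LOG --log-prefix "FORWARD LOG: "
iptables -A FORWARD -i ${DMZ_IF} -o ${INTRA_IF} -s ${DMZ_HOST} -j LOG --log-prefix "FORWARD LOG: "
EOF
}

# The FORWARD chain is traversed after PREROUTING (DNAT already applied) and
# before POSTROUTING (SNAT not yet applied). A translated ping therefore logs
# as IN=eth0 OUT=eth1 SRC=<intranet client> DST=192.168.2.20, and the reply
# as IN=eth1 OUT=eth0 SRC=192.168.2.20 DST=<intranet client>.
# check_forward_log LINE prints "ok" when LINE matches that expectation.
check_forward_log() {
    line=$1
    case $line in
        *"IN=${INTRA_IF} OUT=${DMZ_IF} "*"DST=${DMZ_HOST} "*) echo ok ;;
        *"IN=${DMZ_IF} OUT=${INTRA_IF} "*"SRC=${DMZ_HOST} "*) echo ok ;;
        *) echo "unexpected: $line" ;;
    esac
}

if [ "${APPLY:-0}" = 1 ]; then
    nat_rules | sh -e
fi
```

With APPLY unset the script only prints the commands, so it can be reviewed before being run on the router.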