Hi, everybody! I just spent five totally frustrating hours debugging a problem that shouldn't exist, and the problem was so baffling and its resolution so disconcerting I thought I'd share my experience with everyone and see if anyone has any words of wisdom for me. For reasons that I've long since forgotten, I once thought it would be an interesting learning experience to create a fully NATted private network. I lease 4 IP addresses from my ISP (let's call them 10.0.2.1 - 10.0.2.4 for the sake of discussion), and conveniently enough I have four hosts on my home network, which I've put on a 192.168.13.0/24 private network. The routing bastion host which deals with the translation, located at 10.0.2.1, is a Netwinder running woody, kernel 2.4.3 and all the appropriate modules. After a _lot_ of experimentation (the Netfilter NAT HOWTO is an admirably opaque document in places), I put together a little script that I placed in /etc/init.d to deal with the IP address translation between the private and external networks. I've attached the script to this message. It's worked pretty well for the last month or so since I upgraded to 2.4.x. Today I upgraded the kernel on the NetWinder and rebooted. After rebooting, my TiBook, located at 192.168.13.2, could no longer get packets out to the world. The FreeBSD server at 192.168.13.4 had no problem, and if I changed the TiBook's NIC configuration to instead use 192.168.13.3 as its IP address, it would start working as well. I tried shuffling the order of the iptables rules and it made no difference. I tried a lot of things. Nothing worked. Careful scrutiny of Ethereal captures showed that outgoing packets from the TiBook were getting rewritten to appear as being from 10.0.2.2, but for that host _and that host only_, incoming packets were not getting rewritten properly back to 192.168.13.2. I'm not otherwise filtering packets, and as far as I can tell there are no bizarre sysctls set on the Netwinder to make life miserable for only that IP address. Eventually, just for the hell of it, I added an extra iptables rule to the list: iptables -t nat -A PREROUTING -j DNAT -i eth0 --to 192.168.13.2 -d 10.0.0.1 For no good reason that I can ascertain, everything suddenly started working! Here's the current output from 'iptables -t nat -L': Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT all -- 0.0.0.0/0 10.0.2.2 to:192.168.13.2 DNAT all -- 0.0.0.0/0 10.0.2.3 to:192.168.13.3 DNAT all -- 0.0.0.0/0 10.0.2.4 to:192.168.13.4 DNAT all -- 0.0.0.0/0 10.0.2.2 to:10.0.0.1 Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 192.168.13.2 0.0.0.0/0 to:10.0.2.2 SNAT all -- 192.168.13.3 0.0.0.0/0 to:10.0.2.3 SNAT all -- 192.168.13.4 0.0.0.0/0 to:10.0.2.4 Chain OUTPUT (policy ACCEPT) target prot opt source destination Does anyone have any idea what's going on here? Why would two addresses work, but not a third? Why would adding a gratuitous and possibly broken rule cause things to start working? Have I stumbled upon some obscure bug? Have I done something utterly retarded? Has anyone encountered anything like this before? What's the deal? Thanks in advance for any feedback or wisdom. All I know is, I'm never rebooting that machine again. sincerely yours, Forrest Norvell . . . the self-reflecting image of a narcotized mind . . . ozymandias G desiderata ogd@aoaioxxysz.net desperate, deathless (415)558-9064 http://www.aoaioxxysz.com/ ::AOAIOXXYSZ::
#!/bin/sh PATH=/sbin # ensure that necessary modules are loaded modprobe iptable_nat modprobe ip_nat_ftp # set important IP properties echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # When using the new NAT code, we have to tell the kernel # to bind external addresses for ARP queries ip address add 10.0.2.2 dev eth0 ip address add 10.0.2.3 dev eth0 ip address add 10.0.2.4 dev eth0 # flush NAT table iptables -t nat -F # Source modifications for outgoing packets iptables -t nat -A POSTROUTING -j SNAT -o eth0 -s 192.168.13.2 --to 10.0.2.2 iptables -t nat -A POSTROUTING -j SNAT -o eth0 -s 192.168.13.3 --to 10.0.2.3 iptables -t nat -A POSTROUTING -j SNAT -o eth0 -s 192.168.13.4 --to 10.0.2.4 # Destination modifications for incoming packets iptables -t nat -A PREROUTING -j DNAT -i eth0 --to 192.168.13.2 -d 10.0.2.2 iptables -t nat -A PREROUTING -j DNAT -i eth0 --to 192.168.13.3 -d 10.0.2.3 iptables -t nat -A PREROUTING -j DNAT -i eth0 --to 192.168.13.4 -d 10.0.2.4
Attachment:
pgp3xDbeahre2.pgp
Description: PGP signature