[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

problem with fast nat


Hello,

we got a small problem getting iproute nat capabilities to work:

We change from SuSE 8.2 2.4 kernel to debian. Our test equipment looks like this:
Given is a standard debian 2.6.8-2 kernel for 386; we also added the appropriate kernel headers.

There are two interfaces:

eth0      Protokoll:Ethernet  Hardware Adresse 00:02:1E:F1:AA:32  
          inet Adresse:172.31.27.1  Bcast:172.31.31.255  Maske:255.255.248.0
          inet6 Adresse: fe80::202:1eff:fef1:aa32/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         
eth1      Protokoll:Ethernet  Hardware Adresse 00:01:02:04:C2:55  
          inet Adresse:192.168.2.1  Bcast:192.168.2.255  Maske:255.255.255.0
          inet6 Adresse: fe80::201:2ff:fe04:c255/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
       
lo        Protokoll:Lokale Schleife  
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
       
In our testing environment, ther are two test machines connecte to each interface with the ip of 172.31.27.10 (1) and 192.168.2.20 (2).
Like it should be, the nets are not routed because ip_forward is set to 0. We open the router together with some logging by iptable (no other rules defined):

echo "Aktiviere Forwarding ..."      
# IP Forwarding einschalten      
echo 1 > /proc/sys/net/ipv4/ip_forward
#log icmp
iptables -A INPUT   -j LOG --log-level notice --log-prefix "INPUT LOG: "
iptables -A FORWARD -j LOG --log-level notice --log-prefix "FORWARD LOG: "
iptables -A OUTPUT  -j LOG --log-level notice --log-prefix "OUTPUT LOG: "
# allow icmp
iptables -A INPUT   -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A OUTPUT  -p icmp -j ACCEPT

From now, test machine1 can ping machine 2 and vice versa:
#~ tail -F /var/log/messages
May 11 16:55:33 T4AC00 kernel: FORWARD LOG: IN=eth0 OUT=eth1 SRC="" DST=192.168.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6144
May 11 16:55:33 T4AC00 kernel: FORWARD LOG: IN=eth1 OUT=eth0 SRC="" DST=172.31.27.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=23 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=6144

So, everything look fine. Now we start fast nat. Think the 172 .. net as home-net and the 192.. net as dmz.
To get 192.168.2.20 natted by 172.31.27.20 we can use ip route / ip rule like this:

        ip rule add from 192.168.2.20 nat 172.31.27.20 to 172.31.24.0/21 table main prio 100
        ip route add nat 172.31.27.20 via 192.168.2.20

These commands work fine on an SuSE 8.2 firewall with 2.4 kernel. The ip route table local output for this route looks like this:

nat 172.31.27.20 via 192.168.2.20  scope host

and the corresponding rule looks like this:

100:        from 192.168.2.20 to 172.31.24.0/21 lookup main map-to 172.31.27.20

So far, so good: it looks like it should. But in then end, no natting happend:

May 11 16:52:25 T4AC00 kernel: FORWARD LOG: IN=eth0 OUT=eth1 SRC="" DST=172.31.27.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=30 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=4864
May 11 16:52:26 T4AC00 kernel: FORWARD LOG: IN=eth0 OUT=eth1 SRC="" DST=172.31.27.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=31 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=5120

What's wrong? From some debian textfiles as well as the .config file, the kernel should be able to perform all iproute commands.
Has anyone an idea what's wrong?  

Greetings,

Dr. Günter Sprakties
Reply to: