problem with fast nat
Hello,
we have a small problem getting the iproute
NAT capabilities to work:
We changed from a SuSE 8.2 2.4 kernel to
Debian. Our test equipment looks like this:
Given is a standard Debian 2.6.8-2 kernel
for 386; we also added the appropriate kernel headers.
There are two interfaces:
eth0      Link encap:Ethernet  HWaddr 00:02:1E:F1:AA:32
          inet addr:172.31.27.1  Bcast:172.31.31.255  Mask:255.255.248.0
          inet6 addr: fe80::202:1eff:fef1:aa32/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:01:02:04:C2:55
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::201:2ff:fe04:c255/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
In our testing environment, there are
two test machines connected, one to each interface, with the IPs 172.31.27.10
(1) and 192.168.2.20 (2).
As it should be, the nets are not
routed because ip_forward is set to 0. We open the router together with
some logging by iptables (no other rules defined):
echo "Enabling forwarding ..."
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# log all traffic in the three chains (no protocol match, so not only ICMP)
iptables -A INPUT -j LOG --log-level notice --log-prefix "INPUT LOG: "
iptables -A FORWARD -j LOG --log-level notice --log-prefix "FORWARD LOG: "
iptables -A OUTPUT -j LOG --log-level notice --log-prefix "OUTPUT LOG: "
# allow icmp
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
From now on, test machine 1 can ping machine
2 and vice versa:
#~ tail -F /var/log/messages
May 11 16:55:33 T4AC00 kernel: FORWARD LOG: IN=eth0 OUT=eth1 SRC="" DST=192.168.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6144
May 11 16:55:33 T4AC00 kernel: FORWARD LOG: IN=eth1 OUT=eth0 SRC="" DST=172.31.27.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=23 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=6144
So, everything looks fine. Now we start
fast NAT. Think of the 172... net as the home net and the 192... net as the DMZ.
To get 192.168.2.20 NATed as 172.31.27.20
we can use ip route / ip rule like this:
ip rule add from 192.168.2.20 nat 172.31.27.20 to 172.31.24.0/21 table main prio 100
ip route add nat 172.31.27.20 via 192.168.2.20
These commands work fine on a SuSE
8.2 firewall with a 2.4 kernel. The output of ip route for table local for this
route looks like this:
nat 172.31.27.20 via 192.168.2.20 scope host
and the corresponding rule looks like
this:
100: from 192.168.2.20 to 172.31.24.0/21 lookup main map-to 172.31.27.20
So far, so good: it looks like it should.
But in the end, no NATing happened:
May 11 16:52:25 T4AC00 kernel: FORWARD LOG: IN=eth0 OUT=eth1 SRC="" DST=172.31.27.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=30 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=4864
May 11 16:52:26 T4AC00 kernel: FORWARD LOG: IN=eth0 OUT=eth1 SRC="" DST=172.31.27.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=31 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=5120
What's wrong? From some Debian text files
as well as the .config file, the kernel should be able to perform all iproute
commands.
Has anyone an idea what's wrong?
Greetings,
Dr. Günter Sprakties
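The following is an added example, not the poster's script: the same 1:1 mapping of 192.168.2.20 behind 172.31.27.20 between the two nets above, expressed with the netfilter nat table instead of the iproute2 "nat" rule and route. Netfilter rewrites the destination in PREROUTING (before the routing decision) and the source in POSTROUTING, and connection tracking translates the replies; the iproute2 route-based NAT was dropped from the 2.6 kernel series, so on a 2.6 router this is the supported way to build the mapping. The variables, function names, the dry-run default (IPT="echo iptables") and the use of sysctl are assumptions of this example; run it as root with IPT=iptables SYSCTL=sysctl to apply it.

```shell
#!/bin/sh
# Added example (not from the original post): 1:1 NAT of the DMZ host
# 192.168.2.20 <-> 172.31.27.20 with the netfilter nat table.
# Defaults to a dry run that only prints the commands; set
# IPT=iptables SYSCTL=sysctl (as root) to apply them.
set -eu

IPT=${IPT:-"echo iptables"}      # dry run by default (assumption of this example)
SYSCTL=${SYSCTL:-"echo sysctl"}

DMZ_HOST=192.168.2.20      # real address of the host behind eth1
PUBLIC_ADDR=172.31.27.20   # address the home net sees for it
HOME_NET=172.31.24.0/21    # home net on the eth0 side, as in the ip rule
HOME_IF=eth0
DMZ_IF=eth1

enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
}

# The two nat rules that take the place of "ip rule ... nat" and
# "ip route add nat ...".
one_to_one_nat() {
    # home net -> PUBLIC_ADDR: rewrite the destination before the routing
    # decision, so the packet is routed (and logged in FORWARD) with
    # DST=DMZ_HOST and goes out via eth1.
    $IPT -t nat -A PREROUTING -i "$HOME_IF" -d "$PUBLIC_ADDR" \
        -j DNAT --to-destination "$DMZ_HOST"
    # DMZ_HOST -> home net: rewrite the source after routing, so the home
    # net only ever sees PUBLIC_ADDR. Replies to the DNATed flows are
    # reverse-translated by connection tracking and need no rule.
    $IPT -t nat -A POSTROUTING -o "$HOME_IF" -s "$DMZ_HOST" -d "$HOME_NET" \
        -j SNAT --to-source "$PUBLIC_ADDR"
}

# The filter table still has to let the translated packets through.
allow_forward() {
    $IPT -A FORWARD -i "$HOME_IF" -o "$DMZ_IF" -d "$DMZ_HOST" -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$HOME_IF" -s "$DMZ_HOST" -j ACCEPT
}

# Count the generated nat rules that contain a pattern; used to sanity
# check the rule set in dry-run mode (exactly one DNAT and one SNAT).
count_nat_rules() {
    one_to_one_nat | grep -c -- "$1" || true
}

enable_forwarding
one_to_one_nat
allow_forward
```

After applying, `iptables -t nat -L -n -v` shows the two rules with their packet counters, and a ping from 172.31.27.10 to 172.31.27.20 should now be logged in the FORWARD chain with DST=192.168.2.20, because the DNAT has already happened when the packet reaches FORWARD.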