Linux NAT and stuff.
Hi all,
I am starting to use Debian (potato) as a firewall with NAT functions.
I have fast NAT compiled into the kernel, installed iproute2, read
through the documentation "ip-cref" and did what was suggested in
Appendix C. Everything looks fine. Except ....... I cannot connect
to the NATed machine from the internal network.
My (approx) network topology:
INTERNET --- FW1 [172.16.29.254] ---+--- [172.16.28.2] NT Lotus Notes
                                    |
                                    |
                              [172.16.29.1]
                                   FW2
                              [172.16.28.1]
                                    |
                                    |
                              [172.16.28.x]
                               desktop PCs
(don't ask me why 2 firewalls are needed, I don't know :( )
I have IP Masquerading and the NAT running in FW1
(172.16.28.x uses MASQ, 172.16.29.2 uses NAT and ipchains is
set to just forward packets)
I can connect to the Notes server from the Internet.
desktop PCs can connect to the Internet and the 2 FWs.
The 2 FWs, of course, can go anywhere.
I can connect from FW1/2 to the Notes server through 172.16.29.2.
However (here's the problem), I cannot connect from "desktop PCs"
to the Notes server.
Also, if I try to connect to the Notes server from FW1 using the
NATed address I get an "invalid argument" error.
What was the cause of these 2 errors?
The ip commands are something like this:
/sbin/ip route add nat $EXTIP via 172.16.29.2
/sbin/ip rule add prio 1000 from 172.16.29.2 to 172.16.0.0/16 table main
/sbin/ip rule add prio 1001 from 172.16.29.2 nat $EXTIP
The documentation mentioned a table called "inr.ruhep".
Was the name arbitrary? Appendix C mentioned
this table should contain "route to the destination", but
I don't know what that is supposed to be..........
Shall I use FW2 to do masquerading, and FW1 to provide NAT for
FW2 and Notes? Will it help the situation?
I just noticed that it should be easier to manage this way.
(I really think I should have posted it somewhere else.....
should I? And if yes, where should I post?)
Hope it doesn't look too difficult to understand. My English isn't
that good. :(
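The following is an added illustration for this thread, not code from the post or from iproute2. It is a small model of the stateless NAT mechanism that ip-cref Appendix C describes, fed with the three rules from the post, so the two flows in question (Internet client to the NATed address, desktop PC to the NATed address) can be traced hop by hop. The modelled semantics are an assumption drawn from ip-cref: a rule with a `nat` action rewrites the source address and then consults its table, a `nat` route rewrites the destination address, and nothing is remembered between packets, so a reply is only translated if some rule matches the reply itself. $EXTIP and the client addresses are constructed placeholders.

```python
"""Toy model of iproute2 stateless NAT (ip-cref Appendix C style).

Added illustration, not code from the post or from iproute2.  Assumed
semantics: a rule's `nat ADDR` action rewrites the source address and
then does a lookup in the rule's table; a `nat` route in a table
rewrites the destination address; translation is stateless.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Addresses from the post.  EXTIP is a constructed placeholder for $EXTIP;
# the desktop PC and the Internet client addresses are constructed too.
EXTIP = "203.0.113.10"
NOTES = "172.16.29.2"
DESKTOP = "172.16.28.5"
INTERNET_CLIENT = "198.51.100.7"


@dataclass
class Rule:
    prio: int
    src: str = "0.0.0.0/0"          # "from" selector
    dst: str = "0.0.0.0/0"          # "to" selector
    table: str = "main"             # table consulted when the rule matches
    nat_src: Optional[str] = None   # "nat ADDR" action: rewrite source to ADDR

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))


# Route entries: prefix -> ("nat", translated_dst) or ("via", next hop label).
TABLES: Dict[str, Dict[str, Tuple[str, str]]] = {
    "main": {
        EXTIP + "/32": ("nat", NOTES),      # ip route add nat $EXTIP via 172.16.29.2
        "172.16.28.0/24": ("via", "FW2 172.16.29.1"),
        "172.16.29.0/24": ("via", "directly attached"),
        "0.0.0.0/0": ("via", "Internet uplink"),
    }
}

# The two rules from the post plus the implicit default rule (prio 32766).
POST_RULES: List[Rule] = [
    Rule(prio=1000, src=NOTES + "/32", dst="172.16.0.0/16", table="main"),
    Rule(prio=1001, src=NOTES + "/32", nat_src=EXTIP),
    Rule(prio=32766, table="main"),
]


def route_lookup(table: str, dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match of dst in one table."""
    best = None
    for prefix, action in TABLES[table].items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None


def forward(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """Return the (src, dst) pair the receiver sees after FW1 forwards one packet."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if not rule.matches(src, dst):
            continue
        if rule.nat_src is not None:
            src = rule.nat_src              # source translation by the rule
        route = route_lookup(rule.table, dst)
        if route is None:
            continue                        # nothing in this table, try the next rule
        kind, arg = route
        if kind == "nat":
            dst = arg                       # destination translation by the nat route
        return src, dst
    raise RuntimeError("no route for %s -> %s" % (src, dst))


def round_trip(rules: List[Rule], client: str, server_public: str) -> Tuple[str, str]:
    """Send client -> server_public through FW1, then the server's reply back.
    Returns (address the reply arrives from, address the client sent to)."""
    fwd_src, fwd_dst = forward(rules, client, server_public)   # request
    reply_src, _ = forward(rules, fwd_dst, fwd_src)            # reply
    return reply_src, server_public


def reply_is_consistent(rules: List[Rule], client: str) -> bool:
    """True when the client gets its reply from the address it talked to."""
    reply_src, expected = round_trip(rules, client, EXTIP)
    return reply_src == expected


if __name__ == "__main__":
    for name, client in (("Internet client", INTERNET_CLIENT), ("desktop PC", DESKTOP)):
        seen, expected = round_trip(POST_RULES, client, EXTIP)
        print("%s: sent to %s, reply came from %s" % (name, expected, seen))
```

Run as a script, the model shows the Internet client's reply arriving from the public address (the prio 1001 rule rewrites the server's source), while the desktop PC's reply arrives from 172.16.29.2: the reply to a 172.16.28.x host matches the prio 1000 rule first, which consults the main table without any source translation, so the client sees an answer from an address it never contacted. Under the assumed semantics that asymmetry is what a stateless translator produces when the rule order exempts local-network destinations; verifying it on the real box means checking `ip rule show` order and watching the reply's source address on the internal interface.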