
Re: Linux NAT and stuff.



Are you trying to access the NAT'd machine from in front of the debian box
doing the NAT?  From the looks of it you are doing NAT on only part of
the network.. the desktop PCs section (?)   You will not be able to access
the NAT'd machines from in front of the debian box doing the NAT even if
it's on the same network. If you need this functionality you need something
that can do reverse NAT.

I hope I understood your problem :)

nate



On Tue, 28 Dec 1999, Ronald Tin wrote:

csthf9 >Hi all,
csthf9 >
csthf9 > I am starting to use Debian (potato) as a firewall with NAT functions.
csthf9 >I have fast NAT compiled into the kernel, installed iproute2, read
csthf9 >through the documentation "ip-cref" and did what was suggested in
csthf9 >Appendix C. Everything looks fine. Except ....... I cannot connect
csthf9 >to the NATed machine from the internal network.
csthf9 >
csthf9 >My (approx) network topology:
csthf9 >
csthf9 > INTERNET  --- FW1 [172.16.29.254] ---+--- [172.16.28.2] NT Lotus Notes
csthf9 >                                      |
csthf9 >                                      |
csthf9 >                                [172.16.29.1]
csthf9 >                                     FW2
csthf9 >                                [172.16.28.1]
csthf9 >                                      |
csthf9 >                                      |
csthf9 >                                [172.16.28.x]
csthf9 >                                 desktop PCs
csthf9 >
csthf9 >(don't ask me why 2 firewalls are needed, I don't know :( )
csthf9 >
csthf9 >I have IP Masquerading and the NAT running in FW1
csthf9 >(172.16.28.x uses MASQ, 172.16.29.2 uses NAT and ipchains is
csthf9 > set to just forward packets)
csthf9 >
csthf9 >I can connect to the Notes server from the Internet.
csthf9 >desktop PCs can connect to the Internet and the 2 FWs.
csthf9 >The 2 FWs, of course, can go anywhere.
csthf9 >I can connect from FW1/2 to the Notes server through 172.16.29.2.
csthf9 >However (here's the problem), I cannot connect from "desktop PCs"
csthf9 >to the Notes server.
csthf9 >Also, if I try to connect to the Notes server from FW1 using the
csthf9 >NATed address I get an "invalid argument" error.
csthf9 >
csthf9 >What was the cause of these 2 errors?
csthf9 >
csthf9 >The ip commands are something like this:
csthf9 >   /sbin/ip route add nat $EXTIP via 172.16.29.2
csthf9 >   /sbin/ip rule add prio 1000 from 172.16.29.2 to 172.16.0.0/16 table main
csthf9 >   /sbin/ip rule add prio 1001 from 172.16.29.2 nat $EXTIP
csthf9 >
csthf9 >The documentation mentioned a table called "inr.ruhep".
csthf9 >Was the name arbitrary? Appendix C mentioned
csthf9 >this table should contain "route to the destination", but
csthf9 >I don't know what that is supposed to be..........
csthf9 >
csthf9 >
csthf9 >Shall I use FW2 to do masquerading, and FW1 to provide NAT for
csthf9 >FW2 and Notes? Will it help the situation?
csthf9 >I just noticed that it should be easier to manage this way.
csthf9 >
csthf9 >
csthf9 >(I really think I should have posted it somewhere else.....
csthf9 > should I? And if yes, where should I post?)
csthf9 >
csthf9 >Hope it doesn't look too difficult to understand. My English isn't
csthf9 >that good. :(
csthf9 >
csthf9 >

----------------------------------------[mailto:aphro@aphroland.org ]--
   Vice President Network Operations       http://www.firetrail.com/
  Firetrail Internet Services Limited      http://www.aphroland.org/
       Everett, WA 425-348-7336            http://www.linuxpowered.net/
            Powered By:                    http://comedy.aphroland.org/
    Debian 2.1 Linux 2.0.36 SMP            http://yahoo.aphroland.org/
-----------------------------------------[mailto:aphro@netquest.net ]--
8:11pm up 131 days, 8:04, 3 users, load average: 2.05, 1.63, 1.56
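Added illustration, not part of the original thread: a small Python model of the three iproute2 commands quoted in the post, tracing the source and destination addresses of a client's SYN and the Notes server's reply through FW1. The `ip route add nat` entry rewrites the destination of packets arriving for $EXTIP, and the `ip rule ... nat` entry rewrites the source of packets leaving 172.16.29.2, but the rule at prio 1000 sends replies bound for 172.16.0.0/16 through table main first, so those replies are never rewritten. The external address, the client addresses and the rule encoding are constructed for the example; the packet tuples are addresses only (no ports).

```python
import ipaddress

EXTIP = "203.0.113.10"      # constructed stand-in for $EXTIP in the post
NOTES = "172.16.29.2"       # NATed address of the Notes server (from the post)

# /sbin/ip route add nat $EXTIP via 172.16.29.2
# -> packets arriving for EXTIP get their destination rewritten to NOTES.
NAT_ROUTES = {EXTIP: NOTES}

# /sbin/ip rule add prio 1000 from 172.16.29.2 to 172.16.0.0/16 table main
# /sbin/ip rule add prio 1001 from 172.16.29.2 nat $EXTIP
# Encoded as (priority, from, to-prefix or None, action); lower prio wins.
RULES = [
    (1000, NOTES, "172.16.0.0/16", ("table", "main")),
    (1001, NOTES, None, ("nat", EXTIP)),
]


def inbound(pkt):
    """Destination NAT applied to a packet entering FW1: (src, dst) -> (src, dst')."""
    src, dst = pkt
    return (src, NAT_ROUTES.get(dst, dst))


def outbound(pkt):
    """Policy-routing rules applied, in priority order, to a packet leaving via FW1."""
    src, dst = pkt
    for _prio, frm, to, action in sorted(RULES):
        if src != frm:
            continue
        if to is not None and ipaddress.ip_address(dst) not in ipaddress.ip_network(to):
            continue
        if action[0] == "nat":
            return (action[1], dst)      # source rewritten to the public address
        return (src, dst)                # routed through table main, no rewrite
    return (src, dst)


def hairpin(client):
    """Trace client -> EXTIP and the reply back.

    Returns (accepted, reply_as_seen_by_client). A client's TCP stack only
    accepts the SYN-ACK if it comes from the address the SYN was sent to.
    """
    syn = (client, EXTIP)
    syn_at_server = inbound(syn)
    # The server answers by swapping the addresses it saw.
    synack = (syn_at_server[1], syn_at_server[0])
    synack_at_client = outbound(synack)
    return synack_at_client[0] == EXTIP, synack_at_client


if __name__ == "__main__":
    # Constructed sample clients: one desktop PC, one host on the Internet.
    for client in ("172.16.28.5", "198.51.100.7"):
        ok, reply = hairpin(client)
        print(f"{client}: reply from {reply[0]} -> {'accepted' if ok else 'dropped'}")
```

For the Internet client the reply is rewritten to come from EXTIP and the handshake completes; for the desktop PC the prio 1000 rule matches first, the reply arrives from 172.16.29.2, and the client discards it because it is talking to EXTIP. The same mismatch occurs if the reply never crosses FW1 at all (for instance if server and desktops share a path through FW2), which is why reaching the NATed address from inside needs the translation to be applied on the return path too, or internal hosts need to use the internal address directly.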