* Re: NAT question
@ 2004-06-30 13:28 Kiran Kumar Immidi
2004-06-30 14:02 ` Vijaya Chandra Vupputuri
From: Kiran Kumar Immidi @ 2004-06-30 13:28 UTC (permalink / raw)
To: immidi, netfilter-devel, Vijaya Chandra Vupputuri
[-- Attachment #1: Type: text/html, Size: 816 bytes --]
* Re: NAT question
2004-06-30 13:28 NAT question Kiran Kumar Immidi
@ 2004-06-30 14:02 ` Vijaya Chandra Vupputuri
From: Vijaya Chandra Vupputuri @ 2004-06-30 14:02 UTC (permalink / raw)
To: immidi; +Cc: netfilter-devel
I have just grepped for icmp in /proc/net/ip_conntrack while pinging the
same box from two systems
icmp 1 29 src=192.168.1.80 dst=172.16.0.102 type=8 code=0 id=62829 src=172.16.0.102 dst=172.16.0.100 type=0 code=0 id=62829 use=1
icmp 1 29 src=192.168.1.180 dst=172.16.0.102 type=8 code=0 id=38527 src=172.16.0.102 dst=172.16.0.100 type=0 code=0 id=38527 use=1
The 'identifier' of the ICMP msg seems to be the key that is being used
for guessing the actual source while handling the response.
No idea as to what would happen if both the systems decide to use the
same identifier though.
The ICMP RFC says
The identifier and sequence number may be used by the echo sender
to aid in matching the replies with the echo requests. For
example, the identifier might be used like a port in TCP or UDP to
identify a session, and the sequence number might be incremented
on each echo request sent. The echoer returns these same values
in the echo reply.
I guess conntrack would change the id just like it does with the tcp/udp
ports in case of a clash to identify the correct destination while
handling the response.
Regards,
Vijay.
On Wed, 2004-06-30 at 18:58, Kiran Kumar Immidi wrote:
>
> Regards,
> Kiran Kumar Immidi
>
> On Wed, 30 Jun 2004 17:56 , Vijaya Chandra Vupputuri
> <vijay@tachyontech.net> sent:
>
> >If A and B send packets to a server, say google.com:80 using the local
> >port 10000, when the pkts get SNATed on C, the source ports would be
> >different from 10000 (21000 and 32000 for example) and when google.com
> >sends back the packets to those new port numbers, conntrack would change
> >the dst-port numbers to 10000 along with the dst-ip address.
>
> Oh yes, this answers my question. But how about ICMP which does not
> have a concept of port?
> I have asked this in another mail.
>
>
> ______________________________________________________________________
> Cool Things Happen When Mac Users Meet! Join the community in Boston
> this July: www.macworldexpo.com
* NAT question
@ 2012-01-25 16:16 Stephen Clark
2012-01-25 17:30 ` Jan Engelhardt
From: Stephen Clark @ 2012-01-25 16:16 UTC (permalink / raw)
To: Netfilter Developer Mailing List
Can iptables do a network to network nat without having to write out a bunch of
nat rules?
In other words translate 192.168.198.0/24 to 172.16.10.0/24 without having to
write out 256 rules.
Also can iptables handle 1000 nat rules like above if they have to be written out on
a 1.66ghz intel dual core atom with 1gb of mem?
I know this isn't an appropriate question for the devel list but I didn't find anything
googling.
Thanks,
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
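An added illustration, not from the thread: what a single network-to-network mapping does. iptables' NETMAP target (`-j NETMAP --to 172.16.10.0/24`, matched with `-s 192.168.198.0/24`) rewrites only the network bits of an address and keeps the host bits, so one rule covers every host in the prefix. The function below reproduces that arithmetic offline so the effect can be checked without a firewall; the function names are mine, the prefixes are the ones named in the question.

```python
"""Added example (not code from the thread): the address arithmetic behind a
one-rule network-to-network NAT, as iptables' NETMAP target performs it.
Equivalent rule (assumed form, not quoted from the thread):
    iptables -t nat -A POSTROUTING -s 192.168.198.0/24 -j NETMAP --to 172.16.10.0/24
"""
import ipaddress


def netmap(addr, from_net, to_net):
    """Return addr with its network bits replaced by those of to_net; the host
    bits are preserved.  Raises ValueError when addr lies outside from_net or
    the two prefixes differ in length (NETMAP needs equal-sized networks)."""
    ip = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("prefix lengths must match")
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def reverse_netmap(addr, from_net, to_net):
    """Reply direction: conntrack undoes the mapping with the same arithmetic,
    which is why no per-host state is needed for the 256 addresses."""
    return netmap(addr, to_net, from_net)
```

The mapping is a pure function of the address, so the rule count does not grow with the number of hosts; it also generalizes to any equal-length prefix pair (a /16 to a /16, for instance), not only the /24 in the question.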
* RE: NAT question
@ 2005-03-11 15:15 Justin Piszcz
From: Justin Piszcz @ 2005-03-11 15:15 UTC (permalink / raw)
To: Jason Opperisano, netfilter
It is either that or what I took from this thread is that he wants the
actual public IP's behind his main machine.
Router ----------> MAINBOX (public ip#1) ---------> BOX1 (public ip#2) ---------> BOX2 (public ip#3)
Is this the case?
If so, it is possible but I have not personally tried it myself using an
arp daemon so you basically send/forward the traffic to the other hosts.
Check the networking options and help in the kernel configuration for
more information.
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jason
Opperisano
Sent: Friday, March 11, 2005 10:13 AM
To: netfilter@lists.netfilter.org
Subject: Re: NAT question
On Fri, 2005-03-11 at 08:56, Dimitri Yioulos wrote:
> >> Hello, all.
> >>
> >> I've recently set up iptables-1.2.8-12.3 on a CentOS 3.4 (RHEL AS 3) box.
> >> Among other things, I've created a DMZ where my Web and mail servers
> >> live.
> >> My problem is that my Web and mail servers identify themselves with the
> >> NAT
> >> ip address that I've assigned. Here's my NAT rule:
> >>
> >> IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source
> >> $INET_IP
> >>
> >> How can I get these two servers to identify themselves by their own ip
> >> addresses and still provide NAT for my users?
>
> >specify the source address so that only packets from the inside network
> >match the SNAT rule:
>
> > iptables -t nat -A POSTROUTING -o $INET_IFACE -s $INSIDE_NET \
> > -j SNAT --to-source $INET_IP
>
>
> Thanks to all for your replies!
>
> I was hopeful about applying the above rule. Internet connectivity is fine;
> inbound mail is fine; outbound mail seems not to make it (if the list
> receives this, it's because I rolled back to the original rule). Does that
> make any sense?
>
> Dimitri
are your web and mail servers NAT-ed as well? it was unclear from your
original post, and I assumed that you were using Internet-routed IP space
in your DMZ. if this is not the case--you need to put your rules in the
proper order.
if you have a static (one-to-one) NAT for a DMZ machine, and also want
to perform a hide NAT (many-to-one) NAT for your internal net's outbound
traffic--you'd have something like:
# inbound one-to-one NAT for web server
iptables -t nat -A PREROUTING -i $INET_IFACE -d $WEB_SRV_PUB_IP \
-j DNAT --to-destination $WEB_SRV_PRIV_IP
# outbound one-to-one NAT for web server
iptables -t nat -A POSTROUTING -o $INET_IFACE -s $WEB_SRV_PRIV_IP \
-j SNAT --to-source $WEB_SRV_PUB_IP
# outbound many-to-one NAT for inside net
iptables -t nat -A POSTROUTING -o $INET_IFACE -s $INSIDE_NET \
-j SNAT --to-source $INET_IP
order matters--place the one-to-one SNAT rules before any many-to-one
SNAT rules.
in order for packets destined for $WEB_SRV_PUB_IP to make it to your
firewall's $INET_IFACE, it either needs to be routed that way by your
upstream Internet router, or you need to add it as an alias:
ip addr add $WEB_SRV_PUB_IP dev $INET_IFACE
HTH... and sorry for misleading before.
-j
--
"Do you want to change your name to Homer Junior? The kids can call
you Hoju!"
--The Simpsons
* NAT question
@ 2005-03-11 12:43 Dimitri Yioulos
2005-03-11 12:50 ` Jason Opperisano
2005-03-11 13:06 ` John A. Sullivan III
From: Dimitri Yioulos @ 2005-03-11 12:43 UTC (permalink / raw)
To: netfilter
Hello, all.
I've recently set up iptables-1.2.8-12.3 on a CentOS 3.4 (RHEL AS 3) box.
Among other things, I've created a DMZ where my Web and mail servers live.
My problem is that my Web and mail servers identify themselves with the NAT
ip address that I've assigned. Here's my NAT rule:
IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
How can I get these two servers to identify themselves by their own ip
addresses and still provide NAT for my users?
Hope I've provided enough info., and my question isn't too lame.
Many thanks.
Dimitri
* Re: NAT question
2005-03-11 12:43 Dimitri Yioulos
@ 2005-03-11 12:50 ` Jason Opperisano
2005-03-11 13:56 ` Dimitri Yioulos
2005-03-11 13:06 ` John A. Sullivan III
From: Jason Opperisano @ 2005-03-11 12:50 UTC (permalink / raw)
To: netfilter
On Fri, 2005-03-11 at 07:43, Dimitri Yioulos wrote:
> Hello, all.
>
> I've recently set up iptables-1.2.8-12.3 on a CentOS 3.4 (RHEL AS 3) box.
> Among other things, I've created a DMZ where my Web and mail servers live.
> My problem is that my Web and mail servers identify themselves with the NAT
> ip address that I've assigned. Here's my NAT rule:
>
> IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
>
> How can I get these two servers to identify themselves by their own ip
> addresses and still provide NAT for my users?
specify the source address so that only packets from the inside network
match the SNAT rule:
iptables -t nat -A POSTROUTING -o $INET_IFACE -s $INSIDE_NET \
-j SNAT --to-source $INET_IP
-j
--
"The kneebone's connected to the... something. The something's
connected to the... red thing. The red thing's connected to my wrist
watch... Uh oh."
--The Simpsons
* Re: NAT question
2005-03-11 12:50 ` Jason Opperisano
@ 2005-03-11 13:56 ` Dimitri Yioulos
2005-03-11 15:13 ` Jason Opperisano
From: Dimitri Yioulos @ 2005-03-11 13:56 UTC (permalink / raw)
To: netfilter
>> Hello, all.
>>
>> I've recently set up iptables-1.2.8-12.3 on a CentOS 3.4 (RHEL AS 3) box.
>> Among other things, I've created a DMZ where my Web and mail servers
>>live.
>> My problem is that my Web and mail servers identify themselves with the
>> NAT
>> ip address that I've assigned. Here's my NAT rule:
>>
>> IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source
>> $INET_IP
>>
>> How can I get these two servers to identify themselves by their own ip
>> addresses and still provide NAT for my users?
>specify the source address so that only packets from the inside network
>match the SNAT rule:
> iptables -t nat -A POSTROUTING -o $INET_IFACE -s $INSIDE_NET \
> -j SNAT --to-source $INET_IP
Thanks to all for your replies!
I was hopeful about applying the above rule. Internet connectivity is fine;
inbound mail is fine; outbound mail seems not to make it (if the list
receives this, it's because I rolled back to the original rule). Does that
make any sense?
Dimitri
* Re: NAT question
2005-03-11 13:56 ` Dimitri Yioulos
@ 2005-03-11 15:13 ` Jason Opperisano
2005-03-11 15:41 ` Dimitri Yioulos
From: Jason Opperisano @ 2005-03-11 15:13 UTC (permalink / raw)
To: netfilter
On Fri, 2005-03-11 at 08:56, Dimitri Yioulos wrote:
> >> Hello, all.
> >>
> >> I've recently set up iptables-1.2.8-12.3 on a CentOS 3.4 (RHEL AS 3) box.
> >> Among other things, I've created a DMZ where my Web and mail servers
> >>live.
> >> My problem is that my Web and mail servers identify themselves with the
> >> NAT
> >> ip address that I've assigned. Here's my NAT rule:
> >>
> >> IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source
> >> $INET_IP
> >>
> >> How can I get these two servers to identify themselves by their own ip
> >> addresses and still provide NAT for my users?
>
> >specify the source address so that only packets from the inside network
> >match the SNAT rule:
>
> > iptables -t nat -A POSTROUTING -o $INET_IFACE -s $INSIDE_NET \
> > -j SNAT --to-source $INET_IP
>
>
> Thanks to all for your replies!
>
> I was hopeful about applying the above rule. Internet connectivity is fine;
> inbound mail is fine; outbound mail seems not to make it (if the list
> receives this, it's because I rolled back to the original rule). Does that
> make any sense?
>
> Dimitri
are your web and mail servers NAT-ed as well? it was unclear from your
original post, and I assumed that you were using Internet-routed IP space
in your DMZ. if this is not the case--you need to put your rules in the
proper order.
if you have a static (one-to-one) NAT for a DMZ machine, and also want
to perform a hide NAT (many-to-one) NAT for your internal net's outbound
traffic--you'd have something like:
# inbound one-to-one NAT for web server
iptables -t nat -A PREROUTING -i $INET_IFACE -d $WEB_SRV_PUB_IP \
-j DNAT --to-destination $WEB_SRV_PRIV_IP
# outbound one-to-one NAT for web server
iptables -t nat -A POSTROUTING -o $INET_IFACE -s $WEB_SRV_PRIV_IP \
-j SNAT --to-source $WEB_SRV_PUB_IP
# outbound many-to-one NAT for inside net
iptables -t nat -A POSTROUTING -o $INET_IFACE -s $INSIDE_NET \
-j SNAT --to-source $INET_IP
order matters--place the one-to-one SNAT rules before any many-to-one
SNAT rules.
in order for packets destined for $WEB_SRV_PUB_IP to make it to your
firewall's $INET_IFACE, it either needs to be routed that way by your
upstream Internet router, or you need to add it as an alias:
ip addr add $WEB_SRV_PUB_IP dev $INET_IFACE
HTH... and sorry for misleading before.
-j
--
"Do you want to change your name to Homer Junior? The kids can call
you Hoju!"
--The Simpsons
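The "order matters" point above, as an added example that is not part of the thread: a first-match walk over the nat POSTROUTING chain. It reproduces the three states of Dimitri's firewall (the original catch-all SNAT, the two rules in the wrong order, and the order Jason recommends) and shows which source address the Internet sees for a packet from the DMZ web server. The rule semantics (rules tried top to bottom, SNAT terminating) are netfilter's; the chain model, function names and the addresses standing in for $INET_IP, $WEB_SRV_PUB_IP, $WEB_SRV_PRIV_IP and $INSIDE_NET are constructed.

```python
"""Added example, not code from the thread: a minimal model of iptables'
nat/POSTROUTING chain to show why a one-to-one SNAT rule must precede the
many-to-one (hide NAT) rule that also matches its source."""
import ipaddress
from dataclasses import dataclass


@dataclass
class SnatRule:
    out_iface: str                 # -o
    src: ipaddress.IPv4Network     # -s (a /32 for a single host, 0.0.0.0/0 for none)
    to_source: str                 # --to-source


def postrouting(chain, out_iface, src_ip):
    """Try rules top to bottom; the first match rewrites the source address
    and ends traversal.  With no match the packet leaves untranslated."""
    ip = ipaddress.ip_address(src_ip)
    for rule in chain:
        if rule.out_iface == out_iface and ip in rule.src:
            return rule.to_source
    return src_ip


# Constructed stand-ins for the shell variables used in the thread
INET_IFACE = "eth0"
INET_IP = "198.51.100.1"          # shared hide-NAT address
WEB_SRV_PUB_IP = "198.51.100.2"   # the web server's own public address
WEB_SRV_PRIV_IP = "192.168.1.10"  # its DMZ address, which lies inside INSIDE_NET
INSIDE_NET = "192.168.1.0/24"

any_source = SnatRule(INET_IFACE, ipaddress.ip_network("0.0.0.0/0"), INET_IP)
one_to_one = SnatRule(INET_IFACE, ipaddress.ip_network(WEB_SRV_PRIV_IP + "/32"), WEB_SRV_PUB_IP)
many_to_one = SnatRule(INET_IFACE, ipaddress.ip_network(INSIDE_NET), INET_IP)


def chain_original():
    """Dimitri's first rule set: one SNAT with no -s, so it hides everything."""
    return [any_source]


def chain_wrong_order():
    """Many-to-one first: it also matches the web server, so the specific
    rule below it never fires."""
    return [many_to_one, one_to_one]


def chain_right_order():
    """Specific host rule first, catch-all network rule after it."""
    return [one_to_one, many_to_one]


def seen_by_internet(chain, src_ip):
    """Source address a remote host sees for a packet leaving via INET_IFACE."""
    return postrouting(chain, INET_IFACE, src_ip)
```

The same first-match logic is why John Sullivan's later message inserts the per-host SNAT with `-I POSTROUTING 1`: appending it after the general rule would leave it unreachable for any host the general rule already covers.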
* Re: NAT question
2005-03-11 15:13 ` Jason Opperisano
@ 2005-03-11 15:41 ` Dimitri Yioulos
2005-03-11 15:46 ` Jason Opperisano
From: Dimitri Yioulos @ 2005-03-11 15:41 UTC (permalink / raw)
To: netfilter
> >> Hello, all.
> >>
> >> I've recently set up iptables-1.2.8-12.3 on a CentOS 3.4 (RHEL AS 3) box.
> >> Among other things, I've created a DMZ where my Web and mail servers
> >> live.
> >> My problem is that my Web and mail servers identify themselves with the
> >> NAT
> >> ip address that I've assigned. Here's my NAT rule:
> >>
> >> IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source
> >> $INET_IP
> >>
> >> How can I get these two servers to identify themselves by their own ip
> >> addresses and still provide NAT for my users?
>
> >specify the source address so that only packets from the inside network
> >match the SNAT rule:
>
> > iptables -t nat -A POSTROUTING -o $INET_IFACE -s $INSIDE_NET \
> > -j SNAT --to-source $INET_IP
>
>
> Thanks to all for your replies!
>
> I was hopeful about applying the above rule. Internet connectivity is fine;
> inbound mail is fine; outbound mail seems not to make it (if the list
> receives this, it's because I rolled back to the original rule). Does that
> make any sense?
>
> Dimitri
-are your web and mail servers NAT-ed as well? it was unclear from your
-original post, an i assumed that you were using Internet-routed IP space
-in your DMZ. if this is not the case--you need to put your rules in the
-proper order.
-
-if you have a static (one-to-one) NAT for a DMZ machine, and also want
-to perform a hide NAT (many-to-one) NAT for your internal net's outbound
-traffic--you'd have something like:
-
- # inbound one-to-one NAT for web server
- iptables -t nat -A PREROUTING -i $INET_IFACE -d $WEB_SRV_PUB_IP \
- -j DNAT --to-destination $WEB_SRV_PRIV_IP
-
- # outbound one-to-one NAT for web server
- iptables -t nat -A POSTROUTING -o $INET_IFACE -s $WEB_SRV_PRIV_IP \
- -j SNAT --to-source $WEB_SRV_PUB_IP
-
- # outbound many-to-one NAT for inside net
- iptables -t nat -A POSTROUTING -o $INET_IFACE -s $INSIDE_NET \
- -j SNAT --to-source $INET_IP
-order matters--place the one-to-one SNAT rules before any many-to-one
-SNAT rules.
-in order for packets destined for $WEB_SRV_PUB_IP to make it to your
-firewall's $INET_IFACE, it either needs to be routed that way by your
-upstream Internet router, or you need to add it as an alias:
- ip addr add $WEB_SRV_PUB_IP dev $INET_IFACE
-HTH... any sorry for misleading before.
Sorry for any confusion I may be causing. Here's a little more info.:
I've aliased my Web and mail server public addresses to eth0:0 and eth0:1
(eth0 being the external interface). I think I've read that this isn't the
optimal set-up, but it does work. That shouldn't matter, should it?
The key here may be in omitting a NAT postrouting rule (sorry if the
terminology is incorrect). Here's what I have:
IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SMTP_IP --dport 25 \
-j DNAT --to-destination $DMZ_SMTP_IP
IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $SMTP_IP --dport 25 \
-j DNAT --to-destination $DMZ_SMTP_IP
IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SMTP_IP --dport \
110 -j DNAT --to-destination $DMZ_SMTP_IP
IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $SMTP_IP --dport \
110 -j DNAT --to-destination $DMZ_SMTP_IP
IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
in that order. I will change the last rule to include -s $INSIDE_NET. I
also notice that I don't have the outbound one-to-one NAT for web or mail
servers. So, if I add:
IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $WEB_SRV_PRIV_IP \
-j SNAT --to-source $WEB_SRV_PUB_IP
and
IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $MAIL_SRV_PRIV_IP \
-j SNAT --to-source $MAIL_SRV_PUB_IP
just after the outbound many-to-one NAT for inside net as above, will I be
good?
Thanks so much for your time.
* Re: NAT question
2005-03-11 15:41 ` Dimitri Yioulos
@ 2005-03-11 15:46 ` Jason Opperisano
From: Jason Opperisano @ 2005-03-11 15:46 UTC (permalink / raw)
To: netfilter
On Fri, 2005-03-11 at 10:41, Dimitri Yioulos wrote:
> Sorry for any confusion I may be causing. Here's a little more info.:
>
> I've aliased my Web and mail server public addresses to eth0:0 and eth0:1
> (eth0 being the external interface). I think I've read that this isn't the
> optimal set-up, but it does work. That shouldn't matter, should it?
>
> The key here may be in omitting a NAT postrouting rule (sorry if the
> terminology is incorrect). Here's what I have:
>
> IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
> -j DNAT --to-destination $DMZ_HTTP_IP
> IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SMTP_IP --dport 25 \
> -j DNAT --to-destination $DMZ_SMTP_IP
> IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $SMTP_IP --dport 25 \
> -j DNAT --to-destination $DMZ_SMTP_IP
> IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SMTP_IP --dport \
> 110 -j DNAT --to-destination $DMZ_SMTP_IP
> IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $SMTP_IP --dport \
> 110 -j DNAT --to-destination $DMZ_SMTP_IP
> IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
>
> in that order. I will change the last rule to include -s $INSIDE_NET. I
> also notice that I don't have the outbound one-to-one NAT for web or mail
> servers. So, if I add:
>
> IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $WEB_SRV_PRIV_IP \
> -j SNAT --to-source $WEB_SRV_PUB_IP
>
> and
>
> IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $MAIL_SRV_PRIV_IP \
> -j SNAT --to-source $MAIL_SRV_PUB_IP
>
> just after the outbound many-to-one NAT for inside net as above, will I be
> good?
yes.
> Thanks so much for your time.
no prob.
-j
--
"It takes two to lie. One to lie and one to listen."
--The Simpsons
* Re: NAT question
2005-03-11 12:43 Dimitri Yioulos
2005-03-11 12:50 ` Jason Opperisano
@ 2005-03-11 13:06 ` John A. Sullivan III
From: John A. Sullivan III @ 2005-03-11 13:06 UTC (permalink / raw)
To: Dimitri Yioulos; +Cc: Netfilter users list
On Fri, 2005-03-11 at 07:43 -0500, Dimitri Yioulos wrote:
> Hello, all.
>
>
>
> I've recently set up iptables-1.2.8-12.3 on a CentOS 3.4 (RHEL AS 3) box.
> Among other things, I've created a DMZ where my Web and mail servers live.
> My problem is that my Web and mail servers identify themselves with the NAT
> ip address that I've assigned. Here's my NAT rule:
>
>
>
> IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
>
>
>
> How can I get these two servers to identify themselves by their own ip
> addresses and still provide NAT for my users?
>
>
>
> Hope I've provided enough info., and my question isn't too lame.
>
>
>
> Many thanks.
<snip>
Certainly we want to welcome and help beginners. It was a very good
choice to place these public devices behind a firewall rather than
directly on the Internet. For your own sake, you may want to learn a
little more about NAT so that, armed with the information we give you,
you don't accidentally hurt yourself by some other lack of information.
I do not know a good resource for NAT off the top of my head but for how
iptables NAT works, I started with Oskar Andreasson's great tutorial at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
There are also some slightly dated slide shows in the training section
of the ISCS network security management project at
http://iscs.sourceforge.net
On to the specific problem. To allow inbound NAT (DNAT), you need to do
several things. First, ensure that you indeed have available public
addresses that you can assign to the DMZ devices.
Next, you will want to bind these two separate addresses (and separate
from your firewall's address) to the firewall's public interface using
iproute2 (see the slideshow about iproute2 on
http://iscs.sourceforge.net).
ip address add x.x.x.?/<masklength> dev $INET_INTERFACE
for example ip address add 1.1.1.2/24 dev eth0
Next, you will need to create DNAT rules for each so that the public
address of the public servers is changed to the private address, e.g.,
iptables -t nat -A PREROUTING -d 1.1.1.2 -i $INET_IF -j DNAT --to-destination 192.168.1.2
If you also want to have those devices use their assigned addresses for
traffic they initiate, you will want a corresponding SNAT rule, e.g.,
iptables -t nat -I POSTROUTING 1 -s 192.168.1.2 -o $INET_IF -j SNAT --to-source 1.1.1.2
Note that we want this rule to be processed before the general user SNAT
rule.
Finally, you will need rules in the FORWARD chain of the filter table to
allow the DNAT traffic to the DMZ devices using the private address,
e.g.,
iptables -A FORWARD -d 192.168.1.2 -p 6 --dport 80 -j ACCEPT
Finally, there are some DNS issues for your internal users and several
different possible ways to address them. I believe the issues are
clearly articulated in Oskar's tutorial and he proposes a single DNS
solution. I have typically used split DNS.
You may also want some general protection rules to stop general attacks
and spoofing. There are lots of good sources for this. I think
Shorewall publishes lots of good scripts for such protection. Some
rules have been posted in the archives. If you take a look in the CVS
for the ISCS project, you will find the iptables.boot and
iptables.boot.local files. These contain the general protection rules I
use as well as anti-spoofing rules to prevent both inbound and outbound
spoofing (i.e., being a good Internet citizen).
For an early morning answer after cleaning up a full mug of spilled
coffee and the dog's epileptic seizure, that's all I think you need off
the top of my head. Good luck - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
* Re: NAT question
@ 2004-06-30 13:25 Kiran Kumar Immidi
2004-06-30 14:21 ` Henrik Nordstrom
From: Kiran Kumar Immidi @ 2004-06-30 13:25 UTC (permalink / raw)
To: Kiran Kumar Immidi, netfilter-devel, Henrik Nordstrom
[-- Attachment #1: Type: text/html, Size: 1407 bytes --]
* Re: NAT question
2004-06-30 13:25 Kiran Kumar Immidi
@ 2004-06-30 14:21 ` Henrik Nordstrom
From: Henrik Nordstrom @ 2004-06-30 14:21 UTC (permalink / raw)
To: Kiran Kumar Immidi; +Cc: netfilter-devel
On Wed, 30 Jun 2004, Kiran Kumar Immidi wrote:
> Suppose I have connections from A and B (both with coincidentally the same local port, say 3000),
> both connecting to the same dest ip, port (say D:80). Now both are SNATted at C. Firstly, Is this possible?
Yes, but one of them will be assigned another local port after the SNAT
(SNAT gateway <-> web server)
> Then how about ICMP, suppose A and B send ICMP echo request to a machine D, and the
> requests are NATted at C, the reply in both cases would be from D to C. Then would this be
> allowed?
There is magic with the request number for these. It is in all aspects
similar to the port number of TCP/UDP except that there is only one (not
source+destination).
Regards
Henrik
* NAT question
@ 2004-06-30 11:36 Kiran Kumar Immidi
2004-06-30 11:55 ` Henrik Nordstrom
2004-06-30 12:26 ` Vijaya Chandra Vupputuri
From: Kiran Kumar Immidi @ 2004-06-30 11:36 UTC (permalink / raw)
To: netfilter-devel
Hi,
When packets are being masqueraded from multiple machines through a NAT box,
how would the response be identified as part of a particular connection. So, if
we have (identical, as regards port numbers and dest ip address) packets from A
and B snatted at C, how is the reply (to C) identified as belonging to either A
or B? There does not seem to be any information in the packet to distinguish it.
Regards,
Kiran Kumar Immidi
* Re: NAT question
2004-06-30 11:36 Kiran Kumar Immidi
@ 2004-06-30 11:55 ` Henrik Nordstrom
2004-06-30 12:26 ` Vijaya Chandra Vupputuri
From: Henrik Nordstrom @ 2004-06-30 11:55 UTC (permalink / raw)
To: Kiran Kumar Immidi; +Cc: netfilter-devel
On Wed, 30 Jun 2004, Kiran Kumar Immidi wrote:
> When packets are being masqueraded from multiple machines through a NAT box,
> how would the response be identified as part of a particular connection.
By its ip:port tuple (both source and destination).
> So, if we have (identical, as regards port numbers and dest ip address)
> packets from A and B snatted at C, how is the reply (to C) identified as
> belonging to either A or B?
By which port on C the reply traffic is addressed to.
The NAT engine always guarantees that at least one field in the address
tuple (source ip,port destination ip,port) is different as required to
correctly identify individual connections for all involved.
Regards
Henrik
* Re: NAT question
2004-06-30 11:36 Kiran Kumar Immidi
2004-06-30 11:55 ` Henrik Nordstrom
@ 2004-06-30 12:26 ` Vijaya Chandra Vupputuri
From: Vijaya Chandra Vupputuri @ 2004-06-30 12:26 UTC (permalink / raw)
To: immidi; +Cc: netfilter-devel
If A and B send packets to a server, say google.com:80 using the local
port 10000, when the pkts get SNATed on C, the source ports would be
different from 10000 (21000 and 32000 for example) and when google.com
sends back the packets to those new port numbers, conntrack would change
the dst-port numbers to 10000 along with the dst-ip address.
Regards,
Vijaya Chandra Vupputuri,
Tachyon Technologies.
On Wed, 2004-06-30 at 17:06, Kiran Kumar Immidi wrote:
> Hi,
> When packets are being masqueraded from multiple machines through a NAT box,
> how would the response be identified as part of a particular connection. So, if
> we have (identical, as regards port numbers and dest ip address) packets from A
> and B snatted at C, how is the reply (to C) identified as belonging to either A
> or B? There does not seem to be any information in the packet to distinguish it.
> Regards,
> Kiran Kumar Immidi
>
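Henrik's and Vijaya's answers (the reply is keyed on the translated ip:port tuple, and conntrack rewrites a clashing source port) and Vijaya's earlier /proc/net/ip_conntrack dump (the same for ICMP, keyed on the echo identifier) as one added example that is not code from the thread or from netfilter: a toy conntrack/SNAT table for a single public address. The class, its method names, the Tuple layout (the ICMP id is stored in both port slots so that swapping a tuple leaves it in place) and the addresses in the tests are constructed; the two conntrack lines are the ones Vijaya posted, on one line each as the kernel prints them.

```python
"""Added example, not code from the thread: a toy conntrack/SNAT table that
shows how replies are told apart when two inside hosts use the same source
port (TCP/UDP) or the same ICMP echo identifier.  Behaviour follows the
thread (keep the original port/id when its reply tuple is still unique,
otherwise allocate a fresh one); the implementation is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int   # ICMP echo: the identifier
    dport: int   # ICMP echo: the identifier again, so a swap keeps it in place


def reply_of(t):
    """The tuple the other side's reply carries: addresses and ports swapped."""
    return Tuple(t.proto, t.dst, t.src, t.dport, t.sport)


class SnatBox:
    """Conntrack-style table for one public address (host C in the thread)."""

    def __init__(self, public_ip, first_free=1024):
        self.public_ip = public_ip
        self.next_free = first_free   # constructed allocation policy
        self.forward = {}             # original tuple -> translated tuple
        self.reply_index = {}         # expected reply tuple -> original tuple

    def _candidate(self, orig, ident):
        if orig.proto == "icmp":
            return Tuple("icmp", self.public_ip, orig.dst, ident, ident)
        return Tuple(orig.proto, self.public_ip, orig.dst, ident, orig.dport)

    def translate(self, orig):
        """Outbound packet from an inside host: keep its source port/id when
        the resulting reply tuple is unique, else pick a free one (the clash
        case Vijaya wondered about)."""
        if orig in self.forward:
            return self.forward[orig]
        cand = self._candidate(orig, orig.sport)
        while reply_of(cand) in self.reply_index:
            cand = self._candidate(orig, self.next_free)
            self.next_free += 1
        self.forward[orig] = cand
        self.reply_index[reply_of(cand)] = orig
        return cand

    def untranslate(self, reply):
        """Inbound reply from the server: look up its (unique) tuple and
        rewrite it back towards the inside host; None if no flow matches."""
        orig = self.reply_index.get(reply)
        return reply_of(orig) if orig is not None else None


ICMP_RE = re.compile(r"src=(\S+) dst=(\S+) type=\d+ code=\d+ id=(\d+)")


def parse_ip_conntrack_icmp(line):
    """Parse one icmp line of /proc/net/ip_conntrack (format as in the thread)
    into (original tuple, reply tuple)."""
    (osrc, odst, oid), (rsrc, rdst, rid) = ICMP_RE.findall(line)[:2]
    return (Tuple("icmp", osrc, odst, int(oid), int(oid)),
            Tuple("icmp", rsrc, rdst, int(rid), int(rid)))


# The two entries Vijaya quoted, each on one line as the kernel prints them
CONNTRACK_SAMPLE = [
    "icmp     1 29 src=192.168.1.80 dst=172.16.0.102 type=8 code=0 id=62829 "
    "src=172.16.0.102 dst=172.16.0.100 type=0 code=0 id=62829 use=1",
    "icmp     1 29 src=192.168.1.180 dst=172.16.0.102 type=8 code=0 id=38527 "
    "src=172.16.0.102 dst=172.16.0.100 type=0 code=0 id=38527 use=1",
]


def reply_tuples_are_distinct(lines):
    """The invariant conntrack maintains: no two entries share a reply tuple."""
    replies = [parse_ip_conntrack_icmp(l)[1] for l in lines]
    return len(set(replies)) == len(replies)
```

Reading the two sample entries through `parse_ip_conntrack_icmp` shows the point of the dump: both replies arrive at 172.16.0.100 from the same host, and only the id (62829 versus 38527) separates them, which is exactly the field the box rewrites when two inside hosts happen to pick the same one.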
* NAT question
@ 2003-07-19 15:09 Ray Blair
From: Ray Blair @ 2003-07-19 15:09 UTC (permalink / raw)
To: netfilter, Ray Blair
I am trying to set up my NAT box to permit CORBA traffic. I am running
the demo programs provided by jacorb 1.4.1
If I have the server on the unprotected network and the client inside,
the programs works fine. When I swap roles, I can't get the outside
client to connect to the server on the protected network.
The inside address 192.168.10.X is translated to an unused address on
the external network. We are using the jacorb property "proxy host" to
inform the external client to use the translated IP (1.1.1.1) to contact
the server. When the internal server tries to contact itself it uses
the translated address (1.1.1.1) not the internal address and is not
successful.
I can't seem to configure the NAT box to redirect the traffic from the
inside IP that is destined for the translated address back to itself.
Is there a kernel option that is preventing this from happening? i
think my rules are configured correctly.
thanks
ray
* RE: NAT question
@ 2003-04-10 10:30 Philippe Dhont (Sea-ro)
From: Philippe Dhont (Sea-ro) @ 2003-04-10 10:30 UTC (permalink / raw)
To: netfilter
Hi,
1) Yesterday everything worked with the SNAT rule and today i moved the
firewall to its new location, changed the ip-address and added some routes.
I test with a NT4 on the side of eth0 that pings to a location on the eth1
side.
now, sometimes i can see that it works, via tcpdump i see that the SNAT rule
works and when i then flush my tables and restart the firewall script, it's
not working anymore ?????
and then i can see via tcpdump that the firewall is just trying the
ip_forwarding ?????
So this means that the packet is not even coming to the SNAT rule ??? and
then sometimes it is, how is this possible ??
2) my ip_forwarding is enabled in the kernel but this should not be a
problem. yesterday everything worked on my test location.
3) do i need ip_forwarding for NATing ?
thnx for the help!
regards,
--tronstr@xsomic--
Le mer 09/04/2003 à 11:51, Philippe Dhont (Sea-ro) a écrit :
> I added
> $IPTABLES -t nat -A POSTROUTING -j SNAT --to-source 10.165.165.165
> Now when i ping from 10.51.13.13 on eth0 side to 10.165.1.60 then i can see
> via tcpdump that on eth1 the 10.165.1.60 is seeking the 10.165.165.165
> "arp who-has 10.165.165.165 tell 10.165.1.60" is what i get.
> So i guess that this means that iptables changed the address ?
As far as I understand your configuration, eth0's side is NATed when
talking to eth1's side.
If so, yes, Netfilter has already changed the address. That's obvious.
Your echo request has crossed the box, and has been source NATed to
10.165.165.165. Then 10.165.1.60 receives it and tries to reply. It
replies to 10.165.165.165. Nothing special in there, everything's
normal.
But on eth1's side, nobody answers ARP requests for 10.165.165.165. So
you did not configure your firewall to answer them. That's the issue.
> So the firewall doesn't knows that it converted the ip number before and
> can't send a reply to the correct ip address where it originally came from
He knows about this. But it is not its job to answer ARP requests. It's
your job to configure it as such.
> How can i make this work so that if i ping to 10.165.1.60 that i can get a
> reply ?
ip addr add 10.165.165.165 dev eth1
So your firewall answers ARP requests for 10.165.165.165.
> AND that the NAT thing did its work ?
It did it well.
* NAT question
@ 2003-04-09 9:51 Philippe Dhont (Sea-ro)
2003-04-09 10:27 ` Cedric Blancher
From: Philippe Dhont (Sea-ro) @ 2003-04-09 9:51 UTC (permalink / raw)
To: netfilter
I added
$IPTABLES -t nat -A POSTROUTING -j SNAT --to-source 10.165.165.165
Now when i ping from 10.51.13.13 on eth0 side to 10.165.1.60 then i can see
via tcpdump that on eth1 the 10.165.1.60 is seeking the 10.165.165.165
"arp who-has 10.165.165.165 tell 10.165.1.60" is what i get.
So i guess that this means that iptables changed the address ?
So the firewall doesn't know that it converted the ip number before and
can't send a reply to the correct ip address where it originally came from
How can i make this work so that if i ping to 10.165.1.60 that i can get a
reply ?
AND that the NAT thing did its work ?
And no, i can't use ipforwarding because of a security issue.
Regards,
--tronstr@xsomic--
* Re: NAT question
2003-04-09 9:51 Philippe Dhont (Sea-ro)
@ 2003-04-09 10:27 ` Cedric Blancher
From: Cedric Blancher @ 2003-04-09 10:27 UTC (permalink / raw)
To: Philippe Dhont (Sea-ro); +Cc: netfilter
Le mer 09/04/2003 à 11:51, Philippe Dhont (Sea-ro) a écrit :
> I added
> $IPTABLES -t nat -A POSTROUTING -j SNAT --to-source 10.165.165.165
> Now when i ping from 10.51.13.13 on eth0 side to 10.165.1.60 then i can see
> via tcpdump that on eth1 the 10.165.1.60 is seeking the 10.165.165.165
> "arp who-has 10.165.165.165 tell 10.165.1.60" is what i get.
> So i guess that this means that iptables changed the address ?
As far as I understand your configuration, eth0's side is NATed when
talking to eth1's side.
If so, yes, Netfilter has already changed the address. That's obvious.
Your echo request has crossed the box, and has been source NATed to
10.165.165.165. Then 10.165.1.60 receives it and tries to reply. It
replies to 10.165.165.165. Nothing special in there, everything's
normal.
But on eth1's side, nobody answers ARP requests for 10.165.165.165. So
you did not configure your firewall to answer them. That's the issue.
> So the firewall doesn't knows that it converted the ip number before and
> can't send a reply to the correct ip address where it originally came from
He knows about this. But it is not its job to answer ARP requests. It's
your job to configure it as such.
> How can i make this work so that if i ping to 10.165.1.60 that i can get a
> reply ?
ip addr add 10.165.165.165 dev eth1
So your firewall answers ARP requests for 10.165.165.165.
> AND that the NAT thing did its work ?
It did it well.
--
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
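The misconfiguration Cédric diagnoses (an SNAT address the firewall never answers ARP for, so replies die on the wire) is easy to check for before traffic is lost. The script below is an added example, not part of the thread: it parses iptables-save style nat rules and `ip -o -4 addr show` style output and lists SNAT addresses that are not configured on their egress interface. The two text samples are constructed to mirror Philippe's setup (10.165.165.165 as the SNAT address, eth1 as the inside-facing interface); the function names are mine.

```python
"""Added example (not code from the thread): flag SNAT --to-source addresses
that no local interface holds, i.e. addresses the box will not answer ARP for.
Input formats are those of `iptables-save -t nat` and `ip -o -4 addr show`;
the sample texts below are constructed."""
import re

NAT_RULES = """\
-A POSTROUTING -o eth1 -j SNAT --to-source 10.165.165.165
-A POSTROUTING -o eth0 -s 10.165.0.0/16 -j SNAT --to-source 10.51.13.1
"""

IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.51.13.1/24 brd 10.51.13.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 10.165.1.1/24 brd 10.165.1.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)/\d+")


def parse_snat_rules(text):
    """Return (egress interface or None, SNAT address) for every SNAT rule.
    A range or address:port in --to-source is reduced to its first address."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        j = tok.index("-j") if "-j" in tok else -1
        if j < 0 or j + 1 >= len(tok) or tok[j + 1] != "SNAT":
            continue
        if "--to-source" not in tok or tok.index("--to-source") + 1 >= len(tok):
            continue
        out_iface = tok[tok.index("-o") + 1] if "-o" in tok else None
        addr = tok[tok.index("--to-source") + 1].split("-")[0].split(":")[0]
        rules.append((out_iface, addr))
    return rules


def parse_local_addrs(text):
    """Map interface name -> set of IPv4 addresses configured on it."""
    local = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            local.setdefault(m.group(1), set()).add(m.group(2))
    return local


def unanswerable_snat_addresses(nat_text, addr_text):
    """(iface, address) pairs whose SNAT address is absent from the egress
    interface (or from every interface when the rule has no -o)."""
    local = parse_local_addrs(addr_text)
    missing = []
    for iface, addr in parse_snat_rules(nat_text):
        held = local.get(iface, set()) if iface else set().union(*local.values())
        if addr not in held:
            missing.append((iface, addr))
    return missing
```

A hit is a candidate, not a certainty: as Jason notes earlier in the thread, the address may instead be routed to the firewall by the upstream router, and proxy ARP can also cover it. What the check catches is the common case here, an SNAT address that nothing on the segment will answer for until `ip addr add` (or the equivalent in the startup scripts) has been run.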