From: "Paul M. Goorskis" <pmg@rimako.lv>
To: netfilter@lists.netfilter.org
Subject: DNAT problem
Date: Thu, 10 Jun 2004 14:03:11 +0300
Message-ID: <40C83FEF.4050502@rimako.lv>
Hello list!
Problem: forwarding from branch office address 10.1.12.146 to 192.168.130.15 on the internal network.
I'm stuck.
It's not DNAT'ing...
The main office is using 192.168.0.0/16 for internal needs and 10.23.17.0/24 to communicate with the branch office.
The branch office is using 10.0.0.0/8.
Versions:
iptables v1.2.7a
kernel 2.4.20
+-------------+          +-----------+
|BRANCH VPN   +----------+10.1.12.146|
|10.23.254.249|eth1      +-----------+
+----+--------+
     |eth0
+--------+                                                   |
|Internet+---------------------------------------------------+
+--------+                                                   |
                                                             |eth0 (213.175.70.195)
+---------------+       eth2+------+        +----------------+-+
|192.168.130.15 +-----------+ROUTER+--------+VPN 213.175.70.198|
+---------------+           +------+eth1    |  10.23.254.250   |
                                            |  10.23.17.0/0    |
                                            +------------------+
BRANCH VPN:
route add -net 10.23.17.0/24 gw 10.23.254.250 dev tunl1
VPN:
route add -net 10.23.17.0/24 gw ROUTER
route add -net 10.0.0.0/8 gw 10.23.254.249 dev tunl1
ROUTER:
route add -net 10.0.0.0/8 gw VPN
iptables -t nat -A PREROUTING -i eth1 -s 10.1.12.146 -d 10.23.17.99 -j DNAT --to-destination 192.168.130.15
iptables -A FORWARD -s 10.1.12.146 -d 192.168.130.15 -i eth1 -o eth2 -j ACCEPT
iptables -A FORWARD -d 10.1.12.146 -s 192.168.130.15 -o eth1 -i eth2 -j ACCEPT
Ok, here it goes:
packet started traveling from 10.1.12.146 with DST=10.23.17.99
packet arrived at BRANCH VPN with TTL=27
packet arrived at VPN with TTL=26
packet arrived at ROUTER with TTL=25
and here come the troubles... instead of DNAT'ing the connection to 192.168.130.15 and routing
it via eth2, it's not DNAT'ing but sending the packet as if its final destination
is 10.23.17.99 via eth1 to the VPN box. Not a big surprise that the VPN box routes this packet
back to ROUTER. Finally the ping-pong ends at ROUTER with TTL=1, going nowhere. What am I doing wrong?
I've got a bunch of similar rules working OK. Just stuck with this one.
Help! :)
Thank you!
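Editor's note, added as an example and not part of the poster's mail: the nat table is consulted only for the first packet of a connection, so a conntrack entry that was created without translation (for instance before the DNAT rule was in place) keeps its untranslated reply tuple until it times out, and every later packet of that flow bypasses PREROUTING nat. The script below parses two constructed samples, the output of `iptables -t nat -L PREROUTING -v -n -x` and 2.4-style /proc/net/ip_conntrack lines, and reports DNAT rules whose packet counter never moved and flows whose reply tuple still names the untranslated address. The addresses are the ones from the mail; the listings themselves are constructed, and the parsing is this note's own code.

```python
import re

# Constructed sample of `iptables -t nat -L PREROUTING -v -n -x` output
# (not a capture from the poster's router); the second rule has never matched.
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 8812 packets, 612940 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     142     11928 DNAT       all  --  eth1   *       10.1.12.146          10.23.17.98          to:192.168.130.14
       0         0 DNAT       all  --  eth1   *       10.1.12.146          10.23.17.99          to:192.168.130.15
"""

# Constructed sample lines in the /proc/net/ip_conntrack layout of a 2.4 kernel:
# original tuple first, reply tuple second.  The first flow was translated
# (reply comes from 192.168.130.14); the second was not (reply from 10.23.17.99).
SAMPLE_CONNTRACK = """\
icmp     1 28 src=10.1.12.146 dst=10.23.17.98 type=8 code=0 id=512 src=192.168.130.14 dst=10.1.12.146 type=0 code=0 id=512 use=1
icmp     1 29 src=10.1.12.146 dst=10.23.17.99 type=8 code=0 id=513 src=10.23.17.99 dst=10.1.12.146 type=0 code=0 id=513 use=1
"""


def parse_nat_listing(text):
    """Parse the rule lines of an `iptables -L -v -n -x` listing into dicts."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        # "Chain ..." and the column-header line do not start with a counter
        if len(fields) < 9 or not fields[0].isdigit():
            continue
        rules.append({
            "pkts": int(fields[0]), "bytes": int(fields[1]), "target": fields[2],
            "prot": fields[3], "opt": fields[4], "in": fields[5], "out": fields[6],
            "source": fields[7], "destination": fields[8],
            "extra": " ".join(fields[9:]),   # e.g. "to:192.168.130.15"
        })
    return rules


def idle_dnat_rules(text):
    """DNAT rules whose packet counter is still zero: no packet ever matched them."""
    return [r for r in parse_nat_listing(text)
            if r["target"] == "DNAT" and r["pkts"] == 0]


TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+)")


def conntrack_translation(line):
    """Return the original/reply addresses of one ip_conntrack line and whether
    the reply source differs from the original destination (i.e. DNAT applied)."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    (orig_src, orig_dst), (reply_src, _reply_dst) = tuples
    return {"orig_src": orig_src, "orig_dst": orig_dst,
            "reply_src": reply_src, "dnat_applied": orig_dst != reply_src}


def untranslated_flows(text, src, dst):
    """Conntrack entries for src->dst whose reply tuple still names dst itself.
    Such an entry bypasses the nat table for every later packet of the flow."""
    hits = []
    for line in text.splitlines():
        info = conntrack_translation(line)
        if info and info["orig_src"] == src and info["orig_dst"] == dst \
                and not info["dnat_applied"]:
            hits.append(info)
    return hits


if __name__ == "__main__":
    for r in idle_dnat_rules(SAMPLE_NAT_LISTING):
        print("DNAT rule never matched:", r["in"], r["source"], "->",
              r["destination"], r["extra"])
    for f in untranslated_flows(SAMPLE_CONNTRACK, "10.1.12.146", "10.23.17.99"):
        print("untranslated conntrack entry:", f["orig_src"], "->", f["orig_dst"],
              "replies from", f["reply_src"])
```

Run against the real `iptables -t nat -L PREROUTING -v -n -x` and `cat /proc/net/ip_conntrack` output on ROUTER, the two reports separate the cases: a counter that stays at zero while packets arrive on eth1 means the packet does not match the rule's interface and address criteria at all, whereas a nonzero counter plus an entry whose reply tuple still reads `src=10.23.17.99` means an older untranslated flow is being followed; that entry disappears once it expires and the next new flow is evaluated by the nat table again.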