From: Frans Luteijn <f.a.g.luteijn@knoware.nl>
To: netfilter@lists.netfilter.org
Subject: nat problem
Date: Tue, 13 Jul 2004 22:40:19 +0200 [thread overview]
Message-ID: <40F448B2.AF1E21@knoware.nl> (raw)
Dear sirs, madams,
I have a little problem, which might be a bug. I have an 3COM
ISDN-router. It broadcasts every 10 seconds its connectionstatus to the
internal net. Now I want to forward those broadcasts to another network.
This is the situation:
+------+ +--------+ +--------+
|ISDN- | | | |Internal|
|router|----|firewall|----|network |
+------+ | | +--------+
+--------+
|
|
|
+------+
|ADSL- |
|router|
+------+
The ISDN-router has 192.168.1.1/24, the ADSL-router has 172.19.3.1/16,
the firewall has at eth0 192.168.1.4, at eth1 172.19.3.2 and at eth2
192.168.2.1. The internal network is 192.168.2.0/24.
The firewall is a Debian-Linux with a 2.4.26 kernel with Nat enabled.
After reading of all the nesesary HOWTO's, I decided that that
forwarding should be done with prerouting. To know what I have to
forward, I have to know what the packets are. I turned logging on for
that interface, and if I can log the packets, I can also manipulate
them.
So I typed:
iptables -t nat -A PREROUTING -i eth0 -j LOG
and waited for the packets to come by. But nothing happened. Althought I
could see some other packets coming in. From my log:
Jul 2 16:38:16 firewall kernel: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:50:04:0e:d9:00:08:00 SRC=192.168.1.3
DST=192.168.1.255 LEN=240 TOS=0x00 PREC=0x00 TTL=32 ID=19499 PROTO=UDP
SPT=138 DPT=138 LEN=220
Jul 2 16:43:40 firewall kernel: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:50:04:0e:d9:00:08:00 SRC=192.168.1.3
DST=192.168.1.255 LEN=240 TOS=0x00 PREC=0x00 TTL=32 ID=19755 PROTO=UDP
SPT=138 DPT=138 LEN=220
Those are from a machine that will be moved to my internal network
Then I typed:
iptables -A INPUT -i eth0 -j LOG
and there were the packets:
Jul 2 16:47:43 firewall kernel: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:08:00:4e:a6:f5:74:08:00 SRC=192.168.1.1
DST=192.168.1.255 LEN=116 TOS=0x00 PREC=0x00 TTL=64 ID=48404 PROTO=UDP
SPT=1025 DPT=2071 LEN=96
Jul 2 16:47:53 firewall kernel: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:08:00:4e:a6:f5:74:08:00 SRC=192.168.1.1
DST=192.168.1.255 LEN=116 TOS=0x00 PREC=0x00 TTL=64 ID=48405 PROTO=UDP
SPT=1025 DPT=2071 LEN=96
Jul 2 16:48:03 firewall kernel: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:08:00:4e:a6:f5:74:08:00 SRC=192.168.1.1
DST=192.168.1.255 LEN=116 TOS=0x00 PREC=0x00 TTL=64 ID=48406 PROTO=UDP
SPT=1025 DPT=2071 LEN=96
In /proc/net/ip_conntrack I can see:
udp 17 27 src=192.168.1.3 dst=192.168.1.255 sport=138 dport=138
[UNREPLIED] src=192.168.1.255 dst=192.168.1.3 sport=138 dport=138 use=1
udp 17 20 src=192.168.1.1 dst=192.168.1.255 sport=1025 dport=2071
[UNREPLIED] src=192.168.1.255 dst=192.168.1.1 sport=2071 dport=1025
use=1
.......
Now are my questions:
am I doing something wrong, e.g. shouldn't it be prerouting;
can't it be done, because of the sourceport and the destport are
different;
is it a bug in the nat-software or is it intended to work that way?
If you need some extra information, I am happily to provide it.
Yours Sincerely,
--
Frans Luteijn
PGP PblKey fprnt=C4 87 CE AF BC B6 98 C1 EF 42 A1 9A E2 C0 42 5B
next reply other threads:[~2004-07-13 20:40 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-07-13 20:40 Frans Luteijn [this message]
2004-07-13 21:06 ` nat problem Antony Stone
2004-07-13 22:21 ` Frans Luteijn
2004-07-13 22:53 ` Antony Stone
2004-07-13 23:11 ` Nick Taylor
2004-07-14 1:02 ` Frans Luteijn
2004-07-14 8:53 ` Antony Stone
2004-07-14 23:30 ` Frans Luteijn
2004-07-15 8:21 ` Antony Stone
2004-07-19 1:26 ` Frans Luteijn
-- strict thread matches above, loose matches on Subject: below --
2004-07-05 16:33 Frans Luteijn
2004-07-07 13:07 ` Antony Stone
2003-10-06 12:30 NAT problem Jose Pascual
2003-10-06 13:19 ` Venkatesh. K
2003-10-06 13:33 ` Cedric Blancher
2003-10-06 20:38 ` Joel Newkirk
2002-11-22 22:52 nat problem Yogini Parkhi
2002-11-15 20:45 Rahul Jadhav
2002-10-21 13:04 NAT problem saravanan sakthi
2002-10-21 15:15 ` Antony Stone
2002-10-20 23:20 NAT Problem Morgan
2002-06-24 11:11 Nat PROBLEM lcef
2002-06-24 13:34 ` Antony Stone
2002-06-15 22:14 Completely NAT an ISP: A practical possibility? Brian Capouch
2002-06-15 22:33 ` Antony Stone
2002-06-15 23:17 ` Nick Drage
2002-06-17 4:25 ` Sathi
2002-06-17 10:58 ` nat problem umar
2002-06-17 18:11 ` Antony Stone
2002-05-09 4:41 NAT problem Tyler Kemp
2002-06-13 16:03 ` Antony Stone
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40F448B2.AF1E21@knoware.nl \
--to=f.a.g.luteijn@knoware.nl \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.