* help with fast nat
From: Stephen Beck @ 2005-04-13 19:45 UTC
To: netfilter
If this is the wrong place to ask this, please just point me to a better
choice. I'm trying to set up a router to do source NAT with a fixed
translation table, as I believe is common with firewalls.
In the testing stage my:
inside net is 10.0.30.0/24
outside net is 10.0.31.0/24
The router itself is running RH Advanced Server 4, mostly 'out of the
box', and on boot logs:
Linux version 2.6.9-5.ELsmp (bhcompile@decompose.build.redhat.com) (gcc
version 3.4.3 20041212 (Red Hat 3.4.3-9.EL4)) #1 SMP Wed Jan 5 19:30:39
EST 2005
The router's IP is 199.218.109.251 and its outside router is a Cisco 6513.
For testing, the Cisco is forwarding 10.0.30.0/24 and 10.0.31.0/24 to the
.251 IP.
Router interfaces (of interest):
eth2 Link encap:Ethernet HWaddr 00:0F:1F:66:2D:8B
inet addr:199.218.109.251 Bcast:199.218.109.255
Mask:255.255.255.0
inet6 addr: fe80::20f:1fff:fe66:2d8b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth3.930 Link encap:Ethernet HWaddr 00:0F:1F:66:2D:8C
inet addr:10.0.30.1 Bcast:10.255.255.255 Mask:255.255.255.0
inet6 addr: fe80::20f:1fff:fe66:2d8c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
For testing I have flushed iptables: iptables -F
and have: echo "1" > /proc/sys/net/ipv4/ip_forward
[root@dorm-test ~]# ip route show
10.0.30.0/24 dev eth3.930 proto kernel scope link src 10.0.30.1
199.218.109.0/24 dev eth2 proto kernel scope link src 199.218.109.251
default via 199.218.109.1 dev eth2
[root@dorm-test ~]#
[root@dorm-test ~]# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
[root@dorm-test ~]#
At this point a PC on the inside running 10.0.30.5 (static)
can ping my desktop (on another segment, also off the Cisco).
tcpdumps along the way show ICMP requests and replies as expected.
Then I:
[root@dorm-test ~]# ip route add 10.0.31.5/32 via 10.0.30.5
[root@dorm-test ~]# ip rule add from 10.0.30.5 nat 10.0.31.5
[root@dorm-test ~]# ip route flush cache
[root@dorm-test ~]#
The pings stop.
On the router input I can see the requests still coming in:
[root@dorm-test ~]# tcpdump -nn -i eth3.930
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3.930, link-type EN10MB (Ethernet), capture size 96 bytes
15:34:06.474482 IP 10.0.30.5 > *.*.146.31: icmp 64: echo request seq 2251
But all is quiet on eth2 and my desktop sees nothing.
After the tests:
[root@dorm-test ~]# ip route show
10.0.31.5 via 10.0.30.5 dev eth3.930
10.0.30.0/24 dev eth3.930 proto kernel scope link src 10.0.30.1
199.218.109.0/24 dev eth2 proto kernel scope link src 199.218.109.251
default via 199.218.109.1 dev eth2
[root@dorm-test ~]# ip rule show
0: from all lookup local
32765: from 10.0.30.5 lookup main map-to 10.0.31.5
32766: from all lookup main
32767: from all lookup default
[
Can anyone get me on to the next step?
Thank you, Stephen Beck, Marietta College.
* Re: help with fast nat
From: Taylor Grant @ 2005-04-14 0:25 UTC
To: Stephen Beck; +Cc: netfilter
What system is doing the pinging (IP / subnet) and what is it pinging (IP / subnet)?
> [root@dorm-test ~]# ip route add 10.0.31.5/32 via 10.0.30.5
If you were pinging 10.0.31.5 passing through this router where 10.0.31.x/24 was on a different subnet and you told this router that 10.0.31.5 was accessible via 10.0.30.5 (the system doing the ping) you just told the router to loop the traffic back on the system doing the pinging.
> [root@dorm-test ~]# ip rule add from 10.0.30.5 nat 10.0.31.5
I'm not sure what you are hoping to accomplish by doing this. This will make any traffic coming from 10.0.30.5 (the system doing the pinging?) appear as if it is coming from 10.0.31.5, which would cause the router to send the traffic back to the 10.0.31.x/24 network.
I have a feeling what you might have done (if I understand what you have written here correctly) is effectively a double loopback, in that the 10.0.30.5 system's traffic loops back on itself at the router, as does the 10.0.31.5 system's traffic at the router too.
There really is not enough information to try to help you, but based on what I have seen this is what I deduce. I hope that will help you in some way.
Grant. . . .
* Re: help with fast nat
From: Filip Sneppe @ 2005-04-14 7:42 UTC
To: Stephen Beck; +Cc: netfilter
Hi Stephen,
On 4/13/05, Stephen Beck <becks@marietta.edu> wrote:
>
> can anyone get me on to the next step:
>
Unfortunately, "fast nat" is broken on 2.6 kernels, due to the ipsec code
that went in. It should actually be removed. Apparently, even RH 2.4 kernels
with the ipsec code are broken:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126611
See also:
http://mailman.ds9a.nl/pipermail/lartc/2004q4/014307.html
And the thread at:
http://marc.theaimsgroup.com/?l=linux-netdev&m=109582576330019&w=2
So I guess you're better off trying something like the NETMAP target
in iptables.
Regards,
Filip
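Filip's suggestion spelled out as a script, as an added example that is not part of the thread and not code from either poster or from the netfilter project: it tears down the fast-nat rule (priority 32765 in Stephen's `ip rule show`) and the /32 host route that Grant identified as the loop, then installs a stateful 1:1 NETMAP between 10.0.30.0/24 and 10.0.31.0/24 in the iptables nat table. The interface names and prefixes are taken from the original post; the `IPT`/`IP` variables and the `apply` argument are my additions so the script can be dry-run with `IPT=echo IP=echo` before touching a live router. NETMAP keeps the host bits, so 10.0.30.5 maps to 10.0.31.5 exactly as the fast-nat rule intended, and because it runs through conntrack, replies addressed to 10.0.31.x are reversed automatically.

```shell
#!/bin/sh
# Added example: replace 2.6 "fast nat" (ip rule ... nat) with a stateful
# 1:1 NETMAP in iptables. IPT, IP and the "apply" argument are assumptions
# of this example (dry-run support), not something from the thread.
set -eu

IPT=${IPT:-iptables}
IP=${IP:-ip}
INSIDE_NET=10.0.30.0/24      # real hosts (eth3.930)
OUTSIDE_NET=10.0.31.0/24     # addresses the outside world sees, routed to .251 by the Cisco
OUT_IF=eth2
IN_IF=eth3.930

# Remove the fast-nat rule (shown at priority 32765 in the post) and the
# /32 route that pointed 10.0.31.5 back at 10.0.30.5 (the loop Grant describes).
undo_fast_nat() {
    "$IP" rule del prio 32765 2>/dev/null || true
    "$IP" route del 10.0.31.5/32 2>/dev/null || true
    "$IP" route flush cache
}

# Stateful 1:1 mapping. POSTROUTING rewrites the source of outbound packets
# (10.0.30.x -> 10.0.31.x); PREROUTING rewrites the destination of inbound
# packets (10.0.31.x -> 10.0.30.x). Host bits are preserved by NETMAP.
netmap_rules() {
    "$IPT" -t nat -A POSTROUTING -s "$INSIDE_NET" -o "$OUT_IF" -j NETMAP --to "$OUTSIDE_NET"
    "$IPT" -t nat -A PREROUTING -d "$OUTSIDE_NET" -i "$OUT_IF" -j NETMAP --to "$INSIDE_NET"
}

# Forward only traffic the mapping covers: new flows from the inside net
# going out, plus replies to flows conntrack already knows about.
forward_policy() {
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$INSIDE_NET" -j ACCEPT
}

# Apply only when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    undo_fast_nat
    netmap_rules
    forward_policy
fi
```

Run `IPT=echo IP=echo sh netmap.sh apply` first to see the exact commands, then `sh netmap.sh apply` as root on the router. The FORWARD policy is deliberately DROP: with NETMAP in place the box is a NAT gateway for the whole /24, so anything not matched by the mapping should not be routed through it. Inbound connections to 10.0.31.x (not just replies) will also reach the inside hosts through the PREROUTING rule; if only outbound access is wanted, drop that rule and rely on conntrack alone.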