From: Dan Ferris <dan@usrsbin.com>
To: netfilter@lists.netfilter.org
Subject: 1:1 NAT Help
Date: Mon, 07 Aug 2006 12:56:07 -0600
Message-ID: <44D78CC7.5020607@usrsbin.com>

Dear List,

I have searched Google and the list archives back to 2003 and have found 
little information about this particular problem.

First I present to you two very simplified rules.

iptables -t nat -A PREROUTING -i eth2 -d 204.184.20.221 -j DNAT --to 10.2.253.21

and

iptables -t nat -A POSTROUTING -o eth2 -s 10.2.253.21 -j SNAT --to 204.184.20.221

Having never really dealt with 1:1 NAT before, I thought this would "just 
work".  However, it does not work.  The SNAT rule works fine.  The DNAT 
rule does not work at all.  I don't even see packets hitting it.

A few other pieces of information:

1.  Proxy arp does not seem to be a problem.  When I SSH to the external 
IP, I can see the ethernet frames coming into the ethernet interface.

2.  I have tried doing: ip addr add 204.184.20.221 dev eth2 and it still 
won't work.

We have an old POS box running Debian with Shorewall and kernel 2.4 that 
works perfectly with the 1:1 NAT rules.  However, the friend I am 
helping does not want to use Shorewall, as she wishes to learn iptables 
the old fashioned way.  The only difference between the old Debian 
firewall and the new one is that the new one is running CentOS and the 
2.6 kernel.

The old firewall that works has proxy arp turned off and rp_filter 
turned on.  The new firewall has proxy arp turned off and rp_filter 
turned on.

I'm really lost and I used to think I was decent at iptables.  So if 
anybody can help it would be appreciated.

Thank you!

Dan
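The following script is an added example and is not part of the original post or the thread replies. It shows the two rules from the post written out in the form iptables actually accepts (DNAT and SNAT are only valid in the nat table, selected with `-t nat`), followed by read-only checks a firewall admin would run before trusting rule counters. It assumes eth2 is the external interface, reuses the addresses from the post, and lets `IPT` be overridden (for example `IPT=echo`) for a dry run on a machine where you are not root; `one_to_one_nat`, `proc_flag`, `nat_prereqs` and `show_nat_counters` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): one-to-one NAT in the nat table,
# plus read-only checks for the settings that usually decide whether it works.
# Assumptions: eth2 is the external interface, addresses are the ones from the
# post, and IPT may be overridden (IPT=echo) for a dry run without root.
IPT="${IPT:-iptables}"

# Install (or, with IPT=echo, just print) the pair of rules that maps one public
# address to one internal host. DNAT and SNAT only exist in the nat table, which
# is what "-t nat" selects; without it iptables rejects the rule outright.
one_to_one_nat() {
    ext_if=$1; public_ip=$2; private_ip=$3
    # Inbound: rewrite the public destination to the internal host before routing.
    $IPT -t nat -A PREROUTING -i "$ext_if" -d "$public_ip" \
        -j DNAT --to-destination "$private_ip"
    # Outbound: rewrite the internal source to the public address after routing.
    $IPT -t nat -A POSTROUTING -o "$ext_if" -s "$private_ip" \
        -j SNAT --to-source "$public_ip"
}

# Read a sysctl-style flag from /proc; prints "unknown" when the file is absent
# (for example when run on a box that does not have that interface).
proc_flag() {
    if [ -r "$1" ]; then cat "$1"; else echo unknown; fi
}

# Summarise the kernel settings that decide whether forwarded, NATed traffic
# survives: forwarding must be enabled, and rp_filter / proxy_arp on the
# external interface are worth knowing before reading any rule counters.
nat_prereqs() {
    ext_if=$1
    echo "ip_forward=$(proc_flag /proc/sys/net/ipv4/ip_forward)"
    echo "rp_filter($ext_if)=$(proc_flag "/proc/sys/net/ipv4/conf/$ext_if/rp_filter")"
    echo "proxy_arp($ext_if)=$(proc_flag "/proc/sys/net/ipv4/conf/$ext_if/proxy_arp")"
}

# Show the nat PREROUTING counters. The nat table is consulted only for the
# first packet of a connection, so a DNAT rule's counter grows once per new
# connection rather than per packet; while a conntrack entry for the flow
# exists, the rule is not consulted again, which makes "no packets hit it"
# easy to misread.
show_nat_counters() {
    $IPT -t nat -L PREROUTING -v -n --line-numbers
}

# Run directly with three arguments: external interface, public IP, private IP.
if [ $# -ge 3 ]; then
    one_to_one_nat "$1" "$2" "$3"
fi
```

On the firewall, `sh nat.sh eth2 204.184.20.221 10.2.253.21` installs the two rules as root, and `IPT=echo sh nat.sh eth2 204.184.20.221 10.2.253.21` prints exactly what would be run. `nat_prereqs eth2` and `show_nat_counters` are read-only and safe to call while debugging; because the nat table only sees the first packet of each connection, test a DNAT rule with a fresh connection rather than one that was already established when the rule was added.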

