Re: 1:1 NAT Help

[Dan Ferris <dan@usrsbin.com>]

That could be, however at the moment, we are using the standard 
Redhat/CentOS iptables startup script.  So I think those modules are there.

I can't work on those boxes again until next week, so I'll do more 
fiddling then. :)

Dan

Sietse van Zanen wrote:
> Seems like a connection trackking problem than.
>  
> Are you sure you have all the modules loaded: ip_conntrack.o etc.?
>  
> try executing these commands (in your firewall script):
> modprobe ip_conntrack 
> modprobe ip_conntrack_ftp 
> modprobe ip_conntrack_nat
> modprobe ip_nat 
> modprobe ip_nat_ftp 
> modprobe iptable_nat 
>
> -Sietse
>
> ________________________________
>
> From: netfilter-bounces@lists.netfilter.org on behalf of Dan Ferris
> Sent: Tue 08-Aug-06 14:37
> To: netfilter@lists.netfilter.org
> Subject: Re: 1:1 NAT Help
>
>
>
> Forwarding is on in /etc/sysctl.conf
>
> As far as I know the routing is correct.  10.2.253.21 lives off of eth1,
> and eth1 has a route for 10.2.0.0/255.255.0.0 (yes it sucks, I didn't
> set up the subnets).
>
> tcpdump shows traffic coming into both of the interfaces, which is why
> this problem is so frustrating.  Oh yes, SNAT works fine.  We can set up
> a ping from the box behind the firewall to ping the Internet gateway,
> and the ping will go through fine.  We can see the replies to
> 204.184.20.221. :(
>
> Dan
>
> Sietse van Zanen wrote:
>   
>> Then, is forwarding alllowed?
>> cat 1 > /proc/sys/net/ipv4/ip_forward
>>
>> And there is a correct route to 10.2.253.21?
>>
>>
>> If both answer to yes, what do you see when you tcpdump on your internal interface on host 10.2.253.21 and try to connect to 204.184.20.221 from the Internet?
>>
>> And what do you see when you tcpdump on your external interface for 204.184.20.221, is traffic reaching your firewall?
>>
>> -Sietse
>>
>> ________________________________
>>
>> From: netfilter-bounces@lists.netfilter.org on behalf of Dan Ferris
>> Sent: Tue 08-Aug-06 14:14
>> To: netfilter@lists.netfilter.org
>> Subject: Re: 1:1 NAT Help
>>
>>
>>
>> Yes, because I cleared all the rules and set everything to accept before
>> testing.
>>
>> Dan
>>
>> Sietse van Zanen wrote:
>>  
>>     
>>> Are you sure, you also allow the connection in the FORWARD chain of the filter table?
>>>
>>> iptables -i eth2 -d 10.2.253.21 -j ACCEPT
>>>
>>> -Sietse
>>>
>>> ________________________________
>>>
>>> From: netfilter-bounces@lists.netfilter.org on behalf of Dan Ferris
>>> Sent: Mon 07-Aug-06 20:56
>>> To: netfilter@lists.netfilter.org
>>> Subject: 1:1 NAT Help
>>>
>>>
>>>
>>> Dear List,
>>>
>>> I have search Google, and the list archives back to 2003 and have found
>>> little information about this particular problem.
>>>
>>> First I present to you two very simplified rules.
>>>
>>> iptables -A PREROUTING -i eth2 -d 204.184.20.221 -j DNAT --to 10.2.253.21
>>>
>>> and
>>>
>>> iptables -A POSTROUTING -o eth2 -s 10.2.253.21 -j SNAT --to 204.184.20.221
>>>
>>> Having never really delt with 1:1 NAT before, I thought this would "just
>>> work".  However, it does not work.  The SNAT rule works fine.  The DNAT
>>> rule does not work at all.  I don't even see packets hitting it.
>>>
>>> A few other pieces of information:
>>>
>>> 1.  Proxy arp does not seem to be a problem.  When I SSH to the external
>>> IP, I can see the ethernet frames coming into the ethernet interface.
>>>
>>> 2.  I have tried doing: ip addr add 204.184.20.221 dev eth2 and it still
>>> won't work.
>>>
>>> We have an old POS box running Debian with Shorewall and kernel 2.4 that
>>> works perfectly with the 1:1 NAT rules.  However, the friend I am
>>> helping does not want to use Shorewall, as she wishes to learn iptables
>>> the old fashioned way.  The only difference between the old Debian
>>> firewall and the new one is the the new one is running CentOS and the
>>> 2.6 kernel.
>>> The old firewall that works has proxy arp turned off and rp_filter
>>> turned on.  The new firewall has proxy arp turned off and rp_filter
>>> turned on.
>>>
>>> I'm really lost and I used to think I was decent at iptables.  So if
>>> anybody can help it would be appreciated.
>>>
>>> Thank you!
>>>
>>> Dan
>>>
>>>
>>>
>>>
>>>
>>>
>>>    
>>>       
>> --
>> What do you call a guy with no legs who is waterskiing?
>>
>>
>> Skip.
>>
>>
>>
>>
>>
>>
>>  
>>     
>
> --
> What do you call a guy with no legs who is waterskiing?
>
>
> Skip.
>
>
>
>
>
>
>   

-- 
What do you call a man with no legs who is waterskiing?




Skip.