is it possible to nat to the routed IP?

is it possible to nat to the routed IP?

[Zhen Zhou]

Hi all,

one example network looks like:

        210.153.22.x, 210.153.22.y
                        eth1
                          |
                     gateway
                          |
                        eth0
                  192.168.5.201
                          \
                            \
                              \
                       192.168.5.202
                             eth0
                                  \
                                 router
                                      \
                                     eth4
                                 192.168.3.254
                                          |
                                     Internal
                                          |
                                 192.168.3.208


So is it possible to nat from 210.153.22.y to 192.168.2.208?
If possible, how to do it^[

Thanks a lot,


Zhou

Re: is it possible to nat to the routed IP?

[Rob Sterenborg]

On Tue, December 12, 2006 07:34, Zhen Zhou wrote:
> Hi all,
>
>
> one example network looks like:

[ASCII image skipped)

> So is it possible to nat from 210.153.22.y to 192.168.2.208?
> If possible, how to do it^[

The gateway must have a route for 192.168.2.x set to 192.168.5.202.
The default gateway for the router must be 192.168.5.201.
The default gateway for 192.168.2.208 must be 192.168.3.254.

Packet arrives at 210.153.22.y.
Packet is DNAT-ed to 192.168.2.208.
Gateway sends packet to 192.168.5.202.
Router at 192.168.5.202 routes packet to 192.168.2.208.

Example, http:

$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -m state --state NEW -d 192.168.2.208 \
  -p tcp --dport 80 -j ACCEPT

$ipt -t nat -A PREROUTING -d 210.153.22.y -p tcp --dport 80 \
  -j DNAT --to 192.168.2.208


Grts,
Rob

Re: is it possible to nat to the routed IP?

[Zhen Zhou]

On 12/12/06, Rob Sterenborg <rob@sterenborg.info> wrote:
>
> On Tue, December 12, 2006 07:34, Zhen Zhou wrote:
> > Hi all,
> >
> >
> > one example network looks like:
>
> [ASCII image skipped)
>
> > So is it possible to nat from 210.153.22.y to 192.168.2.208?
> > If possible, how to do it^[
>
> The gateway must have a route for 192.168.2.x set to 192.168.5.202.
> The default gateway for the router must be 192.168.5.201.
> The default gateway for 192.168.2.208 must be 192.168.3.254.
>
> Packet arrives at 210.153.22.y.
> Packet is DNAT-ed to 192.168.2.208.
> Gateway sends packet to 192.168.5.202.
> Router at 192.168.5.202 routes packet to 192.168.2.208.
>
> Example, http:
>
> $ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> $ipt -A FORWARD -m state --state NEW -d 192.168.2.208 \
>   -p tcp --dport 80 -j ACCEPT
>
> $ipt -t nat -A PREROUTING -d 210.153.22.y -p tcp --dport 80 \
>   -j DNAT --to 192.168.2.208
>
>
> Grts,
> Rob
>

Thanks a lot, now it works perfect.

Now the another issue is coming:

before we monitor the gateway network traffic via snmp, because I
assign 210.153.22.y to eth1, so I get snmp figure from eth1, and then
draw the network traffic, but  I am lazy to IP alias, so I use:
ip addr add 210.153.22.y dev eth1

Ofcs, the result is that I couldn't monitor it via snmp, at this kind
status, how could I monitor network traffic?

any tips, thanks a lot,

Zhou

RE: is it possible to nat to the routed IP?

[Rob Sterenborg]

> Thanks a lot, now it works perfect.
> 
> Now the another issue is coming:
> 
> before we monitor the gateway network traffic via snmp, because I
> assign 210.153.22.y to eth1, so I get snmp figure from eth1, and then
> draw the network traffic, but  I am lazy to IP alias, so I use:
> ip addr add 210.153.22.y dev eth1
> 
> Ofcs, the result is that I couldn't monitor it via snmp, at this kind
> status, how could I monitor network traffic?
> 
> any tips, thanks a lot,

I'm not sure but I thought traffic statistics were related to the NIC,
not to an IP address, so you might not be able to do this..
There may be an application that can however, but I'm not aware of it.
Maybe someone else is.


Grts,
Rob

Re: is it possible to nat to the routed IP?

[Zhen Zhou]

On 12/12/06, Rob Sterenborg <rob@sterenborg.info> wrote:
>
> On Tue, December 12, 2006 07:34, Zhen Zhou wrote:
> > Hi all,
> > one example network looks like:
>
> [ASCII image skipped)
>
> > So is it possible to nat from 210.153.22.y to 192.168.2.208?
> > If possible, how to do it^[
>
> The gateway must have a route for 192.168.2.x set to 192.168.5.202.
> The default gateway for the router must be 192.168.5.201.
> The default gateway for 192.168.2.208 must be 192.168.3.254.
>
> Packet arrives at 210.153.22.y.
> Packet is DNAT-ed to 192.168.2.208.
> Gateway sends packet to 192.168.5.202.
> Router at 192.168.5.202 routes packet to 192.168.2.208.
>
> Example, http:
>
> $ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> $ipt -A FORWARD -m state --state NEW -d 192.168.2.208 \
>   -p tcp --dport 80 -j ACCEPT
>
> $ipt -t nat -A PREROUTING -d 210.153.22.y -p tcp --dport 80 \
>   -j DNAT --to 192.168.2.208
>
>
> Grts,
> Rob

Now another issue is pop up:

210.153.22.x is Internet gateway IP, 210.153.22.y is a public ip for
publish 192.168.3.208.
ofcs, from Internet traffic to 192.168.3.208, is go through 210.153.22.y.
But in the another hand all the traffic from 192.168.3.208 to outside,
it will go to 210.153.22.x, could it be a possible go via 210.153.22.y
under some protocols?
How to configure?

Any tips will be appreciated.

Zhou

RE: is it possible to nat to the routed IP?

[Rob Sterenborg]

>> Packet arrives at 210.153.22.y.
>> Packet is DNAT-ed to 192.168.2.208.
>> Gateway sends packet to 192.168.5.202.
>> Router at 192.168.5.202 routes packet to 192.168.2.208.
>> 
>> Example, http:
>> 
>> $ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> $ipt -A FORWARD -m state --state NEW -d 192.168.2.208 \   -p tcp
>> --dport 80 -j ACCEPT 
>> 
>> $ipt -t nat -A PREROUTING -d 210.153.22.y -p tcp --dport 80 \   -j
>> DNAT --to 192.168.2.208 
>> 
>> 
>> Grts,
>> Rob
> 
> Now another issue is pop up:
> 
> 210.153.22.x is Internet gateway IP, 210.153.22.y is a public ip for
> publish 192.168.3.208. ofcs, from Internet traffic to 192.168.3.208,
> is go through 210.153.22.y. But in the another hand all the traffic
> from 192.168.3.208 to outside, it will go to 210.153.22.x, could it
> be a possible go via 210.153.22.y under some protocols? How to
> configure? 

That would depend on your rules at the gateway.

Taking http as example again.
A http connection is made to the server at destination port 80/tcp. This
is a grep of what it looks like using netstat -ant:

Proto Recv-Q Send-Q Local Address    Remote Address   State
tcp        0      0 172.16.2.254:80  172.16.2.1:1191  ESTABLISHED 
tcp        0      0 172.16.2.254:80  172.16.2.1:1190  ESTABLISHED 

So, return packets are coming from source port 80/tcp.
I think this is what you want:

$ipt -t nat -A POSTROUTING -s 192.168.2.208 -p tcp --sport 80 \
  -j SNAT 210.153.22.y
$ipt -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT 210.153.22.x

Packets from 192.168.2.208:80 are SNAT-ed to 210.153.22.y and all other
packets are SNAT-ed to 210.153.22.x.


Gr,
Rob

Re: is it possible to nat to the routed IP?

[Pascal Hambourg]

Hello,

Rob Sterenborg a écrit :
>>>
>>>$ipt -t nat -A PREROUTING -d 210.153.22.y -p tcp --dport 80 \   -j
>>>DNAT --to 192.168.2.208 
>
>Zhen Zhou wrote:
>>
>>Now another issue is pop up:
>>
>>210.153.22.x is Internet gateway IP, 210.153.22.y is a public ip for
>>publish 192.168.3.208. ofcs, from Internet traffic to 192.168.3.208,
>>is go through 210.153.22.y. But in the another hand all the traffic
>>from 192.168.3.208 to outside, it will go to 210.153.22.x, could it
>>be a possible go via 210.153.22.y under some protocols? How to
>>configure? 

Insert this kind of rule before the generic SNAT rule :

$ipt -t nat -A POSTROUTING -o <interface> -s 192.168.2.208 -p <proto> \
   [--dport <port>] -j SNAT --to 210.153.22.y

[...]
> A http connection is made to the server at destination port 80/tcp.
> [...] So, return packets are coming from source port 80/tcp.
> I think this is what you want:
> 
> $ipt -t nat -A POSTROUTING -s 192.168.2.208 -p tcp --sport 80 \
>   -j SNAT 210.153.22.y

This rule is useless to handle HTTP return packets. Return packets are 
in the ESTABLISHED state and don't traverse the 'nat' chains.

> Packets from 192.168.2.208:80 are SNAT-ed to 210.153.22.y

Yes, but not because of this SNAT rule but because of the DNAT rule 
above and because stateful DNAT does implicit SNAT on return packets.

Re: is it possible to nat to the routed IP?

[Zhen Zhou]

On 12/16/06, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> Rob Sterenborg a écrit :
> >>>
> >>>$ipt -t nat -A PREROUTING -d 210.153.22.y -p tcp --dport 80 \   -j
> >>>DNAT --to 192.168.2.208
> >
> >Zhen Zhou wrote:
> >>
> >>Now another issue is pop up:
> >>
> >>210.153.22.x is Internet gateway IP, 210.153.22.y is a public ip for
> >>publish 192.168.3.208. ofcs, from Internet traffic to 192.168.3.208,
> >>is go through 210.153.22.y. But in the another hand all the traffic
> >>from 192.168.3.208 to outside, it will go to 210.153.22.x, could it
> >>be a possible go via 210.153.22.y under some protocols? How to
> >>configure?
>
> Insert this kind of rule before the generic SNAT rule :
>
> $ipt -t nat -A POSTROUTING -o <interface> -s 192.168.2.208 -p <proto> \
>    [--dport <port>] -j SNAT --to 210.153.22.y
>
> [...]
> > A http connection is made to the server at destination port 80/tcp.
> > [...] So, return packets are coming from source port 80/tcp.
> > I think this is what you want:
> >
> > $ipt -t nat -A POSTROUTING -s 192.168.2.208 -p tcp --sport 80 \
> >   -j SNAT 210.153.22.y
>
> This rule is useless to handle HTTP return packets. Return packets are
> in the ESTABLISHED state and don't traverse the 'nat' chains.
>
> > Packets from 192.168.2.208:80 are SNAT-ed to 210.153.22.y
>
> Yes, but not because of this SNAT rule but because of the DNAT rule
> above and because stateful DNAT does implicit SNAT on return packets.
>

Thanks for your help, but the issue is still there, so I post what I
add iptables rules in the system then we could analyze where is the
issue:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state NEW -d 192.168.3.208 -p tcp
--dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -d 210.153.22.y -p tcp --dport 80 -j
DNAT --to 192.168.3.208
iptables -t nat -A POSTROUTING -o 210.153.22.y -s 192.168.3.208 -p tcp
--sport 80 -j SNAT --to 210.153.22.y

I assign:
ip addr add 210.153.22.y dev eth1 label eth1:1

in the another hand, I want to track the network link when I access
web to some sites, nothing show me via:
netstat -ant | grep 192.168.3.208
nothing .....

Maybe eth1:1 couldn't show on this way? is it?

Maybe that is the issue, but I couldn't find any idea how to deal, any tips, TIA

Zhou

Re: is it possible to nat to the routed IP?

[Pascal Hambourg]

Zhen Zhou a écrit :
> On 12/16/06, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
>>
>> Insert this kind of rule before the generic SNAT rule :
>>
>> $ipt -t nat -A POSTROUTING -o <interface> -s 192.168.2.208 -p <proto> \
>>    [--dport <port>] -j SNAT --to 210.153.22.y
> 
> Thanks for your help, but the issue is still there, so I post what I
> add iptables rules in the system then we could analyze where is the
> issue:
> 
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -m state --state NEW -d 192.168.3.208 -p tcp
> --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -d 210.153.22.y -p tcp --dport 80 -j
> DNAT --to 192.168.3.208

So far so good.

> iptables -t nat -A POSTROUTING -o 210.153.22.y -s 192.168.3.208 -p tcp
> --sport 80 -j SNAT --to 210.153.22.y

The -o (output interface) option takes a network interface name, not an 
IP address. Also, why do you match on source port 80 ? NAT rules can 
match only packets in the NEW state opening a new connection, but TCP 
packets with source port 80 are usually return packets (thus in 
ESTABLISHED state) from a web server.

> I assign:
> ip addr add 210.153.22.y dev eth1 label eth1:1
> 
> in the another hand, I want to track the network link when I access
> web to some sites, nothing show me via:
> netstat -ant | grep 192.168.3.208
> nothing .....

netstat shows only the state of local sockets, not forwarded 
connections. To see the the state of all tracked connections (incoming, 
outgoing and forwarded), use :

cat /proc/net/ip_conntrack