NAT for multiple non-directly connected subnets

NAT for multiple non-directly connected subnets

[Bradley Kite]

Hi all,

I've been using NAT for my home network (a single /24 RFC1918 address
range) and it has been working well, however I've recently tried
NATing a more complex environment environment as follows:

 Linux Machine:
Internal Interface: 192.168.1.50/30 -> 192.168.1.49/30
External Interface: 81.179.30.111/24

Now, connected off the internal interface is a whole network
consisting of several subnets all linked off each other - ie they are
not directly connected to the linux machine.

The problem I have is that the NAT on the linux box is only actually
nating traffic that comes directly from  192.168.1.49 - the first
upstream router. Any traffic from, for example, 192.168.2.0/24 wont
get natted to  81.179.30.111  as expected. I can see this with tcpdump
- traffic from the directly connected router gets natted, other
traffic is seen (so its not a routing issue) its just not being
natted.

I am using kernel 2.6.18 and this is the rule I'm using for iptables:

iptables --table nat -A POSTROUTING -o eth0 -j SNAT --to-source 81.179.30.111

Is there any thing I am missing with this configuration? Is there some
limitation with doing NAT that only allows directly connected subnets
to be natted?

Any help or suggestions will be much appreciated as I've tried all
configurations that I can think of and I'm at my limit now.

--
Brad.

Re: NAT for multiple non-directly connected subnets

[Matt Zagrabelny]

[-- Attachment #1: Type: text/plain, Size: 1935 bytes --]


On Thu, 2007-11-08 at 21:53 +0000, Bradley Kite wrote:
> Hi all,
> 
> I've been using NAT for my home network (a single /24 RFC1918 address
> range) and it has been working well, however I've recently tried
> NATing a more complex environment environment as follows:
> 
>  Linux Machine:
> Internal Interface: 192.168.1.50/30 -> 192.168.1.49/30

What does the previous line mean? Better explanation please.

> External Interface: 81.179.30.111/24

I assume that this is eth0.

> Now, connected off the internal interface is a whole network
> consisting of several subnets all linked off each other - ie they are
> not directly connected to the linux machine.
> 
> The problem I have is that the NAT on the linux box is only actually
> nating traffic that comes directly from  192.168.1.49 - the first
> upstream router. Any traffic from, for example, 192.168.2.0/24 wont
> get natted to  81.179.30.111  as expected. I can see this with tcpdump
> - traffic from the directly connected router gets natted, other
> traffic is seen (so its not a routing issue) its just not being
> natted.

Perhaps do some logging (-j LOG) or check the counters on the various
chains.

# iptables -t nat -L -v -n

[...]

> Is there any thing I am missing with this configuration? Is there some
> limitation with doing NAT that only allows directly connected subnets
> to be natted?

I am not an expert, but SNAT applies on the way out (as you know), so
the box shouldn't care what the ip ranges are. All traffic (local and
forwarded) should be "equal" in the POSTROUTING chain.

-- 
Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85  C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: NAT for multiple non-directly connected subnets

[Bradley Kite]

On 08/11/2007, Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
>
> On Thu, 2007-11-08 at 21:53 +0000, Bradley Kite wrote:
> > Hi all,
> >
> > I've been using NAT for my home network (a single /24 RFC1918 address
> > range) and it has been working well, however I've recently tried
> > NATing a more complex environment environment as follows:
> >
> >  Linux Machine:
> > Internal Interface: 192.168.1.50/30 -> 192.168.1.49/30
>
> What does the previous line mean? Better explanation please.

Linux machine has eth1, 192.168.1.50/30, connected to a router
(192.168.1.49/30). Behind this router are many other networks/subnets.
I'm trying to get the linux box to NAT all of them, not just addresses
within this tiny /30 subnet (as is the case now).

> > External Interface: 81.179.30.111/24
>
> I assume that this is eth0.

Indeed this is eth0

> > Now, connected off the internal interface is a whole network
> > consisting of several subnets all linked off each other - ie they are
> > not directly connected to the linux machine.
> >
> > The problem I have is that the NAT on the linux box is only actually
> > nating traffic that comes directly from  192.168.1.49 - the first
> > upstream router. Any traffic from, for example, 192.168.2.0/24 wont
> > get natted to  81.179.30.111  as expected. I can see this with tcpdump
> > - traffic from the directly connected router gets natted, other
> > traffic is seen (so its not a routing issue) its just not being
> > natted.
>
> Perhaps do some logging (-j LOG) or check the counters on the various
> chains.
>
> # iptables -t nat -L -v -n

Hmm. The pre-routing couters are increasing, but that is all. When I
ping from the router then the post-routing counters increase (because
its directly connected).

>
> I am not an expert, but SNAT applies on the way out (as you know), so
> the box shouldn't care what the ip ranges are. All traffic (local and
> forwarded) should be "equal" in the POSTROUTING chain.

This was my assumption too but I must be missing something.

Thanks for your quick response.

--
Brad.

Re: NAT for multiple non-directly connected subnets

[Grant Taylor]

On 11/08/07 16:17, Bradley Kite wrote:
> Linux machine has eth1, 192.168.1.50/30, connected to a router
> (192.168.1.49/30). Behind this router are many other networks/subnets.
> I'm trying to get the linux box to NAT all of them, not just addresses
> within this tiny /30 subnet (as is the case now).

This should not be a problem.  Unless .... (See below.)

> Hmm. The pre-routing couters are increasing, but that is all. When I
> ping from the router then the post-routing counters increase (because
> its directly connected).

Ok...

> This was my assumption too but I must be missing something.

Could this by chance be a reverse path filtering issue?  Is it possible 
that the firewall is not allowing the traffic from the non directly 
connected /30 to go through.

If you look at the counters in the filter:FORWARD chain do you see the 
traffic passing or is it even making it that far?



Grant. . . .

Re: NAT for multiple non-directly connected subnets

[Matt Zagrabelny]

[-- Attachment #1: Type: text/plain, Size: 993 bytes --]


On Thu, 2007-11-08 at 22:17 +0000, Bradley Kite wrote:
> On 08/11/2007, Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:

[...]

> > Perhaps do some logging (-j LOG) or check the counters on the various
> > chains.
> >
> > # iptables -t nat -L -v -n
> 
> Hmm. The pre-routing couters are increasing, but that is all. When I
> ping from the router then the post-routing counters increase (because
> its directly connected).

Is your rp_filter getting in the way?

# cat /proc/sys/net/ipv4/conf/eth1/rp_filter

If this returns 1, then:

# echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter

Of course setting it in /etc/sysctl.conf for reboots.

-- 
Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85  C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: NAT for multiple non-directly connected subnets

[Bradley Kite]

On 08/11/2007, Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
>
> On Thu, 2007-11-08 at 22:17 +0000, Bradley Kite wrote:
> > On 08/11/2007, Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
>
> [...]
>
> > > Perhaps do some logging (-j LOG) or check the counters on the various
> > > chains.
> > >
> > > # iptables -t nat -L -v -n
> >
> > Hmm. The pre-routing couters are increasing, but that is all. When I
> > ping from the router then the post-routing counters increase (because
> > its directly connected).
>
> Is your rp_filter getting in the way?
>
> # cat /proc/sys/net/ipv4/conf/eth1/rp_filter
>
> If this returns 1, then:
>
> # echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
>
> Of course setting it in /etc/sysctl.conf for reboots.
>
> --

I tried this with the same results I'm afraid. If I cannot get this
working then I'll have to make the upstream router do NAT too so that
the entire network is seen from the address of the up-stream router -
as Linux is NATing that address without problems.

Or maybe I'll try a kernel upgrade to see if that makes any difference.

Many thanks for your help.

--
Brad.

Re: NAT for multiple non-directly connected subnets

[Grant Taylor]

On 11/08/07 16:34, Bradley Kite wrote:
> I tried this with the same results I'm afraid. If I cannot get this 
> working then I'll have to make the upstream router do NAT too so that 
> the entire network is seen from the address of the up-stream router - 
> as Linux is NATing that address without problems.

Something (else) is wrong here.

> Or maybe I'll try a kernel upgrade to see if that makes any 
> difference.

I doubt that will make any difference.

Can we see the output of iptables-save?



Grant. . . .

Re: NAT for multiple non-directly connected subnets

[Bradley Kite]

On 08/11/2007, Bradley Kite <bradley.kite@gmail.com> wrote:
> On 08/11/2007, Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
> >
> > On Thu, 2007-11-08 at 22:17 +0000, Bradley Kite wrote:
> > > On 08/11/2007, Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
> >
[snip]
>
> I tried this with the same results I'm afraid. If I cannot get this
> working then I'll have to make the upstream router do NAT too so that
> the entire network is seen from the address of the up-stream router -
> as Linux is NATing that address without problems.
>
> Or maybe I'll try a kernel upgrade to see if that makes any difference.

Hmm. I've tried also with the latest kernel (2.6.23) but I still have
the same problem.

Has any body else managed to get something like this working before?

Re: NAT for multiple non-directly connected subnets

[Bradley Kite]

On 09/11/2007, Bradley Kite <bradley.kite@gmail.com> wrote:
> On 08/11/2007, Bradley Kite <bradley.kite@gmail.com> wrote:
> > On 08/11/2007, Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
> > >
> > > On Thu, 2007-11-08 at 22:17 +0000, Bradley Kite wrote:
> > > > On 08/11/2007, Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
> > >
> [snip]
> >
> > I tried this with the same results I'm afraid. If I cannot get this
> > working then I'll have to make the upstream router do NAT too so that
> > the entire network is seen from the address of the up-stream router -
> > as Linux is NATing that address without problems.
> >
> > Or maybe I'll try a kernel upgrade to see if that makes any difference.
>
> Hmm. I've tried also with the latest kernel (2.6.23) but I still have
> the same problem.
>
> Has any body else managed to get something like this working before?
>

Just in case any body else has this problem, I have found the solution
so thought I would share:

I am actually running a virtual network within my linux machine for
testing/studying. This means that as packets leave the various routers
within my virtual network, they are seen by the IP-Tables because of
the bridges I have set up to connect the virtual routers.

the connection-tracking needs to be turned off on the bridges in order
to make this work:

iptables --table raw -A PREROUTING -i [BRIDGE] -j NOTRACK

this then allows the packet to correctly enter the POSTROUTING table
once it eventually gets to the NAT interface on the same linux device.

Hopefully somebody else will find this useful.
--
Brad.

Re: NAT for multiple non-directly connected subnets

[Grant Taylor]

On 11/09/07 09:42, Bradley Kite wrote:
> the connection-tracking needs to be turned off on the bridges in 
> order to make this work:

Oh, you are running bridging (NOTHING at all wrong with that) but it 
does change things a bit.  Had I known that you were running bridging I 
would have asked about the Bridged NetFilter configuration in your kernel.

Based on the fact that you are running bridging and the fact that you 
have to touch IPTables for bridged traffic tells me that you are using 
Bridged NetFilter code.  This makes it even more important to know what 
your IPTables configuration is to help solve your problem as it was.

Seeing as how you have worked around your problem, we no longer need to 
see the output of iptables-save.

I don't think you solved your real problem, rather worked around it. 
But hay, if that works for you and packets are moving like they need to, 
so be it and good for you.  ;)



Grant. . . .

Re: NAT for multiple non-directly connected subnets

[Pascal Hambourg]

Hello,

Bradley Kite a écrit :
> 
> the connection-tracking needs to be turned off on the bridges in order
> to make this work:
> 
> iptables --table raw -A PREROUTING -i [BRIDGE] -j NOTRACK

This may have undesirable side effects unless you add "-m physdev 
--physdev-is-bridged" to ensure that this rule matches only bridged 
traffic and not forwarded traffic received on the bridge interface.
If you just don't want Netfilter (including the conntrack and iptables) 
to see the bridged IP traffic, you can do this by setting the sysctl 
net.bridge.bridge-nf-call-iptables to 0.

echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
or
sysctl -w net.bridge.bridge-nf-call-iptables=0

Add the following line in /etc/sysctl.conf to make it persistent across 
reboots :

net.bridge.bridge-nf-call-iptables=0

-- 

Re: NAT for multiple non-directly connected subnets

[Bradley Kite]

On 09/11/2007, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> Bradley Kite a écrit :
> >
> > the connection-tracking needs to be turned off on the bridges in order
> > to make this work:
> >
> > iptables --table raw -A PREROUTING -i [BRIDGE] -j NOTRACK
>
> This may have undesirable side effects unless you add "-m physdev
> --physdev-is-bridged" to ensure that this rule matches only bridged
> traffic and not forwarded traffic received on the bridge interface.
> If you just don't want Netfilter (including the conntrack and iptables)
> to see the bridged IP traffic, you can do this by setting the sysctl
> net.bridge.bridge-nf-call-iptables to 0.
>
> echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
> or
> sysctl -w net.bridge.bridge-nf-call-iptables=0
>
> Add the following line in /etc/sysctl.conf to make it persistent across
> reboots :
>
> net.bridge.bridge-nf-call-iptables=0

Ahh, great thats a much better way of doing it because I dont have to
keep track of all my bridges and apply config to them seperatley.

Many thanks for your help.

--
Brad.