* nat not working as expected
From: Stephen Clark @ 2012-08-13 17:50 UTC
To: Netfilter Developer Mailing List
Hello,

I have a problem I am trying to solve and nat doesn't seem to be working.
I have a set of ip addresses I don't want to go thru my transparent proxy
so I have the following:
Chain PREROUTING (policy ACCEPT 1413 packets, 206K bytes)
 pkts bytes target prot opt in   out  source           destination
    0     0 ACCEPT tcp  --  eth0 *    10.254.150.0/24  10.0.0.0/8       tcp dpt:80
...
    0     0 ACCEPT tcp  --  eth0 *    10.254.150.0/24  8.15.7.123       tcp dpt:80
    2   120 ACCEPT tcp  --  eth0 *    10.254.150.0/24  216.16.243.121   tcp dpt:80
    0     0 ACCEPT tcp  --  eth0 *    10.254.150.0/24  216.16.242.222   tcp dpt:80
...
    0     0 ACCEPT tcp  --  eth0 *    10.254.150.0/24  216.171.106.210  tcp dpt:80
    0     0 DNAT   tcp  --  eth0 *    10.254.150.0/24  0.0.0.0/0        tcp dpt:80 to:10.254.150.1:8080

Chain POSTROUTING (policy ACCEPT 922 packets, 81534 bytes)
 pkts bytes target prot opt in   out  source           destination
    0     0 ACCEPT all  --  *    eth1 10.254.150.0/24  10.0.0.0/8
    0     0 ACCEPT all  --  *    eth1 10.254.150.0/24  172.16.0.0/12
    0     0 ACCEPT all  --  *    eth1 10.254.150.0/24  192.168.0.0/16
    0     0 SNAT   all  --  *    eth1 10.254.150.0/24  0.0.0.0/0        to:xxx.xxx.149.209

My packet hits the pre-routing chain and is accepted but then seems to get
lost; it doesn't get natted and go out my external interface.

tcpdump on internal interface:
13:33:03.157163 IP 10.254.150.91.53169 > 216.16.243.121.http: Flags [S], seq 1127713574, win 5840, options [mss 1460,sackOK,TS val 2344806144 ecr 0,nop,wscale 6], length 0

nothing shows on external interface:
The routing looks correct.
$ ip r g 216.16.243.121
216.16.243.121 via xxx.xxx.149.1 dev eth1 src xxx.xxx.149.209
What am I missing?
Thanks for your indulgence,
Steve

* Re: nat not working as expected
From: Stephen Clark @ 2012-08-13 17:57 UTC
To: sclark46; +Cc: Netfilter Developer Mailing List
Sorry for the noise - I had some routes set in an alternative routing
table that was routing out a GRE over a VPN.
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
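
A plain `ip r g 216.16.243.121` resolves the route for a locally generated packet, so it can look correct while forwarded traffic arriving on eth0 is matched by a policy rule that selects another routing table, which is the situation the follow-up describes. The script below is an added example, not part of the thread: it filters `ip rule show` output for rules that look up a table other than local, main or default, and its `diagnose` function repeats the route lookup with the `from` and `iif` of the captured SYN. The sample rules, table `100` and table `vpn` are constructed assumptions, since the thread does not show the actual rules.

```shell
#!/bin/sh
# Constructed `ip rule show` output (not from the thread). Table "100", the
# named table "vpn" and both selectors are hypothetical.
SAMPLE_RULES='0: from all lookup local
100: from 10.254.150.0/24 lookup 100
200: from all fwmark 0x1 lookup vpn
32766: from all lookup main
32767: from all lookup default'

# Read `ip rule show` text on stdin and print "priority table selector" for
# every rule that looks up a table other than local, main or default.
alt_table_rules() {
    awk '{
        prio = $1; sub(/:$/, "", prio); table = ""; sel = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "lookup" || $i == "table") { table = $(i + 1); break }
            sel = (sel == "") ? $i : (sel " " $i)
        }
        if (table != "" && table != "local" && table != "main" && table != "default")
            print prio, table, sel
    }'
}

# Unique list of those tables, one per line.
alt_tables() {
    alt_table_rules | awk '{ print $2 }' | sort -u
}

# Live check for the router in the thread (requires iproute2, run as root).
# Not called here so the script also runs on a machine without those interfaces.
diagnose() {
    rules=$(ip rule show)
    printf '%s\n' "$rules" | alt_table_rules
    for t in $(printf '%s\n' "$rules" | alt_tables); do
        echo "== table $t =="
        ip route show table "$t"
    done
    # Resolve the route as a packet forwarded in from eth0, which is what the
    # SYN from 10.254.150.91 is, rather than as locally generated traffic.
    ip route get 216.16.243.121 from 10.254.150.91 iif eth0
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | alt_table_rules
```

If `diagnose` reports an output device other than eth1 for the forwarded lookup, the SNAT rule bound to `eth1` in POSTROUTING never sees the packet, which matches the zero counters in the listing.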