simple nat dilemma

simple nat dilemma

[patrick conlin]

Hello everyone,

Let me preface this by saying that I am seriously disappointed by my failure
to figure out what I'm doing wrong here, and any admonitions I receive from
ramin for being an idiot will be appreciated. I've been using ipchains for a
over a year for simple packet filtering and am now setting up a simple nat
gateway with iptables, but can't get it to work.

I'm trying to get the nat machine (bulgakov) to make zamyatin look and feel
like 207.224.76.204 for all external activity, inbound and outbound.
Eventually I'll be trying to make olesha look and feel like 207.224.76.202,
but one step at a time.

It's the classic setup:

bulgakov
eth0: 207.224.76.201
eth1: 10.1.1.1

zamyatin
eth0: 10.1.1.107

I've got a 1 in /proc/sys/net/ipv4/ip_forward

As an aside, when I set up

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Everything works great, for what it's worth (obviously not useful for
inbound connections). I am able to connect to the outside world and do
whatever I want (ping, traceroute, ftp, www, whatever) and It looks like the
connection is coming from 207.224.76.201. Of course, that's not what I'm
trying to do so I flush the chain, follow trusty rusty, and add the
following:

# iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.107 -j SNAT --to-source
207.224.76.204

No dice. I think the packets must be getting nat'd on the way out, but the
return packects aren't getting sent to the right place, so I add:

# iptables -t nat -A PREROUTING -d 207.224.76.204 -j DNAT --to-destination
10.1.1.107

Still nothing. I think maybe I need some explicit action on my FORWARD
chain, so I add:

# iptables -t filter -A FORWARD -s 10.1.1.107 -j ACCEPT

And

# iptables -t filter -A FORWARD -d 207.224.76.204 -j ACCEPT

Alas, still no love. So, a plea for help to those more fluent. I know I must
be missing something obvious.

Thanks!

patrick

Re: simple nat dilemma

[Antony Stone]

On Thursday 09 May 2002 6:33 pm, patrick conlin wrote:

> Hello everyone,
>
> Let me preface this by saying that I am seriously disappointed by my
> failure to figure out what I'm doing wrong here, and any admonitions I
> receive from ramin for being an idiot will be appreciated.

Will you appreciate it as much if I call you an idiot first :-) ?

> I'm trying to get the nat machine (bulgakov) to make zamyatin look and feel
> like 207.224.76.204 for all external activity, inbound and outbound.

Have you applied the network address 207.224.76.204 to the external interface 
of the firewall, so that it receives packets for that address ?

You either want to do:

ifconfig eth0:1 217.224.76.204 netmask w.x.y.z

or use the ip command from the iproute2 package if you have this on your 
system (can't quote you the syntax as I don't use it myself).

By the way, if this solves your problem, I don't think you were an idiot.

If you've already done this, and the problem turns out to be something else, 
then I'll wait before deciding :-)

 

Antony.