* multiple SNAT overlaps doesn't work?
@ 2005-09-01 19:40 psihozefir
From: psihozefir @ 2005-09-01 19:40 UTC (permalink / raw)
To: netfilter
Hello! I have this configuration:
a) A small server with this configuration: on eth1 - local network 192.168.1.0/24;
on eth0 10.100.122.90 to my ISP, for tunneling inside his network to my big server;
a GRE tunnel 10.10.10.8 <-> 10.10.10.7 to my big server.
I forward the network to my big server with unchanged addresses.
b) A big server with 3 NICs:
eth0 = $publicIP1 AND all 64 addresses from $publicNET1 as aliases to eth0
eth1 = 192.168.101.1 connected to 192.168.101.0/24 AND 10.0.0.1 connected to 10.0.0.0/24 AND $publicIP2 as gateway for $publicNET2
tun1 = 10.10.10.7 <-> 10.10.10.8 tunnel to my small server
I have this:
publicNET1=1.2.3.0/26
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.0/24 -j SNAT --to 1.2.3.1-1.2.3.32 # load balancing
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j SNAT --to 1.2.3.33-1.2.3.62 # load balancing
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0 -j SNAT --to 1.2.3.1-1.2.3.62 # load balancing
iptables -A FORWARD -s $publicNET2 -j ACCEPT
iptables -A FORWARD -d $publicNET2 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.101.0/24 -j ACCEPT
iptables -A FORWARD -o eth1 -d 192.168.101.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -o eth1 -d 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i tun1 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -o tun1 -d 192.168.1.0/24 -j ACCEPT
iptables -P FORWARD ACCEPT
dns = ISP's DNS
The ISP is providing a route from its internal 10.100.122.0 network to my $publicIP1 for tunneling.
Problem:
I can communicate with the Internet from the locally connected networks (192.168.101.0 and 10.0.0.0), but I have no access to the Internet for the tunneled network.
From the small server I can ping any machine on 192.168.101.0 or on 10.0.0.0.
From the big server I can ping any machine on the tunneled network.
From the small server I can ping the ISP's DNS server.
routes on small server:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.10.7 * 255.255.255.255 UH 0 0 0 tun1
ns.isp 10.100.122.65 255.255.255.255 UGH 0 0 0 eth0
$publicIP1.i 10.100.122.65 255.255.255.255 UGH 0 0 0 eth0
10.100.122.64 * 255.255.255.224 U 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
loopback * 255.0.0.0 U 0 0 0 lo
default 10.10.10.7 0.0.0.0 UG 0 0 0 tun1
routes on big server:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
253.157.196.81. * 255.255.255.255 UH 0 0 0 eth1
253.157.196.81. * 255.255.255.255 UH 0 0 0 eth1
10.10.10.8 * 255.255.255.255 UH 0 0 0 tun1
$publicIP1 * 255.255.255.248 U 0 0 0 eth0
$publicNET2 * 255.255.255.248 U 0 0 0 eth1
$publicNET1 * 255.255.255.192 U 0 0 0 eth0
1.2.3.0 * 255.255.255.192 U 0 0 0 eth0
192.168.101.0 * 255.255.255.0 U 0 0 0 eth1
10.0.0.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 10.10.10.8 255.255.255.0 UG 0 0 0 tun1
loopback * 255.0.0.0 U 0 0 0 lo
default $my_gw 0.0.0.0 UG 1 0 0 eth0
* Note that SNAT has overlapping addresses. I think that could be the problem. Has anyone experienced any similar situations? Thank you for your time, patience and help.
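As an added editorial example (not the poster's code), a small Python audit of the three POSTROUTING rules quoted above. It reports the two things a reviewer would check before blaming the kernel: SNAT target ranges that overlap between rules, and a -s address given without a prefix length, which iptables matches as a single /32 host rather than the whole network. The rule strings are copied from the post; the regexes assume the rules use -s and --to as written there.

```python
import ipaddress
import re
from itertools import combinations

# Input constructed from the post: the three SNAT rules, one per line.
RULES = [
    "iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.0/24 -j SNAT --to 1.2.3.1-1.2.3.32",
    "iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j SNAT --to 1.2.3.33-1.2.3.62",
    "iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0 -j SNAT --to 1.2.3.1-1.2.3.62",
]


def parse_snat_rule(rule):
    """Return (source_network, (first_ip, last_ip), has_prefix) for one SNAT rule."""
    src = re.search(r"-s\s+(\S+)", rule).group(1)
    to = re.search(r"--to(?:-source)?\s+(\S+)", rule).group(1)
    has_prefix = "/" in src
    # iptables treats a bare address as a /32 host match; ip_network does the same.
    net = ipaddress.ip_network(src, strict=False)
    first, _, last = to.partition("-")
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last) if last else lo  # "--to a.b.c.d" is a single address
    return net, (lo, hi), has_prefix


def audit_snat(rules):
    """Flag sources given without a mask and pairwise overlapping SNAT ranges."""
    parsed = [parse_snat_rule(r) for r in rules]
    findings = []
    for net, _, has_prefix in parsed:
        if not has_prefix:
            findings.append(f"source {net} has no mask: matches one host only")
    for (na, ra, _), (nb, rb, _) in combinations(parsed, 2):
        # Two closed ranges overlap when each starts no later than the other ends.
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            lo, hi = max(ra[0], rb[0]), min(ra[1], rb[1])
            findings.append(f"SNAT ranges for {na} and {nb} overlap on {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for line in audit_snat(RULES):
        print(line)
```

On the rules above this reports the bare 192.168.1.0 source and the two overlaps (1.2.3.1-1.2.3.32 with the first rule, 1.2.3.33-1.2.3.62 with the second); the first two rules alone produce no findings.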