From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: [LARTC] NAT: multiple route lookups; local use of NAT IP
Date: Sun, 02 Mar 2003 17:56:58 +0000 [thread overview]
Message-ID: <marc-lartc-104662805329578@msgid-missing> (raw)
Hello all,
Part I
- - - - - -
I am using a stateless (iproute2) NAT installation here as a concrete
example around which to ask my question about cases where route lookups
are required.
I do not understand the entire sequence of route lookups required.
Intuition and observation suggest to me that there have to be two separate
route lookups. I would like confirmation and/or further explanation, if
possible.
Here's a simple map describing my working configuration.
+---------+
10.17.0.0/16 | NAT | 172.17.0.0/16
-----------------+ router +--------------------
eth2 +---------+ eth3
Here's my current understanding:
1 packet arrives from 192.168.14.2 on eth2 bound for 10.17.254.1
2 route exists in local routing table; rewrite packet for 172.17.254.1
3 ??
4 rewritten packet is transmitted on eth3 to 172.31.254.1
It seems that there must be a route lookup for 172.17.254.1 at step 3.
How does the kernel know to perform a second lookup?
Under what other situations would there be multiple route lookups for the
same packet?
Part II
- - - - - -
Of less importance to me, but a peculiar side effect of the stateless NAT,
I find that I can never connect to IPs configured for NAT on the box in
question.
These commands were run on the NAT router in the above diagram.
# ping -n 10.17.254.1
connect: Invalid argument
# ping -I 192.168.0.13 -n 10.17.254.1
PING 10.17.254.1 (10.17.254.1) from 192.168.0.13 : 56(84) bytes of data.
ping: sendto: Invalid argument
ping: sendto: Invalid argument
--- 10.17.254.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
Is this a side effect of the NAT entry in the local routing table?
Thank you in advance for any answers,
-Martin
Notes:
- - - - - - - - - - - - -
- there are more interface on the box, but no traffic relevant to my
question traverses any of these interfaces
- aside from the NAT entry, there are no RPDB entries
- # ip rule show | grep 10.17
310: from 172.17.0.0/16 to 10.10.0.0/16 lookup main map-to 10.17.0.0
- # ip route show table local | grep '^nat 10.17'
nat 10.17.0.0/16 via 172.17.0.0 scope host
routing cache entries
- - - - - - - - - - - - -
192.168.14.2 from 172.17.254.1 via 192.168.0.251 dev eth2 src 172.31.254.254
cache <src-nat> mtu 1500 rtt 300 iif eth3
10.17.254.1 from 192.168.14.2 via 172.31.254.1 dev eth3 src 192.168.0.13
cache <dst-nat> mtu 1500 rtt 300 iif eth2
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
next reply other threads:[~2003-03-02 17:56 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-03-02 17:56 Martin A. Brown [this message]
2003-03-03 13:32 ` [LARTC] NAT: multiple route lookups; local use of NAT IP Julian Anastasov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=marc-lartc-104662805329578@msgid-missing \
--to=mabrown-lartc@securepipe.com \
--cc=lartc@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.