* NAT - HELP
@ 2004-05-05 12:44 Slava (hotbox)
From: Slava (hotbox) @ 2004-05-05 12:44 UTC (permalink / raw)
To: netfilter
NETFILTER --> NAT --> HOWTO
I speak English very badly!
We use VPN connections (PPTP) through the firewall. It uses two connections: 1723/tcp and 47/ip (GRE).
When I give a range of IP addresses to SNAT, the two PPTP connections (1723/tcp & GRE) leave
the firewall (SNAT) with different IP addresses.
And the VPN connection does not work!
Help, if you can, please.
Viacheslav.
* Re: NAT - HELP
From: John A. Sullivan III @ 2004-05-06 12:34 UTC (permalink / raw)
To: Slava (hotbox); +Cc: netfilter
On Wed, 2004-05-05 at 08:44, Slava (hotbox) wrote:
>
> NETFILTER --> NAT --> HOWTO
>
>
> I very badly speak English!
>
>
> We use VPN-connections (PPTP) through firewall. It uses two connections: 1723/tcp and 47/ip(GRE).
>
> When I give a range of IP addresses to SNAT, two PPTP connections (1723/tcp & GRE) leave
> from Firewall (SNAT) with different IP-addresses.
> And VPN-connection does not work!
>
>
> Help, if can, please.
>
> Viacheslav.
>
>
I do not use PPTP so I am having trouble understanding your problem. Is
the problem that you do not want 1723/tcp and 47/ip to SNAT at all or
that they are doing SNAT to the wrong address?
If you do not want the PPTP connection to SNAT at all, place an ACCEPT
rule in front of the SNAT rule, e.g.,
iptables -t nat -I POSTROUTING 1 -o eth0 -s x.x.x.x -p 6 --sport 1723 -j ACCEPT
iptables -t nat -I POSTROUTING 1 -o eth0 -s x.x.x.x -p 47 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source y.y.y.y
If it is NATting the wrong public address, make sure the PPTP rules are processed first.
Hope this helps - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
* Re: NAT - HELP
From: Alistair Tonner @ 2004-05-06 18:37 UTC (permalink / raw)
To: netfilter
On May 6, 2004 08:34 am, John A. Sullivan III wrote:
> On Wed, 2004-05-05 at 08:44, Slava (hotbox) wrote:
> > NETFILTER --> NAT --> HOWTO
> >
> >
> > I very badly speak English!
> >
> >
> > We use VPN-connections (PPTP) through firewall. It uses two connections:
> > 1723/tcp and 47/ip(GRE).
> >
> > When I give a range of IP addresses to SNAT, two PPTP connections
> > (1723/tcp & GRE) leave from Firewall (SNAT) with different IP-addresses.
> > And VPN-connection does not work!
> >
> >
> > Help, if can, please.
> >
> > Viacheslav.
>
> I do not use PPTP so I am having trouble understanding your problem. Is
> the problem that you do not want 1723.tcp and 47/ip to SNAT at all or
> that they are doing SNAT to the wrong address?
>
> If you do not want the PPTP connection to SNAT at all, place an ACCEPT
> rule in front of the SNAT rule, e.g.,
>
> iptables -t nat -I POSTROUTING 1 -o eth0 -s x.x.x.x -p 6 --sport 1723 -j
> ACCEPT
> iptables -t nat -I POSTROUTING 1 -o eth0 -s x.x.x.x -p 47 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source y.y.y.y
>
> If it is NATting the wrong public address, make sure the PPTP rules are
> processed first. Hope this helps - John
I think the problem here is that he is using SNAT against a RANGE of
addresses. By nature the first packet gets SNATted against address b of
[a-t] and the second packet gets SNATted against c of [a-t].
He has a range of outside addresses he may use to SNAT against, and is trying
to load-balance the requests (at a guess), and this is confusing the VPN as the
request on 1723 shows up on one IP and the actual VPN request (proto 47)
comes up on a different address.
The best solution would be to choose only *one* IP to SNAT VPN requests against,
*or*, if you actually can plot a one-to-one relationship of NATs (outside IP a
-> inside IP q), to add a *source* to the SNAT rules and set up one-to-one
rules for the VPN tunnel ... tedious but doable.
Unless someone else can suggest a method of locking the NAT requests to the
same IP?
Alistair.
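Alistair's single-address approach, combined with John's point that the PPTP rules must be matched before the general SNAT rule, as an added example that is not part of the thread; the interface, internal network and public addresses are assumed placeholders, and the rules are only printed unless IPT is set to iptables:

```shell
#!/bin/sh
# Added example (not from the thread): pin a PPTP client's tcp/1723 control
# channel and its GRE (protocol 47) tunnel to ONE public address, ahead of the
# range SNAT that spreads everything else across the pool. With a range-only
# rule such as
#   iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10-203.0.113.20
# each new connection may pick a different pool address, so the control
# connection and the GRE tunnel can leave with different source IPs.
WAN_IF="${WAN_IF:-eth0}"                      # outbound interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"          # internal network (constructed)
POOL="${POOL:-203.0.113.10-203.0.113.20}"     # public range for general SNAT (constructed)
PPTP_IP="${PPTP_IP:-203.0.113.10}"            # single public address for PPTP (constructed)

# Emit the POSTROUTING rules in the order netfilter must evaluate them:
# first match wins, so the PPTP-specific rules go in before the pool rule.
# IPT=echo (default prints "iptables ..." lines) gives a dry run; set
# IPT=iptables to apply the rules for real.
pptp_nat_rules() {
    ipt="${IPT:-echo iptables}"
    # 1. PPTP control channel from LAN clients to any server: one fixed address.
    $ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 1723 -j SNAT --to-source "$PPTP_IP"
    # 2. GRE carrier for the same clients: the same fixed address.
    $ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -p 47 -j SNAT --to-source "$PPTP_IP"
    # 3. Everything else may still be balanced across the pool.
    $ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$POOL"
}
# Note: when several LAN clients share the single address, the kernel PPTP
# conntrack/NAT helper (nf_conntrack_pptp / nf_nat_pptp) is also needed so the
# GRE call IDs are rewritten per client.
```

Run `IPT=iptables sh script.sh` only after checking the dry-run output; the order of the three rules is what matters.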