From: Uwe Eisner <Uwe.Eisner@globit.com>
To: Antony Stone <Antony@Soft-Solutions.co.uk>
Cc: netfilter@lists.samba.org
Subject: Re: SNAT does not work
Date: Thu, 06 Jun 2002 16:45:42 +0200
Message-ID: <3CFF7596.4090300@globit.com>
In-Reply-To: 200206061357.g56DvOA31162@vulcan.rissington.net
Antony Stone wrote:
>On Thursday 06 June 2002 2:27 pm, Uwe Eisner wrote:
>
>Hi.
>
>Having read your email again, I realise that I do not understand what problem
>you're having...
>
>
>
>>I'm using an internal IP range, wherefore I need NAT to connect to the
>>internet..
>>
>>
>
>Okay, yes - I understand that.
>
>
>
>>My problem is that this rule does not work. When I start a Perl code at
>>the www, which shows me my IP address, it shows me the IP address of
>>the external interface of the router/firewall.
>>
>>
>
>Surely that means that your address translation *is* working ?
>
But why is the external IP address of the firewall shown at the www?
I specified the IP address 141.12.218.99, not 141.12.129.9 (ext.
router IP address)
>
>1. If it were not, the remote web server would not be able to establish a
>connection.
>
>2. The external address of the firewall is the address you would expect to be
>coming from when you use the SNAT rule.
>
>3. If you are running a Perl script, I assume that means that a TCP 3-way
>handshake has been completed, which means the web server has successfully
>been able to send packets back to your client.
>
>
>
>>I can not find the problem.
>>
>>
>
>What *is* the problem ?
>
>
>
>>If I set no POSTROUTING rule, it is the same game...
>>
>>
>
>I do not understand what you mean by this. Surely you do not mean that if
>you remove the POSTROUTING rule, you can still connect to a remote web server
>and have a Perl script tell you your source address ???
>
Yes, that is it! I removed every POSTROUTING rule, but I could still
connect to the web.
>
>Maybe you can explain a little more for me ?
>
Of course. :-)
First I configured the firewall with a MASQUERADE rule, which shows the
www the external IP address of the router/firewall.
I removed the statement from the configuration script and added the new rule:
iptables -A POSTROUTING -t nat -s 192.168.0.0/16 -j SNAT --to-source 141.12.218.1
Afterwards I typed the flush command 'iptables -F'. Now ALL rules should
be removed, shouldn't they?
I started my configuration script with the new rule (see above), but
nothing has changed.
First I thought that iptables -F does not delete the POSTROUTING rules,
so I did it by hand:
iptables -D POSTROUTING -t nat -s 192.168.0.0/16 -j MASQUERADE
The same procedure as described above, and nothing has changed.
My plan is that our network shows to the www just 1 IP address, namely
141.12.218.99 and not the router IP address 141.12.129.9
Hope that is more information for you.
Thx
Uwe Eisner
>
>
>Antony.
>
>
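
An added illustration, not part of the original message: `iptables -F` without `-t` operates on the filter table only, and in the nat table the first matching POSTROUTING rule decides the translation. The sketch models both on a constructed, abbreviated `iptables-save` style dump; the dump's state and the helper names `sample_dump`, `chain_rules`, `flush_table` and `first_nat_target` are assumptions for the example, not the poster's actual ruleset.

```shell
# Constructed sample in iptables-save format (assumed state, not the poster's
# real ruleset): an older MASQUERADE rule is still loaded and the SNAT rule
# from the message was appended after it with "iptables -A".
sample_dump() {
cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.0.0/16 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 141.12.218.1
COMMIT
EOF
}

# Print the rules of CHAIN in TABLE in evaluation order (dump on stdin).
chain_rules() {
    awk -v t="*$1" -v c="$2" '
        /^\*/ { cur = $1 }
        cur == t && $1 == "-A" && $2 == c { print }'
}

# Model "iptables [-t TABLE] -F" on a dump: only that table's rules are
# dropped, and TABLE defaults to filter just as it does for iptables.
flush_table() {
    awk -v t="*${1:-filter}" '
        /^\*/ { cur = $1 }
        cur == t && $1 == "-A" { next }
        { print }'
}

# Target of the first nat POSTROUTING rule whose -s equals SRC; that rule
# decides the translation, later rules are not reached for that source.
first_nat_target() {
    chain_rules nat POSTROUTING | awk -v s="$1" '{
        hit = 0; tgt = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-s" && $(i + 1) == s) hit = 1
            if ($i == "-j") tgt = $(i + 1)
        }
        if (hit) { print tgt; exit }
    }'
}

echo "loaded:          $(sample_dump | first_nat_target 192.168.0.0/16)"
echo "after -F:        $(sample_dump | flush_table | first_nat_target 192.168.0.0/16)"
echo "after -t nat -F: $(sample_dump | flush_table nat | first_nat_target 192.168.0.0/16)"
```

On a real host, pipe the output of `iptables-save` into `first_nat_target` in place of `sample_dump`.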