Linux Netfilter discussions
* FORWARD-ed packet doesn't reach POSTROUTING
@ 2004-08-20 13:59 Fred Gansevles
  2004-08-23 18:45 ` Aleksandar Milivojevic
  0 siblings, 1 reply; 3+ messages in thread
From: Fred Gansevles @ 2004-08-20 13:59 UTC (permalink / raw)
  To: netfilter; +Cc: fred

Hello,

First: I'm not subscribed to this list so please make sure that any reply is 
also sent to: fred@gansevles.defamilie.nl

I have a weird problem trying to set up multiple routes on my NAT-box.

I have the following setup:

 <local network>     <NAT-box>
 [192.168.0.0/24]    eth0: 192.168.0.1
                     eth1: <adsl.static.ip>
                     tunl1: <tunnel to remote NAT-box via eth1>

The remote NAT-box can reach a special subnet which I want to connect to.
The special subnet is also reachable through eth1, but I want the packets that 
reach the special subnet to be NAT-ted by the remote NAT-box.

On my NAT-box I add the following route:

 ip route add <special.sub.net> dev tunl1

The relevant iptables rules are:
 iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 \
  -j SNAT --to-source <adsl.static.ip>
 iptables -t nat -A POSTROUTING -o tunl1 \
  -j SNAT --to-source <adsl.static.ip>

All messages originating from my NAT-box for the special subnet are routed 
through tunl1 and SNAT-ted by the second iptables rule.

All messages originating from my local subnet for the special subnet are 
routed through tunl1 and *NOT* SNAT-ted by the second iptables rule (the 
packets never reach the POSTROUTING chain).

If I remove the special subnet route with:

 ip route del <special.sub.net> dev tunl1

then all messages originating from my local subnet for the special subnet are 
routed through eth1 and SNAT-ted by the first iptables rule.

All messages originating from my NAT-box for the special subnet are directly 
routed through eth1 and *NOT* SNAT-ted (no matching rule for 
SRC=<adsl.static.ip>).

Summarizing: when I want to reach the special subnet using the remote NAT-box 
I can only do this *ON* the NAT-box, and all machines in my local subnet can 
*NOT REACH THE special subnet AT ALL*.

Can anybody shed some light on this problem?
Please send replies to: fred@gansevles.defamilie.nl


* RE: FORWARD-ed packet doesn't reach POSTROUTING
@ 2004-08-23 18:20 Jason Opperisano
  0 siblings, 0 replies; 3+ messages in thread
From: Jason Opperisano @ 2004-08-23 18:20 UTC (permalink / raw)
  To: Fred Gansevles, netfilter

> Hello,
>
> First: I'm not subscribed to this list so please make sure that any reply is
> also sent to: fred@gansevles.defamilie.nl
>
> I have a weird problem trying to set up multiple routes on my NAT-box.
>
> I have the following setup:
>
>  <local network>     <NAT-box>
>  [192.168.0.0/24]    eth0: 192.168.0.1
>                      eth1: <adsl.static.ip>
>                      tunl1: <tunnel to remote NAT-box via eth1>
>
> The remote NAT-box can reach a special subnet which I want to connect to.
> The special subnet is also reachable through eth1, but I want the packets that
> reach the special subnet to be NAT-ted by the remote NAT-box.
>
> On my NAT-box I add the following route:
>
>  ip route add <special.sub.net> dev tunl1
>
> The relevant iptables rules are:
>  iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 \
>   -j SNAT --to-source <adsl.static.ip>
>  iptables -t nat -A POSTROUTING -o tunl1 \
>   -j SNAT --to-source <adsl.static.ip>

also of relevance would be your actual FORWARD rules. as in, provide the output of "iptables -vnL FORWARD".

> All messages originating from my NAT-box for the special subnet are routed
> through tunl1 and SNAT-ted by the second iptables rule.
>
> All messages originating from my local subnet for the special subnet are
> routed through tunl1 and *NOT* SNAT-ted by the second iptables rule (the
> packets never reach the POSTROUTING chain).
>
> If I remove the special subnet route with:
>
>  ip route del <special.sub.net> dev tunl1
>
> then all messages originating from my local subnet for the special subnet are
> routed through eth1 and SNAT-ted by the first iptables rule.

something tells me that your FORWARD rules are specifying some combination of "-s 192.168.0.0/24" and "-o eth1".

if the packets are getting dropped in the FORWARD chain of the filter table, then no, they will never make it to the POSTROUTING chain of the nat table.

> All messages originating from my NAT-box for the special subnet are directly
> routed through eth1 and *NOT* SNAT-ted (no matching rule for
> SRC=<adsl.static.ip>).
>
> Summarizing: when I want to reach the special subnet using the remote NAT-box
> I can only do this *ON* the NAT-box, and all machines in my local subnet can
> *NOT REACH THE special subnet AT ALL*.

the filter rules controlling packets from the NAT box itself are the OUTPUT rules, while the filter rules controlling the packets from your local subnet are FORWARD rules... something tells me there's a key difference between those sets of rules. without posting your rules, it is very difficult to tell you what is wrong. if you feel so inclined, provide the output of: iptables -vnL && iptables -t nat -vnL && iptables -t mangle -vnL

-j

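Added example, not from either poster: a small POSIX shell audit that reads a captured "iptables -vnL FORWARD" dump (the output the reply asks for) and reports whether packets from the LAN leaving via a given interface would survive the FORWARD chain, which is the precondition for the original post's tunl1 SNAT rule ever being consulted. The sample dumps are constructed to match the rule shape the reply suspects; the subnet and interface names are the thread's.

```sh
#!/bin/sh
# Added example, not from the thread: audit a captured "iptables -vnL FORWARD"
# dump. If the filter table drops LAN traffic bound for an interface, the
# nat table's POSTROUTING chain never sees it (the symptom in the post).
# Assumption: a rule is matched on its out-interface and source columns only;
# in-interface, protocol and extra matches such as "state" are ignored.

# Constructed sample in -vnL layout (pkts bytes target prot opt in out
# source destination [extras]): LAN accepted out via eth1 only, policy DROP.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  8000 ACCEPT     all  --  eth0   eth1    192.168.0.0/24       0.0.0.0/0
  200 16000 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            192.168.0.0/24       state RELATED,ESTABLISHED'

# Same chain with one extra rule that also lets the LAN out through tunl1.
SAMPLE_FIXED="$SAMPLE_FORWARD
  300 24000 ACCEPT     all  --  eth0   tunl1   192.168.0.0/24       0.0.0.0/0"

# forward_verdict SUBNET OIF < dump
# Prints the target of the first terminal rule (ACCEPT/DROP/REJECT) whose out
# column is OIF or "*" and whose source is SUBNET or any; otherwise the
# chain's default policy, exactly as netfilter would fall through to it.
forward_verdict() {
    awk -v subnet="$1" -v oif="$2" '
        NR == 1 { policy = $4; next }          # "Chain FORWARD (policy DROP ...)"
        NR == 2 { next }                       # column titles
        ($7 == oif || $7 == "*") && ($8 == subnet || $8 == "0.0.0.0/0") &&
            $3 ~ /^(ACCEPT|DROP|REJECT)$/ { verdict = $3; exit }
        END { print (verdict != "" ? verdict : policy) }'
}

# check_lan_path SUBNET OIF < dump
# Exit 0 when FORWARD passes the traffic (so a POSTROUTING SNAT rule for OIF
# can apply), 1 when it dies in the filter table before reaching nat.
check_lan_path() {
    v=$(forward_verdict "$1" "$2")
    if [ "$v" = ACCEPT ]; then
        echo "FORWARD accepts $1 -> $2: nat/POSTROUTING can SNAT it"
        return 0
    fi
    echo "FORWARD verdict for $1 -> $2 is $v: packets never reach nat/POSTROUTING"
    return 1
}

# On the NAT box itself: iptables -vnL FORWARD | check_lan_path 192.168.0.0/24 tunl1
printf '%s\n' "$SAMPLE_FORWARD" | check_lan_path 192.168.0.0/24 tunl1 || true
printf '%s\n' "$SAMPLE_FIXED"   | check_lan_path 192.168.0.0/24 tunl1
```

The first run reports DROP for the tunl1 path and the second reports ACCEPT, which is the difference between the two FORWARD rule sets the reply is asking to see.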
