Hi,

Apologies in advance for the lengthy post, but I wanted to provide enough detail. I seem to have a strange SNAT problem. I've checked all the obvious things, and everything looks correct.

I have an IBM xSeries box, running kernel 2.4.17, in a firewall configuration with 2 NICs: one is an onboard NIC with an Intel chipset (eepro100), the other is a recent PCI Intel eepro100 card. The hostname is os-fw.

Current dmesg output showing detected adapters:

eepro100.c:v1.09j-t 9/29/99 Donald Becker http://cesdis.gsfc.nasa.gov/linux/drivers/eepro100.html
eepro100.c: $Revision: 1.36 $ 2000/11/17 Modified by Andrey V. Savochkin <saw@saw.sw.com.sg> and others
eth0: Intel Corp. 82557 [Ethernet Pro 100], 00:02:55:AA:2B:F7, IRQ 27.
  Board assembly ffffff-255,  Physical connectors present: RJ45
  Primary interface chip i82555 PHY #1.
  Secondary interface chip i82555.
  General self-test: passed.
  Serial sub-system self-test: passed.
  Internal registers self-test: passed.
  ROM checksum self-test: passed (0x3258698e).
PCI: Enabling device 00:09.0 (0000 -> 0003)
eth1: Intel Corp. 82557 [Ethernet Pro 100] (#2), 00:D0:B7:0E:9C:72, IRQ 10.
  Board assembly 721383-008,  Physical connectors present: RJ45
  Primary interface chip i82555 PHY #1.
  General self-test: passed.
  Serial sub-system self-test: passed.
  Internal registers self-test: passed.
  ROM checksum self-test: passed (0x04f4518b).

All I need is to NAT traffic from the inside LAN out to the internet.
(eth0 LAN = 10.10.0.0/16) (eth1 internet = 64.45.x.y)

IPv4 forwarding is enabled:

root @ os-fw 11:34pm />sysctl -a | grep "forward"
net.ipv4.conf.ipsec0.mc_forwarding = 0
net.ipv4.conf.ipsec0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1

root @ os-fw 11:35pm />sysctl -a | grep "rp_filter"
net.ipv4.conf.ipsec0.arp_filter = 0
net.ipv4.conf.ipsec0.rp_filter = 1
net.ipv4.conf.eth1.arp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0

Current NAT rules:

root @ os-fw 11:32pm />ipt -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 879 packets, 51937 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 200 packets, 14000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16  1106 SNAT       all  --  *      eth1    10.10.0.0/16         0.0.0.0/0           to:65.45.x.y

Chain OUTPUT (policy ACCEPT 176 packets, 11728 bytes)
 pkts bytes target     prot opt in     out     source               destination

Current filter rules:

root @ os-fw 11:34pm />ipt -L -v -n
Chain INPUT (policy ACCEPT 42731 packets, 9405K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 264 packets, 19620 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 50654 packets, 4296K bytes)
 pkts bytes target     prot opt in     out     source               destination
root @ os-fw 11:35pm />

My next hop is a Cisco 1600, with a T1 to the ISP, if that makes any difference.
Simple, right? I can make connections just fine out to the internet if I'm sitting on os-fw. ICMP ping, telnet, ssh, out to anywhere on the internet, works great. But when I try to make connections from boxes on the 10.10.0.0/16 side of os-fw, I don't get anything. I've already checked: these boxes are pointing at os-fw's IP address for their default gw.

I've used tcpdump, and I can see the traffic actually going through os-fw (traffic generated from a box inside os-fw, on the 10.10.0.0/16 LAN, appears on os-fw's eth1 interface). The weird thing is, the packets are NATed through os-fw, and then seem to die at the 1600 router.

Even stranger, I have another 2.4.17 box that is set up almost exactly the same, except its next hop is a Cisco 1700, and it has slightly different NICs in it. This box works perfectly.

I'm assuming either NIC driver problems, TTL issues or something screwy going on in the 1600 . . .

Any ideas?

tia,
Chris Clifton
chris@ms.black-oak.com
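An added consistency check, not part of the post above or of any reply to it, for the first thing worth verifying in a setup like this: that the address an SNAT rule rewrites to is actually held by the out interface. The post's NAT rule shows `to:65.45.x.y` while eth1 is described as 64.45.x.y; whether that is a slip in the write-up or the real configuration, a translated address that the firewall does not own means the next-hop router has nowhere to send the replies, and the symptom is exactly packets that leave NATed and then "die at the router". The script parses output in the shape of `iptables -t nat -L -v -n` and `ip -4 -o addr`; the samples embedded below are constructed in those shapes with documentation addresses, not the poster's real output, and the check is IPv4-only. It also flags an SNAT source prefix that is not a directly connected network on some other interface, since with rp_filter=1 such packets need an explicit route or are dropped on ingress before they ever reach POSTROUTING.

```python
import ipaddress
import re

# Constructed sample in the shape of `iptables -t nat -L -v -n` (documentation addresses,
# not the poster's real output). The SNAT target deliberately differs from eth1's address.
NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 879 packets, 51937 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 200 packets, 14000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16  1106 SNAT       all  --  *      eth1    10.10.0.0/16         0.0.0.0/0            to:203.0.113.7
Chain OUTPUT (policy ACCEPT 176 packets, 11728 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed sample in the shape of `ip -4 -o addr` (one interface per line).
ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.10.0.1/16 brd 10.10.255.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 198.51.100.2/30 brd 198.51.100.3 scope global eth1\\       valid_lft forever preferred_lft forever
"""


def parse_nat_rules(text):
    """Return the nat table's rules as dicts tagged with their chain (verbose -L -v -n layout)."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        # pkts bytes target prot opt in out source destination [target options]
        fields = line.split(None, 9)
        if len(fields) < 9 or not fields[0].isdigit():
            continue  # column header or blank line
        extra = fields[9] if len(fields) > 9 else ""
        to = re.search(r"\bto:(\S+)", extra)
        rules.append({"chain": chain, "target": fields[2], "in": fields[5], "out": fields[6],
                      "source": fields[7], "dest": fields[8], "to": to.group(1) if to else None})
    return rules


def parse_iface_addrs(text):
    """Map interface name -> list of IPv4Interface from `ip -4 -o addr` style output."""
    addrs = {}
    for line in text.splitlines():
        m = re.match(r"^\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            addrs.setdefault(m.group(1), []).append(ipaddress.ip_interface(m.group(2)))
    return addrs


def check_snat(rules, addrs):
    """Findings for POSTROUTING SNAT rules whose translated address the out interface does not hold."""
    findings = []
    for r in rules:
        if r["chain"] != "POSTROUTING" or r["target"] != "SNAT" or r["to"] is None:
            continue  # MASQUERADE always uses the out interface's own address, so it cannot mismatch
        if r["out"] == "*":
            findings.append(f"SNAT of {r['source']} has no out interface; it rewrites traffic leaving every interface")
            continue
        held = [i.ip for i in addrs.get(r["out"], [])]
        # SNAT --to may be addr[-addr][:port-port]; reduce a range to its first address (IPv4 only)
        snat_ip = ipaddress.ip_address(r["to"].split("-")[0].split(":")[0])
        if snat_ip not in held:
            findings.append(
                f"SNAT on {r['out']} rewrites {r['source']} to {snat_ip}, but {r['out']} holds "
                f"{', '.join(map(str, held)) or 'no address'}; replies to {snat_ip} stop at the next hop "
                f"unless it has a route (or proxy-ARP entry) sending {snat_ip} back to this box"
            )
        # The pre-NAT source should be a network the box is directly on via some other interface;
        # otherwise rp_filter=1 on the ingress interface needs an explicit route or drops the packets.
        src = ipaddress.ip_network(r["source"], strict=False)
        on_link = any(src.subnet_of(i.network)
                      for name, ifaces in addrs.items() if name != r["out"] for i in ifaces)
        if src.prefixlen and not on_link:
            findings.append(f"SNAT source {src} is not a directly connected network on any interface other than {r['out']}")
    return findings


def run(nat_output=NAT_OUTPUT, addr_output=ADDR_OUTPUT):
    """Parse both outputs and return the list of findings (empty means the SNAT setup is consistent)."""
    return check_snat(parse_nat_rules(nat_output), parse_iface_addrs(addr_output))


if __name__ == "__main__":
    for finding in run():
        print("WARN:", finding)
```

On the constructed sample the script reports one finding (eth1 holds 198.51.100.2 but the rule translates to 203.0.113.7); with the rule's `to:` changed to eth1's own address it reports nothing. To check a live box, capture the two commands' output to files and pass their contents to `run()`. The check says nothing about the upstream router itself: if the translated address is deliberately different from the interface address, the next hop must have a static route or proxy-ARP entry for it, which is the thing to look at on the 1600 next.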