Re: a question of NAT

On Tuesday 07 January 2003 03:38 am, 廖琪 wrote:
> I have a question about using NAT.
>
> I have two LANs, A and B. A is 202.115.60.0/24 and B is 202.115.70.0/24.
> LAN A has a server C whose IP is 202.115.60.2, and LAN B has a
> server D whose IP is 202.115.70.3. Normally, server C provides the
> service; when server D shuts down, I want to use server B to provide the
> service instead of server C.

I'm not sure where 'server B' came from here...  And I'm not sure if I 
follow what you are really trying to do, maybe because 'server B' 
confuses things.  However:

> I think NAT may solve the problem. So, I use DNAT and SNAT:
>
> at the gateway of LAN A, do this:
> #iptables -t nat -A PREROUTING -s ! 202.115.70.0/24 -d 202.115.60.2
> -j DNAT --to 202.115.70.3 
> #iptables -A FORWARD -d 202.115.70.0/24 -j ACCEPT
>
> at the gateway of LAN B, do this:
> #iptables -t nat -A POSTROUTING -s 202.115.70.3 -d ! 202.115.60.0/24
> -j SNAT --to 202.115.60.2
>
> but when I check the IP packets using tcpdump, I find the SNAT did not
> work; the source address of the packets from server D is
> 202.115.70.3, not 202.115.60.2.
>
> Then I did a test. When I send a ping packet from server D, the
> source address of the ping packet changes to 202.115.60.2; here the
> SNAT works well.

OK.  The SNAT works when the packet originates from server D, but DOESN'T 
work when the packet comes from D as a reply.  I would suspect a DNAT 
getting reversed, except you say that tcpdump finds the original IP 
intact.  (Where are you checking it?)  It seems that the only reason the 
packet would not match your SNAT rule then is if the destIP doesn't 
match. (or if an earlier POSTROUTING rule is catching it for some 
reason)  You are checking if the destIP is NOT on LAN A, but the only 
way packets get DNATted there initially is if they are NOT from LAN B.  
If this is all internal, and just these two LANs, then this combination 
doesn't make sense.  I'm not sure what your purpose is in this 
crossover, so I'm having trouble visualizing what you want the packets 
to do, but if you are sending them to the server on LAN B from clients 
on LAN A, then you can't use "not LAN A" for return traffic and expect 
it to match.

> =============================================================
> New Year's Day and Valentine's Day, don't be lonely any more! Why not come and date?	http://dating.163.com/
> NetEase Club builds you a super private community!		http://our.163.com
> New Year gifts!
> The VIP mailbox can also be used for free!		http://vip.163.com/payment/MobilePayment.shtml

Just as an aside,  I found this message in my SPAM folder instead of my 
netfilter folder, because ANY email containing 163.com is automatically 
dumped.  (and yours matches six times)  163.com is one of about 80 
domain names that are regularly blocked completely by a number of 
anti-spam products and services.  You also match spam filters based on 
being in an IP block notable for out-of-control spamming.  You probably 
already know this, and probably got automatic bounces like "The mail 
server you are sending from is listed on an international Blacklist" 
from several recipients.

Googling "spam 163.com" returns about 2000 hits, while "spam vip.163.com" 
returns about 200.  

I REALLY hope and pray that you (or the servers in question here) are not 
involved in spamming, and that I haven't just perhaps actually helped a 
spammer.  Being the recipient of around 300 spams per month, (and an 
anti-spam activist) that would really nauseate me.  If this is NOT the 
case, I hope you understand and forgive, and consider getting a 
different email address.  (If it IS the case, I won't offend people with 
what I hope... >;^)  I thought about not replying, but decided that 
wasn't fair to you, as I have no reason to believe you have anything to 
do with spamming.

j