> Ok. I'm getting there... I'm drawing on a piece of paper and combining
> your emails onto it.. but it still seems you have a SNAT problem..
>
> 204.181.247.x/24 ----> 172.16.0.18:8001 ---> DNAT to 204.181.247.34:80
>
> When you DNAT the above, the source still says 203.181.247.x/24 on it so
> the DNAT machine which is 204.181.247.34:80 responds directly back to the
> source and bypasses the NAT server, which then the client (source) is
> waiting on 172.16.0.18:8001 to respond but only gets packets from
> 204.181.247.34:80 so it drops it..
>
> Also, if you can use it.. try using the NETMAP patch.. it'll save you a
> hell of a lot of rules ;)
>
> *looks at original email rule list*
>
> Looks like you have a split DMZ zone, some ports/ips go into 1 network,
> some others go to the other network.. he he, man this is confusing. ha ha
>
> I think you really need a SNAT rule like this..
>
> iptables -A POSTROUTING -t nat -s 203.181.247.0/24 -d 172.16.0.18:8001 -j
> SNAT --to <NATSERVERIP>

So essentially I'd be sending the packet back out to the internet? There's
no way to just keep it on the LAN and in the FORWARD chain? That's a real
drag.

I'm running RH 2.1 ES and I have downloaded their kernel source, did a make
menuconfig (without changing one single thing), exited out and saved the new
image. make dep works... but make modules ALWAYS bombs... so until I can get
some time, of which I have none because of this, I doubt I can get that
patch to work.

Thanks again,

Aaron

P.S. If I misinterpreted your comments on the SNAT, please let me know.
> this way the 204.181.247.34:80 server will respond back via <NATSERVERIP>
> which eventually renats to 203.181.247.x/24
>
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@xxxxxxxxxxxxxxxxxxxxxx
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
> Phone : +61 2 9955 2644
> HelpDesk: +61 2 9955 2698
>
>> -----Original Message-----
>> From: ml@xxxxxxxxxxxxxx [mailto:ml@xxxxxxxxxxxxxx]
>> Sent: Friday, 31 October 2003 3:28 PM
>> To: George Vieira
>> Cc: ml@xxxxxxxxxxxxxx
>> Subject: RE: PLEASE HELP with DNAT problem
>>
>> > AARGH!! ASCII ART.. ;P he he... I have 15 networks in my head and I need a
>> > 1GB memory upgrade in my brain to fit more.. just 1 GB will do ;P
>> >
>> > I don't understand this part :
>>
>> I tried the ASCII art, I really did.. but UGHHHH..
>>
>> Let me try to explain it more clearly, and also, the "it hits another
>> one" was just my interpretation... it surely could be wrong.
>>
>> As I say, the traffic from the internet is getting DNATed perfectly, so
>> I'll concentrate on what's NOT working.
>>
>> My "protected" LAN has the 204.181.247.0/24 addresses, this is eth1... my
>> DMZ has (actual) 10.1.1.16/28 addresses and that is on eth0..... now since
>> I have 16 public addresses from my ISP, the 172.16.0.16/28 addresses from
>> the original post... I have to get the traffic from the internet there and
>> also the traffic from my LAN there for servers.
>>
>> I have rules DNATing one to one the 172.16.0.16/28 addresses to the
>> 10.1.1.16/28 addresses for incoming connections from serial0 and eth1,
>> i.e.
>>
>> iptables -t nat -A PREROUTING -i serial0 -d 172.16.0.17 -j DNAT
>> --to-destination 10.1.1.17
>> and
>> iptables -t nat -A PREROUTING -i eth1 -d 172.16.0.17 -j DNAT
>> --to-destination 10.1.1.17
>>
>> both of which seem to work just fine.
>>
>> Now.... before I put these rules however, I put more "specific" rules with
>> port assignments,
>>
>> i.e.
>> iptables -t nat -A PREROUTING -i serial0 -d 172.16.0.17 -p tcp --dport
>> 8021 -j DNAT --to-destination 204.181.247.80:80
>> and
>> iptables -t nat -A PREROUTING -i eth1 -d 172.16.0.17 -p tcp --dport 8021
>> -j DNAT --to-destination 204.181.247.80:80
>>
>> The first one works fine, but the second one, which should essentially tell
>> the packet to just go right back onto its local network to find the
>> destination, actually ends up connecting to the 172.16.0.17
>> address... and then the routing is messed up and I never see it again.
>>
>> I try this:
>> telnet 172.16.0.18:8001
>>
>> Here is a tcpdump:
>> tcpdump -n -i any host 204.181.247.21 and port 8001 -v -w telnet-in
>> tcpdump -r telnet-in
>>
>> 22:10:22.073457 204.181.247.21.1602 > 204.181.247.80.http: S
>> 1454746041:1454746041(0) win 5840 <mss 1460,sackOK,timestamp 4064028 0,nop,wscale 0> (DF) [tos 0x10]
>> 22:10:25.069786 204.181.247.21.1602 > 204.181.247.80.http: S
>> 1454746041:1454746041(0) win 5840 <mss 1460,sackOK,timestamp 4064328 0,nop,wscale 0> (DF) [tos 0x10]
>> 22:10:31.069457 204.181.247.21.1602 > 204.181.247.80.http: S
>> 1454746041:1454746041(0) win 5840 <mss 1460,sackOK,timestamp 4064928 0,nop,wscale 0> (DF) [tos 0x10]
>> 22:10:43.068733 204.181.247.21.1602 > 204.181.247.80.http: S
>> 1454746041:1454746041(0) win 5840 <mss 1460,sackOK,timestamp 4066128 0,nop,wscale 0> (DF) [tos 0x10]
>>
>>
>> Thanks,
>>
>> Aaron
>>
>> > >> after the first DNAT rule that DNATS it back to the LAN, it hits
>> > >> "another one", one that DNATs it to the DMZ,
>> >
>> > Once you DNAT, it won't pass any more DNAT rules and exits the chain?? Or
>> > did I misunderstand it AGAIN..
>> > *reads original mail again* ;)
>> >
>> > Thanks,
>> > ____________________________________________
>> > George Vieira
>> >
>> >
>> >> -----Original Message-----
>> >> From: ml@xxxxxxxxxxxxxx [mailto:ml@xxxxxxxxxxxxxx]
>> >> Sent: Friday, 31 October 2003 2:03 PM
>> >> To: George Vieira
>> >> Cc: ml@xxxxxxxxxxxxxx; netfilter@xxxxxxxxxxxxxxxxxxx
>> >> Subject: RE: PLEASE HELP with DNAT problem
>> >>
>> >>
>> >> >> I tried to DNAT the LAN back
>> >> >> to itself and
>> >> >> it just isn't working..
>> >> >
>> >> > If I think I know what you're trying to do, you are doing a LAN to LAN
>> >> > connection right?
>> >> >
>> >> > Don't forget that a LAN to LAN DNAT also must have a POSTROUTING SNAT rule
>> >> > so the destination server replies back via the firewall/NAT server.
>> >> > Otherwise it'll reply directly to the client and the client will drop the
>> >> > packet immediately.
>> >>
>> >> Ok.. I guess this is what I'm missing. I'm not sure where I should be
>> >> source natting to however.
>> >>
>> >> The packet starts at the LAN.... destined for the internet... now.. it supposedly
>> >> should get DNATed back to the LAN..... now like I say.. after the first DNAT
>> >> rule that DNATs it back to the LAN, it hits another one that DNATs
>> >> it to the DMZ, but this one doesn't have the port specific information, as
>> >> normally I'd want it ending up in the DMZ.
>> >>
>> >> I just don't see how a SNAT fits in here. But then that's why I'm asking
>> >> for help.
>> >>
>> >> Thanks again
>> >> Aaron P. Martinez
>> >>
>> >> > Have you done any tcpdumping or -j LOGing??
>> >> >
>> >> > Thanks,
>> >> > ____________________________________________
>> >> > George Vieira
>> >> > Systems Manager
>> >> > georgev@xxxxxxxxxxxxxxxxxxxxxx
>> >> >
>> >> > Citadel Computer Systems Pty Ltd
>> >> > http://www.citadelcomputer.com.au
>> >> >
>> >> > Phone : +61 2 9955 2644
>> >> > HelpDesk: +61 2 9955 2698
>> >> >
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: ml@xxxxxxxxxxxxxx [mailto:ml@xxxxxxxxxxxxxx]
>> >> >> Sent: Friday, 31 October 2003 1:18 PM
>> >> >> To: netfilter@xxxxxxxxxxxxxxxxxxx
>> >> >> Subject: PLEASE HELP with DNAT problem
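Editor's note, added after the thread: the rule pair the discussion circles around, written out as a worked example. This is the editor's script, not rules posted by Aaron or George. Interface names, the client LAN, the public address and the 204.181.247.80:80 target are taken from the thread; the firewall's own eth1 address (204.181.247.1) is an assumption, and the IPT dry-run variable is this script's own convention. The example goes slightly beyond the thread by also adding the FORWARD rules the hairpinned connection needs. The point it demonstrates: the POSTROUTING SNAT does not push the packet out to the internet, it only changes the source so the server on the same LAN answers the firewall instead of the client, and because POSTROUTING runs after DNAT the SNAT rule must match the translated destination (204.181.247.80:80), not 172.16.0.17:8021.

```shell
#!/bin/sh
# Hairpin ("LAN to LAN") DNAT with the POSTROUTING SNAT that makes it work.
# Added example, not the rule set from the thread. Interface names and
# addresses follow the thread; FW_LAN_IP is an ASSUMED value.
#
# Set IPT="echo iptables" to print the rules instead of loading them.
IPT="${IPT:-iptables}"

LAN_IF=eth1                 # protected LAN, 204.181.247.0/24
LAN_NET=204.181.247.0/24
PUBLIC_IP=172.16.0.17       # public address the clients connect to
SERVER_IP=204.181.247.80    # real server, on the same LAN as the clients
FW_LAN_IP=204.181.247.1     # ASSUMED: the firewall's own address on eth1

# The thread's eth1 rule on its own. A LAN client connecting to
# 172.16.0.17:8021 is redirected to 204.181.247.80:80, but the packet still
# carries the client's source address, so the server answers the client
# directly across the LAN. The client is waiting for 172.16.0.17:8021, gets
# a SYN/ACK from 204.181.247.80:80 instead, discards it and keeps
# retransmitting its SYN, which is exactly what the tcpdump in the thread shows.
broken_rules() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -d "$PUBLIC_IP" -p tcp --dport 8021 \
        -j DNAT --to-destination "$SERVER_IP":80
}

# Same DNAT plus a POSTROUTING SNAT limited to that hairpinned flow.
# POSTROUTING runs after DNAT, so the match is on the translated destination
# (204.181.247.80:80), not on 172.16.0.17:8021. The server now sees the
# connection coming from the firewall and replies to it; conntrack reverses
# both translations and the client gets its SYN/ACK from 172.16.0.17:8021.
# Nothing leaves eth1: the packet enters and exits the firewall on the LAN side.
fixed_rules() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -d "$PUBLIC_IP" -p tcp --dport 8021 \
        -j DNAT --to-destination "$SERVER_IP":80
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER_IP" \
        -p tcp --dport 80 -j SNAT --to-source "$FW_LAN_IP"
    # The hairpinned connection is forwarded in and out of eth1, so FORWARD
    # has to allow it in both directions (the filter table sees the packet
    # after DNAT on the way in and before the reverse DNAT on the way back).
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$SERVER_IP" -p tcp --dport 80 \
        -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$SERVER_IP" -p tcp --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    broken) broken_rules ;;
    fixed)  fixed_rules ;;
esac
```

Usage: `IPT="echo iptables" sh hairpin.sh fixed` prints the four rules; run it without IPT set (as root) to load them. Two caveats worth knowing before copying this. First, the SNAT is only needed when client and target share a subnet: the thread's LAN-to-DMZ rules (172.16.0.17 to 10.1.1.17 on eth0) work without it because the DMZ host's reply is routed back through the firewall anyway. Second, the server will log every hairpinned connection as coming from 204.181.247.1, so the real client address is only visible in the firewall's conntrack table or a `-j LOG` rule. To confirm the fix, `tcpdump -n -i eth1 host 204.181.247.80 and port 80` should now show the SYN arriving from 204.181.247.1 and the SYN/ACK coming back to it, rather than the unanswered SYN retransmissions in the thread.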