RE: Complex NAT problems / sorry for the formatted text

On Thu, 2004-05-20 at 07:45, CPD - David Cardeñosa Rubio wrote:
> 
> Hi 
> 
> I have a strange problem with iptables NAT.
> 
> I try to join 2 nets with the same IP.
> 
> 
> fwinet-2:~# iptables -L -n -t nat -v
> Chain PREROUTING (policy ACCEPT 41232 packets, 2376K bytes)
>  pkts bytes target     prot opt in     out     source              destination
>    94  4743 NETMAP     all  --  eth2   *       172.0.0.0/8         172.20.4.0/24       172.16.4.0/24
>     7   420 NETMAP     all  --  eth1   *       172.16.4.0/24       172.20.3.0/24       172.16.33.0/24
> 
> Chain POSTROUTING (policy ACCEPT 21845 packets, 1167K bytes)
>  pkts bytes target     prot opt in     out     source              destination
>     0     0 NETMAP     all  --  *      eth1    172.16.33.0/24      172.16.4.0/24       172.20.3.0/24
>   654 33367 NETMAP     all  --  *      eth2    172.16.4.0/24       172.0.0.0/8         172.20.4.0/24
>     0     0 SNAT       all  --  *      eth0    172.16.0.0/16       0.0.0.0/0           to:192.168.8.6
>     0     0 SNAT       all  --  *      eth0    172.40.40.0/22      0.0.0.0/0           to:192.168.8.6
>     0     0 SNAT       all  --  *      eth0    172.60.60.0/24      0.0.0.0/0           to:192.168.8.6
>   394 32515 SNAT       all  --  *      eth0    10.152.24.100       0.0.0.0/0           to:192.168.8.6
>     0     0 MASQUERADE  all  --  *      eth1    0.0.0.0/0           172.16.4.14
> 
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              destination
> 
> 
> The 1st rule in the POSTROUTING table doesn't work: the packets go to
> interface eth1 with the original IP. I have the same problem with the
> other NETMAP rules (I also tried with SNAT/DNAT), but when I reboot the
> firewall the rules apply correctly.
> 
> This only happens when I modify the rules without rebooting; if I reboot
> and load the firewall script (with the new rules) everything works.
> 
> 
> fwinet-2:~# tcpdump -i eth2 -n icmp 
> tcpdump: listening on eth2 
> 13:25:38.157106 172.16.33.1 > 172.20.4.11: icmp: echo request 
> 13:25:39.158705 172.16.33.1 > 172.20.4.11: icmp: echo request 
> 
> fwinet-2:~# tcpdump -i eth1 -n icmp 
> tcpdump: listening on eth1 
> 13:25:43.163094 172.16.33.1 > 172.16.4.11: icmp: echo request 
> 
> It's very strange.
> 
> fwinet-2:~# uname -a 
> Linux fwinet-2 2.4.26 #2 Mon May 17 21:11:05 CEST 2004 i686 unknown 
<snip>
I can't give you an easy answer but I can suggest some process.  Have
you compared the rule listings before and after a change? Have you
placed logging rules within your rule set to see where the packets are
being unexpectedly accepted or dropped?
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
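As an added example (not part of this thread, and not code from either poster), the script below parses the POSTROUTING listing quoted above and the tcpdump line captured on eth1, computes the source address the first NETMAP rule should have produced (host bits kept, network bits swapped) and compares it with what was actually seen on the wire; the listing and the capture line are constructed from the quoted output.

```python
import ipaddress
import re

# Constructed sample: the POSTROUTING chain quoted above, wrapped lines re-joined.
NAT_LISTING = """\
Chain POSTROUTING (policy ACCEPT 21845 packets, 1167K bytes)
 pkts bytes target     prot opt in     out     source              destination
    0     0 NETMAP     all  --  *      eth1    172.16.33.0/24      172.16.4.0/24       172.20.3.0/24
  654 33367 NETMAP     all  --  *      eth2    172.16.4.0/24       172.0.0.0/8         172.20.4.0/24
    0     0 MASQUERADE  all  --  *      eth1    0.0.0.0/0           172.16.4.14
"""
# Constructed sample: the echo request seen leaving eth1 in the quoted tcpdump output.
TCPDUMP_ETH1 = "13:25:43.163094 172.16.33.1 > 172.16.4.11: icmp: echo request"

def parse_nat_rules(listing):
    """Turn the rows of `iptables -L -n -t nat -v` into dicts; header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():
            continue
        rules.append({"pkts": int(f[0]), "target": f[2], "in": f[5], "out": f[6],
                      "src": f[7], "dst": f[8], "to": f[9] if len(f) > 9 else None})
    return rules

def netmap(addr, new_net):
    """NETMAP keeps the host part of the address and swaps in the new network part."""
    addr = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(new_net, strict=False)
    return str(ipaddress.ip_address(int(net.network_address) | (int(addr) & int(net.hostmask))))

def expected_source(rules, src, dst, out_if):
    """The first matching NETMAP rule for this output interface decides the new source."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["target"] != "NETMAP" or r["out"] not in ("*", out_if):
            continue
        if s in ipaddress.ip_network(r["src"]) and d in ipaddress.ip_network(r["dst"]):
            return netmap(src, r["to"])
    return src  # no rule applies: the address leaves unchanged

def check_capture(rules, capture_line, out_if):
    """Compare the source seen on the wire with what the rule set says it should be."""
    m = re.match(r"\S+ (\S+) > (\S+):", capture_line)
    seen, dst = m.group(1), m.group(2)
    exp = expected_source(rules, seen, dst, out_if)
    # A source already translated by NAT matches no NETMAP source network, so exp == seen;
    # an untranslated source yields a different exp, i.e. the rule was not applied.
    return {"seen": seen, "expected": exp, "matches_ruleset": exp == seen}

if __name__ == "__main__":
    print(check_capture(parse_nat_rules(NAT_LISTING), TCPDUMP_ETH1, "eth1"))
```

One point worth remembering when reading a mismatch like this: netfilter chooses a connection's NAT mapping on its first packet and keeps it in the conntrack entry, so a nat rule changed while a flow (a running ping included) is active only affects new connections, whereas a reboot starts with an empty conntrack table.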