Re: DNAT problem / question (nfcan: addressed to exclusive sender for this address)


 



On 2004.06.18 11:45, Arnauts Bert - Bert.Arnauts@fujitsu-siemens.com wrote:
Hello all,

I am still stuck with my DNAT. I updated the information
that was requested. Could you please check my config? If I execute this I can not ping the internal LAN IP of this host, 172.25.239.208, any more. I think this is really weird. I included all kinds of information, hopefully enough for you guys to take a look at.


Cheers,

Bert

$IPTABLES -t nat -A PREROUTING -d 172.25.239.220/27 -j DNAT --to-destination 11.0.0.16

$IPTABLES -t nat -A OUTPUT -d 172.25.239.220/27 -j DNAT --to-destination 11.0.0.16


The dest IP address/mask pattern looks odd. I am not sure how this address matching works, but the way I imagine it to work is that a mask is generated and applied to an address to test, and then this is compared to the address given. That is, I think the address given is not masked. If this is so, then there might be a failure to match destination addresses.

I think a /27 mask is meant to select a
contiguous group of 27 addresses, that is
5 bits. I think masking the 5 low bits of
a number like 220 or 208 gives 192 (xC0)
and a rule like .192/27 would match addresses
in the range 192-223 (xC0-xDF),
where .220/27 might match nothing.

Of course, the code might be written another
way, where this would not be a problem.

You could try logging what is happening
or looking at the counts to see if the
rules are matching. I think this will do it:

iptables -L -t nat -nvx

Jim
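The mask arithmetic discussed in the reply, worked through as an added example (this is editor-supplied code, not anything posted in the thread). It implements the test the netfilter ip_tables code performs on each packet, ((packet ^ rule) & mask) == 0, and the normalization iptables userspace applies to a -s/-d argument before the rule is stored. The addresses are the ones quoted above; the target 11.0.0.16 and the /27 come from Bert's rules. What it shows: a /27 keeps the top 27 bits fixed and leaves 5 host bits, so the rule covers 32 addresses, 172.25.239.192 through .223. Because the match XORs first and masks second, the host bits of the rule address are discarded either way, so .220/27 behaves exactly like .192/27, and 172.25.239.208 is inside the range. Packets to that address are therefore rewritten to 11.0.0.16 in both PREROUTING and OUTPUT, which is consistent with the ping failure Bert reports.

```python
from __future__ import annotations
import ipaddress

# Constructed example values, copied from the rules quoted in the thread.
RULE = "172.25.239.220/27"      # the -d argument as typed
LAN_HOST = "172.25.239.208"     # the host address that stopped answering pings
DNAT_TARGET = "11.0.0.16"       # --to-destination


def prefix_to_mask(prefix: int) -> int:
    """Netmask as a 32-bit integer: /27 -> 0xFFFFFFE0 (27 ones, 5 host bits)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def normalize_rule(rule: str) -> str:
    """The address as iptables stores and lists it: the given address ANDed
    with its mask (userspace masks -s/-d when it parses them)."""
    addr, prefix = rule.split("/")
    plen = int(prefix)
    base = int(ipaddress.IPv4Address(addr)) & prefix_to_mask(plen)
    return f"{ipaddress.IPv4Address(base)}/{plen}"


def kernel_match(rule: str, pkt_addr: str) -> bool:
    """ip_tables-style destination test: ((pkt ^ rule) & mask) == 0.
    XOR-then-AND throws away the host bits of both operands, so the result
    is the same whether or not the rule address was pre-masked."""
    addr, prefix = rule.split("/")
    mask = prefix_to_mask(int(prefix))
    r = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pkt_addr))
    return ((p ^ r) & mask) == 0


def matched_range(rule: str) -> tuple[str, str]:
    """First and last address (inclusive) the rule covers."""
    net = ipaddress.IPv4Network(rule, strict=False)
    return str(net[0]), str(net[-1])


def dnat_destination(rule: str, target: str, pkt_addr: str) -> str:
    """Destination a packet ends up with after the DNAT rule from the thread."""
    return target if kernel_match(rule, pkt_addr) else pkt_addr


if __name__ == "__main__":
    print("rule as iptables stores it:", normalize_rule(RULE))
    print("covers:", matched_range(RULE))
    for dst in (LAN_HOST, "172.25.239.191", "172.25.239.224"):
        print(dst, "->", dnat_destination(RULE, DNAT_TARGET, dst))
```

The quickest check on a live box is the one Jim gives, iptables -L -t nat -nvx: it lists the rule as 172.25.239.192/27 and shows whether its packet counter is climbing. If the intent was to redirect a single address rather than the whole block, the -d argument needs no mask (or /32).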

