Re: static 1:1 nat did not work

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



All those incantations are strange to us here, try just mapping yer public addresses to the external public interface;

ip addr add <pub-IP> dev <ext-if>

do that for each address you are 1:1 natting to privates in the inside, see if that works.

with all the pre/post routing rules in the FW script as well...

thanks,

Ron DuFresne

On Fri, 24 Jun 2005 Guenter.Sprakties@xxxxxxxx wrote:

Hello,

'cause I didn't get iptables nat to work, I switched back to an old 2.4
kernel and iproute2.

Three network segments, one intranet 172... , one dmz 192. .... one
extranet 212.a.b....

iproute2 setting is simple:

       # Fast NAT for DMZ-Intranet
       ip rule add from 192.168.2.20 nat 172.31.27.20 to 172.31.24.0/24 table dmz prio 100
       ip route add nat 172.31.27.20 via 192.168.2.20 table local
       # Fast NAT for DMZ-Internet (here: extranet :-))
       ip rule add from 192.168.2.20 nat 212.a.7b.c table dmz prio 200
       ip route add nat 212.a.b.c via 192.168.2.20 table local
       # Set up the default route
       ip route add default via 212.117.70.33
       ip route flush cache

ping from 172... to 172.31.27.20 is ok, in iptables we see

      ping  src 172. ... 10   -> 192.168.2.20
      pong src 192.168.2.20 -> 172. ... 10

Now we activated an apache on our test-dmz system and tried to GET the site
from intern.
Surprise, it didn't work. From the one side, we saw all tcp packets in
the iptables log, but in the webserver log nothing happens and we got the
message in our browser 'server not found'. With the not-natted ip of
192.168.2.20, everything is fine. For testing, we didn't start iptables at
all and used ip_forward alone; again, we did not get the server while
there was definitely no rule against routing. And, like I said at the
start, ICMP works fine.

Any idea? Or wrong group because it's an apache problem?

Greetings,

Dr. Günter Sprakties
---


- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCvCcpst+vzJSwZikRApJUAJ4p9Ay6mKJH6oLFsNS1iGEfmkbqZACeOb/N
Kivmh9nEKtCcpseLsulcllQ=
=4Zr1
-----END PGP SIGNATURE-----
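As an added illustration of Ron's suggestion (this is not code from either poster), the following script builds the commands for a static 1:1 NAT with netfilter: the public address is bound to the external interface, inbound traffic is DNATed to the private host, outbound traffic from that host is SNATed back to the public address, and the FORWARD chain is opened for the mapped host. The interface name (EXT_IF) and the address pairs in NAT_MAP are constructed placeholders, not values from the thread. It only prints the commands; pipe its output through sh as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Generates the iptables/iproute2 commands for static 1:1 NAT
# between public addresses on the external interface and private hosts.

# Constructed placeholder: name of the external (public) interface
EXT_IF="${EXT_IF:-eth0}"

# Constructed mapping of "public private" address pairs, one per line
NAT_MAP='203.0.113.10 192.168.2.20
203.0.113.11 192.168.2.21'

# Emit the commands for one public/private pair.
nat_rules() {
    pub="$1"; priv="$2"
    # Bind the public address to the external interface so the box
    # answers ARP for it (Ron's "ip addr add" step).
    printf 'ip addr add %s/32 dev %s\n' "$pub" "$EXT_IF"
    # Inbound: rewrite the destination to the private host.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$pub" "$priv"
    # Outbound: rewrite the source of the private host to its public address.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$EXT_IF" "$priv" "$pub"
    # The filter table must still allow new connections to the mapped host;
    # NAT alone does not permit forwarding.
    printf 'iptables -A FORWARD -d %s -m conntrack --ctstate NEW -j ACCEPT\n' "$priv"
}

# Emit the global prerequisites followed by the rules for every pair.
gen_all() {
    # Routing between segments must be enabled, and reply packets of
    # already-translated connections must be allowed back through.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    echo "$NAT_MAP" | while read -r pub priv; do
        [ -n "$pub" ] && nat_rules "$pub" "$priv"
    done
}

gen_all
```

Each mapping yields four commands; the two global lines are emitted once. Because the rules are stateful (conntrack), the return half of a translated TCP connection is matched by the ESTABLISHED,RELATED rule rather than needing a second explicit rule per host.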
