That could be; however, at the moment we are using the standard
Red Hat/CentOS iptables startup script. So I think those modules are there.
I can't work on those boxes again until next week, so I'll do more
fiddling then. :)
Dan
Sietse van Zanen wrote:
Seems like a connection tracking problem then.
Are you sure you have all the modules loaded: ip_conntrack.o etc.?
Try executing these commands (in your firewall script):
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_nat
modprobe ip_nat
modprobe ip_nat_ftp
modprobe iptable_nat
-Sietse
________________________________
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Dan Ferris
Sent: Tue 08-Aug-06 14:37
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: 1:1 NAT Help
Forwarding is on in /etc/sysctl.conf
As far as I know the routing is correct. 10.2.253.21 lives off of eth1,
and eth1 has a route for 10.2.0.0/255.255.0.0 (yes it sucks, I didn't
set up the subnets).
tcpdump shows traffic coming into both of the interfaces, which is why
this problem is so frustrating. Oh yes, SNAT works fine. We can set up
a ping from the box behind the firewall to ping the Internet gateway,
and the ping will go through fine. We can see the replies to
204.184.20.221. :(
Dan
Sietse van Zanen wrote:
Then, is forwarding allowed?
echo 1 > /proc/sys/net/ipv4/ip_forward
And there is a correct route to 10.2.253.21?
If both answer to yes, what do you see when you tcpdump on your internal interface on host 10.2.253.21 and try to connect to 204.184.20.221 from the Internet?
And what do you see when you tcpdump on your external interface for 204.184.20.221, is traffic reaching your firewall?
-Sietse
________________________________
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Dan Ferris
Sent: Tue 08-Aug-06 14:14
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: 1:1 NAT Help
Yes, because I cleared all the rules and set everything to accept before
testing.
Dan
Sietse van Zanen wrote:
Are you sure you also allow the connection in the FORWARD chain of the filter table?
iptables -A FORWARD -i eth2 -d 10.2.253.21 -j ACCEPT
-Sietse
________________________________
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Dan Ferris
Sent: Mon 07-Aug-06 20:56
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: 1:1 NAT Help
Dear List,
I have searched Google, and the list archives back to 2003, and have found
little information about this particular problem.
First I present to you two very simplified rules.
iptables -t nat -A PREROUTING -i eth2 -d 204.184.20.221 -j DNAT --to 10.2.253.21
and
iptables -t nat -A POSTROUTING -o eth2 -s 10.2.253.21 -j SNAT --to 204.184.20.221
Having never really dealt with 1:1 NAT before, I thought this would "just
work". However, it does not work. The SNAT rule works fine. The DNAT
rule does not work at all. I don't even see packets hitting it.
A few other pieces of information:
1. Proxy arp does not seem to be a problem. When I SSH to the external
IP, I can see the ethernet frames coming into the ethernet interface.
2. I have tried doing: ip addr add 204.184.20.221 dev eth2 and it still
won't work.
We have an old POS box running Debian with Shorewall and kernel 2.4 that
works perfectly with the 1:1 NAT rules. However, the friend I am
helping does not want to use Shorewall, as she wishes to learn iptables
the old-fashioned way. The only difference between the old Debian
firewall and the new one is that the new one is running CentOS and the
2.6 kernel.
The old firewall that works has proxy arp turned off and rp_filter
turned on. The new firewall has proxy arp turned off and rp_filter
turned on.
I'm really lost and I used to think I was decent at iptables. So if
anybody can help it would be appreciated.
Thank you!
Dan
--
What do you call a guy with no legs who is waterskiing?
Skip.
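The following is an added example, not code from the thread or from either poster. It is a complete 1:1 NAT script for the interfaces and addresses named in Dan's original post (eth2 external, eth1 internal, 204.184.20.221 mapped to 10.2.253.21), putting together the points raised in the replies: enabling ip_forward, loading the conntrack/NAT modules, placing the DNAT and SNAT rules in the nat table, and accepting the forwarded traffic in the FORWARD chain of the filter table. The module names, the APPLY variable, the sysctl invocation and the diagnose function are my own assumptions; the script prints the commands by default and only executes them when APPLY=1 is set, so it can be read and checked before it is run as root.

```shell
#!/bin/sh
# Added example (not from the original thread): full 1:1 NAT for the
# addresses and interfaces in the thread. Prints the commands by default;
# set APPLY=1 (as root) to execute them.

EXT_IF="${EXT_IF:-eth2}"                    # Internet-facing interface (thread)
INT_IF="${INT_IF:-eth1}"                    # interface 10.2.0.0/16 is behind (thread)
PUBLIC_IP="${PUBLIC_IP:-204.184.20.221}"    # public address being mapped
INTERNAL_IP="${INTERNAL_IP:-10.2.253.21}"   # internal host it maps to

# Print the command, or run it when APPLY=1 (assumed variable name).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Load connection tracking and NAT. Module names differ between kernel
# generations (ip_conntrack/ip_nat on 2.4 and early 2.6, nf_conntrack/nf_nat
# later), so try both sets and ignore the ones that do not exist.
load_modules() {
    for m in nf_conntrack nf_nat nf_conntrack_ftp nf_nat_ftp \
             ip_conntrack ip_nat ip_conntrack_ftp ip_nat_ftp iptable_nat; do
        run modprobe "$m" 2>/dev/null || true
    done
}

# Same effect as: echo 1 > /proc/sys/net/ipv4/ip_forward
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Both NAT rules belong in the nat table. Without -t nat the rules go to the
# filter table, which has no PREROUTING/POSTROUTING chains, so iptables
# rejects them or the DNAT never sees a packet.
nat_rules() {
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" \
        -j DNAT --to-destination "$INTERNAL_IP"
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$INTERNAL_IP" \
        -j SNAT --to-source "$PUBLIC_IP"
}

# After DNAT the packet is routed and then filtered in FORWARD. Replies are
# admitted by conntrack state, so only new connections need explicit rules.
forward_rules() {
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INTERNAL_IP" \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INTERNAL_IP" \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -j DROP
}

# Checks for when the mapping does not work: forwarding flag, route to the
# internal host, and per-rule packet counters. A DNAT rule stuck at 0 packets
# while tcpdump shows frames arriving points at the wrong table or chain.
diagnose() {
    run cat /proc/sys/net/ipv4/ip_forward
    run ip route get "$INTERNAL_IP"
    run iptables -t nat -vnL PREROUTING
    run iptables -vnL FORWARD
}

apply_one_to_one_nat() {
    load_modules
    enable_forwarding
    nat_rules
    forward_rules
}

apply_one_to_one_nat
```

Run it once without APPLY to read the plan, then as root with APPLY=1 to install the rules; afterwards `APPLY=1 sh nat.sh` can be replaced by calling diagnose alone to watch the nat-table counters while connecting to the public address from outside. The FORWARD rules are written before the trailing DROP so a default-deny policy does not silently eat the DNATed packets.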