Hello,
we got a small problem getting iproute nat capabilities to work:
We change from SuSE 8.2 2.4 kernel to debian. Our test equipment looks like this:
Given is a standard debian 2.6.8-2 kernel for 386; we also added the appropriate kernel headers.
There are two interfaces:
eth0 Protokoll:Ethernet Hardware Adresse 00:02:1E:F1:AA:32
inet Adresse:172.31.27.1 Bcast:172.31.31.255 Maske:255.255.248.0
inet6 Adresse: fe80::202:1eff:fef1:aa32/64 G�ltigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth1 Protokoll:Ethernet Hardware Adresse 00:01:02:04:C2:55
inet Adresse:192.168.2.1 Bcast:192.168.2.255 Maske:255.255.255.0
inet6 Adresse: fe80::201:2ff:fe04:c255/64 G�ltigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Protokoll:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6 Adresse: ::1/128 G�ltigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:16436 Metric:1
In our testing environment, ther are two test machines connecte to each interface with the ip of 172.31.27.10 (1) and 192.168.2.20 (2).
Like it should be, the nets are not routed because ip_forward is set to 0. We open the router together with some logging by iptable (no other rules defined):
echo "Aktiviere Forwarding ..."
# IP Forwarding einschalten
echo 1 > /proc/sys/net/ipv4/ip_forward
#log icmp
iptables -A INPUT -j LOG --log-level notice --log-prefix "INPUT LOG: "
iptables -A FORWARD -j LOG --log-level notice --log-prefix "FORWARD LOG: "
iptables -A OUTPUT -j LOG --log-level notice --log-prefix "OUTPUT LOG: "
# allow icmp
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
From now, test machine1 can ping machine 2 and vice versa:
#~ tail -F /var/log/messages
May 11 16:55:33 T4AC00 kernel: FORWARD LOG: IN=eth0 OUT=eth1 SRC="" DST=192.168.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6144
May 11 16:55:33 T4AC00 kernel: FORWARD LOG: IN=eth1 OUT=eth0 SRC="" DST=172.31.27.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=23 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=6144
So, everything look fine. Now we start fast nat. Think the 172 .. net as home-net and the 192.. net as dmz.
To get 192.168.2.20 natted by 172.31.27.20 we can use ip route / ip rule like this:
ip rule add from 192.168.2.20 nat 172.31.27.20 to 172.31.24.0/21 table main prio 100
ip route add nat 172.31.27.20 via 192.168.2.20
These commands work fine on an SuSE 8.2 firewall with 2.4 kernel. The ip route table local output for this route looks like this:
nat 172.31.27.20 via 192.168.2.20 scope host
and the corresponding rule looks like this:
100: from 192.168.2.20 to 172.31.24.0/21 lookup main map-to 172.31.27.20
So far, so good: it looks like it should. But in then end, no natting happend:
May 11 16:52:25 T4AC00 kernel: FORWARD LOG: IN=eth0 OUT=eth1 SRC="" DST=172.31.27.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=30 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=4864
May 11 16:52:26 T4AC00 kernel: FORWARD LOG: IN=eth0 OUT=eth1 SRC="" DST=172.31.27.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=31 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=5120
What's wrong? From some debian textfiles as well as the .config file, the kernel should be able to perform all iproute commands.
Has anyone an idea what's wrong?
Greetings,
Dr. G�nter Sprakties
- problem with fast nat Guenter . Sprakties
- Re: problem with fast nat Chris Francy
