Hello,
I think I figured out a way around my problem by using a null mapping as
follows:
map eth1 from 192.168.4.0/24 to 192.168.10.0/24 -> 0.0.0.0/0
map eth1 from 172.16.0.0/16 to 172.16.0.0/16 -> 0.0.0.0/0
The above rules simply map the "source" address to itself. So if the destination is one of the two networks, no real translation takes place; otherwise we hit one of the rules below.
map eth1 from 192.168.4.0/24 to any port=21 -> 2.2.2.2/32 proxy port 21 ftp/tcp
map eth1 from 192.168.4.0/24 to any -> 2.2.2.2/32 portmap tcp/udp 40000:60000
map eth1 from 192.168.4.0/24 to any -> 2.2.2.2/32
Steve
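To make the ordering argument concrete, here is a small rule evaluator written for this thread (added example, not code from the thread or from ipfilter itself). It assumes what Steve describes: map rules are tried top to bottom, the first match wins, and a 0.0.0.0/0 target is a null mapping that leaves the source unchanged. Port handling is reduced to an optional "port=N" destination match, and 2.2.2.2 is kept as his placeholder address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

NULL_MAP = ipaddress.ip_network("0.0.0.0/0")   # null mapping: keep the source as-is


@dataclass
class MapRule:
    """One ipnat 'map' rule reduced to the parts used in the thread: source net,
    destination net ('any' becomes 0.0.0.0/0), optional destination port, target."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    target: ipaddress.IPv4Network

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        if self.dport is not None and self.dport != dport:
            return False
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


def parse_rule(line: str) -> MapRule:
    """Parse 'map <if> from <src> to <dst|any> [port=N] -> <target> ...'.
    Trailing keywords (portmap, proxy, ...) do not influence address selection here."""
    tok = line.split()
    src = ipaddress.ip_network(tok[tok.index("from") + 1])
    dst_tok = tok[tok.index("to") + 1]
    dst = NULL_MAP if dst_tok == "any" else ipaddress.ip_network(dst_tok)
    after_dst = tok[tok.index("to") + 2]
    dport = int(after_dst.split("=")[1]) if after_dst.startswith("port=") else None
    target = ipaddress.ip_network(tok[tok.index("->") + 1])
    return MapRule(src, dst, dport, target)


def outgoing_source(rules: List[MapRule], src_ip: str, dst_ip: str, dport: int = 80) -> str:
    """First matching rule wins (assumed evaluation order); returns the source address
    the packet leaves with. A null-mapping match stops the search without translating."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return src_ip if rule.target == NULL_MAP else str(rule.target.network_address)
    return src_ip   # nothing matched: no NAT applied


# Rules in the order posted above (constructed from the thread's text).
RULES = [parse_rule(l) for l in [
    "map eth1 from 192.168.4.0/24 to 192.168.10.0/24 -> 0.0.0.0/0",
    "map eth1 from 172.16.0.0/16 to 172.16.0.0/16 -> 0.0.0.0/0",
    "map eth1 from 192.168.4.0/24 to any port=21 -> 2.2.2.2/32 proxy port 21 ftp/tcp",
    "map eth1 from 192.168.4.0/24 to any -> 2.2.2.2/32 portmap tcp/udp 40000:60000",
    "map eth1 from 192.168.4.0/24 to any -> 2.2.2.2/32",
]]
# Same rules with the null mappings moved last: the exclusion silently stops working.
WRONG_ORDER = RULES[2:] + RULES[:2]
```

The same ordering principle is what makes the iptables POSTROUTING ACCEPT-before-MASQUERADE variant quoted later in the thread work.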
Steve Clark wrote:
Hi Sergio,
Actually the packets are coming in on eth0 and are being natted before they go out the eth1 interface. Also, NAT happens before filtering.
What is happening is I have an ipsec tunnel that the private addresses are supposed to go out on, which is happening, but the source address is being natted to the external interface, which really screws up the other end.
BTW this is on Linux 2.6.18 (CentOS 5.2). I am porting software that is designed to run on FreeBSD, and it generates fw/nat rules for ipfilter; it would be a big job to convert the software to generate iptables rules.
I may have to use iptables to do the nat stuff since I can simply add something like the following:
$IPTABLES -t nat -A POSTROUTING -s $all -d 10.0.128.0/17 -o $EXTERNAL -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $all -d 172.16.0.0/16 -o $EXTERNAL -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $all -o $EXTERNAL -j MASQUERADE
Thanks for the response,
Steve
Sergio Rabellino wrote:
Maybe I'm wrong, but why don't you filter the destination addresses with ipfilter rules on the eth1 interface, so the packets don't reach the NAT engine?
Steve Clark wrote:
Steve Clark wrote:
Hello,
Currently I have the following nat rule:
map eth1 from 192.168.4.0/24 ! to 192.168.10.0/24 -> 10.0.129.150/32 portmap tcp/udp 40000:60000
which nats everything coming from the 192.168.4.0/24 network unless it is going to the 192.168.10.0/24 network.
Is there a way to specify an additional destination ip address range that is not to be natted, something like:
map eth1 from 192.168.4.0/24 ! to ( 192.168.10.0/24 or 176.16.0.0/16 ) -> 10.0.129.150/32 portmap tcp/udp 40000:60000
Thanks,
Steve
Hmmm....
I guess since no one responded this is not doable with ipfilter, or it is so obvious people think I am a troll.
Regards,
Steve
--
Ing. Sergio Rabellino
Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701 Fax +39-011751603
C.so Svizzera, 185 - 10149 - Torino
<http://www.di.unito.it>