On Tue, 31 Oct 2000 13:57:17 +0100, Jan Stifter <[EMAIL PROTECTED]> wrote:
>gorgon:~ # ip route add nat 1.2.3.4 via 192.168.0.10 table local
>RTNETLINK answers: Invalid argument
>gorgon:~ #
I solved the problem by enabling all kernel options that have
something to do with NETLINK or ROUTING TABLES.
Now it works one way round:
packets to a.b.c.d are routed to 192.168.0.10
            | ISP
            | eth0
    +--------------+
    |              |   servers a.b.c/24
    |   firewall   +-------------------
    |              |   eth1    a.b.c.d
    +---+----------+
        | eth2
        |
        |
        | internal 192.168.0.x
        |
        |
        | 192.168.0.10
Unfortunately, the return path still does not work.
I would like the answer to look like it came from
a.b.c.d, and not from the address of eth0 (due to masquerading).
My commands:
gorgon:~ # ip route add nat a.b.c.d via 192.168.0.10 table local
gorgon:~ # ip rule add from 192.168.0.10 nat a.b.c.d table local
If I send a packet from outside to a.b.c.d, I can see this packet with
tcpdump on eth2, and I can see the correct answer from the host
192.168.0.10.
On eth0, I can see the correct answer, but unfortunately the answer
has the src address of eth0, and not a.b.c.d, so it is being masqueraded
by the ipchains rules.
If I insert the forward rule
gorgon:~ # ipchains -I forward -p tcp -s 192.168.0.10 -j ACCEPT
then I get no NAT at all, as can be seen in the log file:
Oct 31 16:58:55 gorgon kernel: Packet log: output REJECT eth0 PROTO=6 192.168.0.10:80 any.ip.out.side:1218 L=44 S=0x00 I=9711 F=0x4000 T=127 (#10)
So how can I set up the correct return path for this host?
The perfect solution would be that only external answers are
translated; packets to the DMZ should not be translated at all.
Any hints are _greatly_ appreciated.
jan
---
"It took the computing power of three C-64s to fly to the Moon.
It takes a Pentium to run Windows 95. Something is wrong here."
-- Anonymous
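An added example, not part of Jan's post or of the masq list: a small Python parser for the ipchains "Packet log:" format quoted above, plus a check that flags packets logged on the outside interface while still carrying an RFC 1918 source, which is exactly the symptom in the log line (the reply left with 192.168.0.10 instead of a.b.c.d). The sample lines are constructed; 203.0.113.7 and 198.51.100.5 are documentation addresses standing in for a.b.c.d and the outside host.

```python
import re
from ipaddress import ip_address, ip_network
# ipchains "Packet log:" format (kernel 2.2) as quoted in the post:
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

# RFC 1918 ranges: a packet carrying one of these as source on the outside interface
# is one that the source NAT should have rewritten.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

# Constructed sample: the post's own log line re-joined, then what a correctly
# translated reply would look like (203.0.113.7 stands in for a.b.c.d; assumption).
SAMPLE_LOG = [
    "Oct 31 16:58:55 gorgon kernel: Packet log: output REJECT eth0 PROTO=6 "
    "192.168.0.10:80 any.ip.out.side:1218 L=44 S=0x00 I=9711 F=0x4000 T=127 (#10)",
    "Oct 31 16:59:02 gorgon kernel: Packet log: output ACCEPT eth0 PROTO=6 "
    "203.0.113.7:80 198.51.100.5:1218 L=44 S=0x00 I=9712 F=0x4000 T=127 (#12)",
]

def parse_ipchains_log(line):
    """Return the fields of an ipchains 'Packet log:' line as a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        entry[key] = int(entry[key])
    entry["rule"] = int(entry["rule"]) if entry["rule"] else None
    return entry

def leaked_private_source(entry, external_iface="eth0"):
    """True if a packet on the external interface still has an RFC 1918 source."""
    if entry is None or entry["iface"] != external_iface:
        return False
    try:
        src = ip_address(entry["src"])
    except ValueError:  # masked or symbolic address (e.g. any.ip.out.side)
        return False
    return any(src in net for net in PRIVATE_NETS)

def find_untranslated_replies(lines, external_iface="eth0"):
    """Scan syslog lines and return the parsed entries whose source was not translated."""
    parsed = (parse_ipchains_log(line) for line in lines)
    return [e for e in parsed if leaked_private_source(e, external_iface)]
```

Run over the firewall's syslog, the first sample line is flagged (rule #10 rejected a reply whose source was never rewritten) while the second, properly translated one passes.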