Hmm, that's kind of interesting.

1) Do you have ip_forward turned on in the kernel on B?

2) On A, if you use eth0 as the gateway and send a packet to 192.168.1.3, and then in B you DNAT 192.168.1.3 to 10.1.1.1, it should get sent out eth3 to eth1, where it is handled by whatever you have listening on 10.1.1.1. That should send an ACK back through eth1. This may be all wrong, but I think the elements are there.

BobG

Neale Pickett <[EMAIL PROTECTED]> wrote on 07 Mar 2002 15:51:09 -0800

>Hi folks.
>
>I am trying to set up a regression test against a firewall box, using
>only one machine. I have a setup like this:
>
>+--------+                +--------+
>|A       |                |       B|
>|    eth0+----------------+eth2    |
>|        |                |        |
>|    eth1+----------------+eth3    |
>|        |                |        |
>+--------+                +--------+
>
>Where A's configured like this:
>
>  Linux 2.4.12
>  eth0  192.168.1.1/24
>  eth1  10.1.1.1/24
>
>And B is configured like this:
>
>  Firewall box by $FIRM
>  eth2  192.168.1.2/24
>  eth3  10.1.1.2/24
>
>B is also acting as a router from 10.1.1.0/24 to 192.168.1.0/24 and back.
>
>Now for the question: how can I tell A that for all packets from
>192.168.1.1 to 10.1.1.1, it needs to use 192.168.1.2 as a gateway? The
>best idea I've had so far is this:
>
>  ip route add 192.168.1.1 via 192.168.1.2 dev eth0 src 10.1.1.1
>
>I'm sure my TCP client is binding to 192.168.1.1, but when I try to
>connect I get nothing on the wire (the connection does go through,
>though). I'm guessing the kernel is taking a shortcut and bypassing
>ethernet when it sees that the destination IP is its own. How can I
>force the kernel to route this traffic out over its ethernet interfaces?
>
>I've also set up B to do port forwarding (say, 192.168.1.2:25 ->
>10.1.1.1:25), and tried opening a TCP connection from 192.168.1.1 to
>192.168.1.2:25. I can see SYN packets going out to B on eth0, and
>coming back on eth1, but nothing ever goes back out eth1 and the
>connection is never opened; eventually A times out opening. This fits
>in with my theory, since B rewrites TCP sequence numbers.
>
>Obviously, having B port forward both directions would solve the
>problem, but then I'm limiting what cases my regression test can cover.
>
>I can't find anything relevant in the list archives or in general on
>Google, but I don't really know what keywords to search on. Is there a
>specific term or phrase for this sort of thing?
>
>Thanks
>
>--
>Neale Pickett
>Senior Software Engineer, WatchGuard Technologies
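An added example, not part of the thread above. The shortcut Neale describes (the kernel delivers locally whenever the destination is one of its own addresses, whatever the routing table says) goes away if A's two interfaces live in two different network stacks. On kernels far newer than the 2.4.12 in the post, that is what network namespaces provide; the script below moves eth1 into a namespace of its own, so that from the root namespace 10.1.1.1 is just another remote host reached via 192.168.1.2, and from inside the namespace 192.168.1.1 is reached via 10.1.1.2. The namespace name, the `DRY_RUN` knob, the `probe` helper and the OpenBSD-style `nc` invocation are assumptions of this example; the interface names and addresses are the ones from the post. Run as root with `up`, `check`, `probe`, `down`.

```shell
#!/bin/sh
# Added example (not from the thread): split A's two interfaces across two
# network namespaces so 192.168.1.1 -> 10.1.1.1 must actually cross B.
# Assumes Linux with iproute2 netns support (absent on kernel 2.4), root,
# and the interface names/addresses from the post. DRY_RUN=1 prints the
# commands instead of executing them.

NS=${NS:-fwtest}            # assumed namespace name for A's "inside" half
OUT_IF=${OUT_IF:-eth0}      # A's outside interface, stays in the root namespace
IN_IF=${IN_IF:-eth1}        # A's inside interface, moved into $NS
OUT_ADDR=192.168.1.1/24     # addresses from the post
IN_ADDR=10.1.1.1/24
B_OUT=192.168.1.2           # B's eth2, next hop for the outside half
B_IN=10.1.1.2               # B's eth3, next hop for the inside half

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_split() {
    # Once eth1 lives in $NS, 10.1.1.1 is no longer a local address of the
    # root namespace, so a connect() to it from 192.168.1.1 is routed, not
    # looped back internally.
    run ip netns add "$NS"
    run ip link set "$IN_IF" netns "$NS"
    run ip netns exec "$NS" ip addr add "$IN_ADDR" dev "$IN_IF"
    run ip netns exec "$NS" ip link set "$IN_IF" up
    run ip netns exec "$NS" ip link set lo up
    # Inside half: the outside subnet is only reachable through B's eth3.
    run ip netns exec "$NS" ip route add 192.168.1.0/24 via "$B_IN" dev "$IN_IF"
    # Outside half: the inside subnet is only reachable through B's eth2.
    run ip addr replace "$OUT_ADDR" dev "$OUT_IF"
    run ip link set "$OUT_IF" up
    run ip route replace 10.1.1.0/24 via "$B_OUT" dev "$OUT_IF"
}

teardown() {
    run ip route del 10.1.1.0/24 via "$B_OUT" dev "$OUT_IF"
    run ip netns exec "$NS" ip link set "$IN_IF" netns 1   # back to PID 1's namespace
    run ip netns del "$NS"
}

# Check before sending traffic: the kernel's own lookup should now name B as
# the next hop rather than reporting the destination as "local".
route_check() {
    run ip route get 10.1.1.1
}

# Next hop each half should use for a destination, from the post's topology.
expected_gateway() {
    case "$1" in
        10.1.1.*)    echo "$B_OUT" ;;
        192.168.1.*) echo "$B_IN" ;;
        *)           return 1 ;;
    esac
}

# Regression probe: listener on the inside half, client on the outside half.
# Both the SYN and the SYN/ACK now have to traverse B. Assumes OpenBSD-style
# nc (nc -l host port); adjust for other netcat variants.
probe() {
    port=${1:-25}
    run ip netns exec "$NS" sh -c "nc -l 10.1.1.1 $port >/dev/null &"
    run sh -c "printf 'hello\n' | nc -w 3 10.1.1.1 $port"
}

case "${1:-}" in
    up)    setup_split ;;
    down)  teardown ;;
    check) route_check ;;
    probe) probe "${2:-25}" ;;
esac
```

With `DRY_RUN=1 ./split.sh up` you can review the exact `ip` commands before touching a live box; `./split.sh check` should print a route via 192.168.1.2 dev eth0 instead of `local 10.1.1.1`, which is the quickest way to confirm the shortcut is gone before reaching for tcpdump.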