On Fri, 19 Apr 2002, Antony Stone wrote:

> On Friday 19 April 2002 3:10 am, Donald Thompson wrote:
>
> > I have a linux 2.4.18 firewall using iptables 1.2.5. It only has a single
> > ethernet card, but I use IP alias so that it can talk to an internal
> > (non-routeable) network.
> >
> > iptables -t nat -A PREROUTING -d 4.3.2.2 -j DNAT --to-destination
> > 192.168.0.2
> >
> > That part works great, sort of. However, the machine 192.168.0.2 thinks
> > any DNAT traffic is coming from 192.168.0.1, rather than the appropriate
> > IP address out on the internet.
>
> Have you got any SNAT or MASQUERADING rules as well as the DNAT one you told
> us above ?

Masquerading yes.

> I think you must have, otherwise your internal machines couldn't connect out
> to the Internet, and I suspect you've made it too general (quite easy when
> you only have a single ethernet card in your Firewall - odd choice of how to
> do it...) so that the Firewall is SNATting packets both ways.
>
> Try changing your SNAT or MASQUERADE rule to match only packets with
> (original) source address 192.168.0.x and see if that sorts it out.

Oooh!
That may be the problem because it's matching everything on the eth0
interface, and since I'm using IP aliases the rule is actually probably
effective on all those virtual interfaces....

>
> If not, post your full ruleset for us to look at.

Haven't tried yet, need to wait for a convenient time before fiddling with
the network. But here's the actual ruleset.

iptables -t nat -A PREROUTING -d 10.194.1.11 -j DNAT --to-destination 192.168.0.10
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Nothing else at this point. I've tried specifying specific destination
ports on the PREROUTING rule, but the result is the same as applying it to
all the ports like I've shown here.

One other thing that I originally neglected to mention, but is probably
important, is that in order to catch packets for 10.194.1.11 I need to have
an external interface with that IP, because it's not functioning as a true
router. So actually I've got 3 IPs on that single interface. 1) The
firewall's own IP (10.194.1.10 eth0), 2) the address for the machine I do
DNAT to (10.194.1.11 eth0:1), 3) the internal IP (192.168.0.1 eth0:0).

Nothing else.

You'll notice the 10.194.1.11, that's the actual IP I'm doing the DNAT for,
and yes I know it's a non-routeable IP. The next service provider up the line
does DNAT to us. So it's something like:

                   Provider FW       My FW
                       |               |
              Some     |               |
Internet <->routeable <-> 10.194.1.11 <-> 192.168.0.10
               IP


Is this setup and getting it working a pipe dream?:)

Our provider has a Sonic firewall appliance that's doing DNAT to us. I
don't *think* the fact that they're doing DNAT to us has anything to do with
my problem though.
But it is getting to be a bit boggling when you're trying to track down
where packets are coming and going and how they might be altered. The
10.194.x.x network is considered 'hostile', and thus I want to keep any of the
company's traffic that I'm doing the work for separated from the 10.194.x.x network.
Anything that leaves the 192.168.0.x network should either be software encrypted or
irrelevant traffic.

Since I run our outside connection into a switch (as opposed to a hub or
bridge), I'm hoping and assuming I'm not leaking internal packets out onto the
10.194.x.x network.

One other thing that I suppose could be coming into play is that this
kernel has the FreeSWAN/IPSec patches applied, though the modules are not
loaded. ifconfig -a shows no ipsec interfaces as long as the modules aren't loaded.

The machine that I do DNAT to is a solaris 2.6 box. I got to thinking
that I should check the packets with sniffit or tcpdump on both the
firewall and the solaris box to see if the source address is matching what
the userspace programs are saying it is.

> By the way, why *are* you using only a single ethernet card ?

It's one of those places where it's a big hassle to buy a few screws, but
it's easier for them to pay me for 4 hours of work trying to make
something happen, where it would only take me 15 minutes if I just had the
right piece of equipment. It'd be easier for me to just fish one out of my
spare parts box at home than go through the proper channels. I don't have
a lot of control over what I've got to work with...I just gotta make it work.

-Don
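The NAT behaviour discussed in this thread, as an added simulation that is not part of the original mail or of iptables: it models the nat PREROUTING/POSTROUTING path for the single-NIC setup above and compares the posted `-o eth0 -j MASQUERADE` rule with Antony's suggested version restricted to source 192.168.0.0/24. It assumes a simplified MASQUERADE source selection (the alias on the same subnet as the destination) and uses constructed remote addresses (203.0.113.7, 198.51.100.9).

```python
import ipaddress

# Addresses from the thread; all three live on the firewall's single eth0.
FW_EXTERNAL = "10.194.1.10"    # eth0
DNAT_PUBLIC = "10.194.1.11"    # eth0:1, the address the provider DNATs to
FW_INTERNAL = "192.168.0.1"    # eth0:0
INTERNAL_HOST = "192.168.0.10"
LAN = ipaddress.ip_network("192.168.0.0/24")

def prerouting(pkt):
    """nat PREROUTING: '-d 10.194.1.11 -j DNAT --to-destination 192.168.0.10'."""
    if pkt["dst"] == DNAT_PUBLIC:
        return dict(pkt, dst=INTERNAL_HOST)
    return pkt

def route(pkt):
    """Routing decision. With one NIC every packet leaves via eth0; the preferred
    source is assumed (simplification) to be the alias sharing the destination's subnet."""
    dst = ipaddress.ip_address(pkt["dst"])
    return "eth0", (FW_INTERNAL if dst in LAN else FW_EXTERNAL)

def postrouting(pkt, out_if, pref_src, masq_src_match=None):
    """nat POSTROUTING MASQUERADE on eth0. masq_src_match=None models the posted
    rule with no source match; a network models adding '-s 192.168.0.0/24'."""
    if out_if != "eth0":
        return pkt
    if masq_src_match is not None and ipaddress.ip_address(pkt["src"]) not in masq_src_match:
        return pkt  # rule does not match: source address left untouched
    return dict(pkt, src=pref_src)  # masqueraded behind the outgoing alias

def nat_path(pkt, masq_src_match=None):
    """Run one packet through PREROUTING -> routing -> POSTROUTING."""
    pkt = prerouting(pkt)
    out_if, pref_src = route(pkt)
    return postrouting(pkt, out_if, pref_src, masq_src_match)

# Constructed samples: an inbound connection already DNATed by the provider to
# 10.194.1.11, and an internal host connecting out to the Internet.
INBOUND = {"src": "203.0.113.7", "dst": DNAT_PUBLIC}
OUTBOUND = {"src": INTERNAL_HOST, "dst": "198.51.100.9"}

def compare():
    """Show what 192.168.0.10 sees as the source under both MASQUERADE rules."""
    return {
        "inbound_broad": nat_path(INBOUND),          # src becomes 192.168.0.1 (the symptom)
        "inbound_restricted": nat_path(INBOUND, LAN),  # src stays 203.0.113.7
        "outbound_broad": nat_path(OUTBOUND),
        "outbound_restricted": nat_path(OUTBOUND, LAN),  # outbound still masqueraded
    }
```

The broad rule rewrites the source of the DNATed inbound packet because, with one interface, it also leaves via eth0; the `-s 192.168.0.0/24` match leaves inbound traffic alone while still masquerading the LAN's outbound connections.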

