Re: Linux NAT and stuff.
On Thu, 30 Dec 1999, Ronald Tin wrote:

csthf9 > to change settings there, so I just moved the masquerading job
csthf9 > to FW2, and it's working now)

ok cool..

csthf9 >
csthf9 >2) I cannot connect from any parts of the internal network to the Notes
csthf9 > server with the real IP. (I can connect from internal network using
csthf9 > the private IP, so I guess it is not the same problem as you stated?)
csthf9 > Everybody is satisfied with the current configuration, but it is
csthf9 > really ugly to get an "invalid argument" like that. So... are
csthf9 > there any possible solutions for this?
csthf9 >

Ok, first of all do those machines have (1) a route to that machine/network?
since it is on another network address apparently (real as opposed to
internal) (2) a gateway to a machine that has a route to that network?

can the NAT'd machine ping/connect to the notes server? what happens with
traceroute ?

i spent a week or so setting up a VPN and i can feel the headaches you get
with routing! ack i hate it. (but the vpn works flawlessly :) )

nate

csthf9 >On Tue, Dec 28, 1999 at 08:27:51PM -0800, aphro wrote:
csthf9 >> are you trying to access the NAT'd machine from in front of the debian box
csthf9 >> doing the NAT ? from the looks of it you are doing NAT on only part of
csthf9 >> the network.. the desktop PCs section (?) You will not be able to access
csthf9 >> the NAT'd machines from in front of the debian box doing the NAT even if
csthf9 >> it's on the same network. If you need this functionality you need something
csthf9 >> that can do reverse NAT.
csthf9 >>
csthf9 >> i hope i understood your problem :)
csthf9 >>
csthf9 >> nate
csthf9 >
csthf9 >
csthf9 >--
csthf9 >Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null

--[mailto:[EMAIL PROTECTED] ]--
Vice President Network Operations       http://www.firetrail.com/
Firetrail Internet Services Limited     http://www.aphroland.org/
Everett, WA 425-348-7336                http://www.linuxpowered.net/
Powered By:                             http://comedy.aphroland.org/
Debian 2.1 Linux 2.0.36 SMP             http://yahoo.aphroland.org/
--[mailto:[EMAIL PROTECTED] ]--
 3:03pm up 132 days, 2:57, 3 users, load average: 1.70, 1.64, 1.53
Re: Linux NAT and stuff.
There were actually 2 problems.

1) I cannot connect from the desktop machines to the NATd machine using
   either the private IP or the real IP. This I have solved. I guess the
   problem came from the wrong routing table in the Notes server..
   (however I am not allowed to change settings there, so I just moved the
   masquerading job to FW2, and it's working now)

2) I cannot connect from any parts of the internal network to the Notes
   server with the real IP. (I can connect from internal network using
   the private IP, so I guess it is not the same problem as you stated?)
   Everybody is satisfied with the current configuration, but it is
   really ugly to get an "invalid argument" like that. So... are
   there any possible solutions for this?

On Tue, Dec 28, 1999 at 08:27:51PM -0800, aphro wrote:
> are you trying to access the NAT'd machine from in front of the debian box
> doing the NAT ? from the looks of it you are doing NAT on only part of
> the network.. the desktop PCs section (?) You will not be able to access
> the NAT'd machines from in front of the debian box doing the NAT even if
> it's on the same network. If you need this functionality you need something
> that can do reverse NAT.
>
> i hope i understood your problem :)
>
> nate
Re: Linux NAT and stuff.
are you trying to access the NAT'd machine from in front of the debian box
doing the NAT ? from the looks of it you are doing NAT on only part of
the network.. the desktop PCs section (?) You will not be able to access
the NAT'd machines from in front of the debian box doing the NAT even if
it's on the same network. If you need this functionality you need something
that can do reverse NAT.

i hope i understood your problem :)

nate

On Tue, 28 Dec 1999, Ronald Tin wrote:

csthf9 >Hi all,
csthf9 >
csthf9 > I am starting to use Debian (potato) as a firewall with NAT functions.
csthf9 >I have fast NAT compiled into the kernel, installed iproute2, read
csthf9 >through the documentation "ip-cref" and did what was suggested in
csthf9 >Appendix C. Everything looks fine. Except ... I cannot connect
csthf9 >to the NATed machine from the internal network.
csthf9 >
csthf9 >My (approx) network topology:
csthf9 >
csthf9 > INTERNET --- FW1 [172.16.29.254] ---+--- [172.16.28.2] NT Lotus Notes
csthf9 >                                     |
csthf9 >                                     |
csthf9 >                               [172.16.29.1]
csthf9 >                                   FW2
csthf9 >                               [172.16.28.1]
csthf9 >                                     |
csthf9 >                                     |
csthf9 >                               [172.16.28.x]
csthf9 >                                desktop PCs
csthf9 >
csthf9 >(don't ask me why 2 firewalls are needed, I don't know :( )
csthf9 >
csthf9 >I have IP Masquerading and the NAT running in FW1
csthf9 >(172.16.28.x uses MASQ, 172.16.29.2 uses NAT and ipchains is
csthf9 > set to just forward packets)
csthf9 >
csthf9 >I can connect to the Notes server from the Internet.
csthf9 >desktop PCs can connect to the Internet and the 2 FWs.
csthf9 >The 2 FWs, of course, can go anywhere.
csthf9 >I can connect from FW1/2 to the Notes server through 172.16.29.2.
csthf9 >However (here's the problem), I cannot connect from "desktop PCs"
csthf9 >to the Notes server.
csthf9 >Also, if I try to connect to the Notes server from FW1 using the
csthf9 >NATed address I get an "invalid argument" error.
csthf9 >
csthf9 >What was the cause of these 2 errors?
csthf9 >
csthf9 >The ip commands are something like this:
csthf9 >  /sbin/ip route add nat $EXTIP via 172.16.29.2
csthf9 >  /sbin/ip rule add prio 1000 from 172.16.29.2 to 172.16.0.0/16 table main
csthf9 >  /sbin/ip rule add prio 1001 from 172.16.29.2 nat $EXTIP
csthf9 >
csthf9 >The documentation mentioned a table called "inr.ruhep".
csthf9 >Was the name arbitrary? Appendix C mentioned
csthf9 >this table should contain "route to the destination", but
csthf9 >I don't know what that is supposed to be..
csthf9 >
csthf9 >
csthf9 >Shall I use FW2 to do masquerading, and FW1 to provide NAT for
csthf9 >FW2 and Notes? Will it help the situation?
csthf9 >I just noticed that it should be easier to manage this way.
csthf9 >
csthf9 >
csthf9 >(I really think I should have posted it somewhere else.
csthf9 > should I? And if yes, where should I post?)
csthf9 >
csthf9 >Hope it doesn't look too difficult to understand. My English isn't
csthf9 >that good. :(
Linux NAT and stuff.
Hi all,

 I am starting to use Debian (potato) as a firewall with NAT functions.
I have fast NAT compiled into the kernel, installed iproute2, read
through the documentation "ip-cref" and did what was suggested in
Appendix C. Everything looks fine. Except ... I cannot connect
to the NATed machine from the internal network.

My (approx) network topology:

 INTERNET --- FW1 [172.16.29.254] ---+--- [172.16.28.2] NT Lotus Notes
                                     |
                                     |
                               [172.16.29.1]
                                   FW2
                               [172.16.28.1]
                                     |
                                     |
                               [172.16.28.x]
                                desktop PCs

(don't ask me why 2 firewalls are needed, I don't know :( )

I have IP Masquerading and the NAT running in FW1
(172.16.28.x uses MASQ, 172.16.29.2 uses NAT and ipchains is
 set to just forward packets)

I can connect to the Notes server from the Internet.
desktop PCs can connect to the Internet and the 2 FWs.
The 2 FWs, of course, can go anywhere.
I can connect from FW1/2 to the Notes server through 172.16.29.2.
However (here's the problem), I cannot connect from "desktop PCs"
to the Notes server.
Also, if I try to connect to the Notes server from FW1 using the
NATed address I get an "invalid argument" error.

What was the cause of these 2 errors?

The ip commands are something like this:
  /sbin/ip route add nat $EXTIP via 172.16.29.2
  /sbin/ip rule add prio 1000 from 172.16.29.2 to 172.16.0.0/16 table main
  /sbin/ip rule add prio 1001 from 172.16.29.2 nat $EXTIP

The documentation mentioned a table called "inr.ruhep".
Was the name arbitrary? Appendix C mentioned
this table should contain "route to the destination", but
I don't know what that is supposed to be..


Shall I use FW2 to do masquerading, and FW1 to provide NAT for
FW2 and Notes? Will it help the situation?
I just noticed that it should be easier to manage this way.


(I really think I should have posted it somewhere else.
 should I? And if yes, where should I post?)

Hope it doesn't look too difficult to understand. My English isn't
that good. :(
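The following is an added example, not code from this thread or from iproute2. It models only the three `ip route`/`ip rule` commands Ronald posted for FW1 (the stateless NAT of the 2.2-era kernel: a `nat` route rewrites the destination, a `from X nat ADDR` rule rewrites the source, and rule lookup stops at the first rule whose selector matches, `table main` included) and traces a request plus its reply for two clients: one on the Internet and one on the internal 172.16.28.x segment that nate's reply says cannot reach the NAT'd host. `$EXTIP` and both client addresses are constructed placeholders from documentation ranges; the Notes server's private address 172.16.29.2 and the 172.16.0.0/16 prefix are the ones in the mail. Nothing else in the topology (FW2, masquerading, the server's own routing table) is modelled.

```python
"""Trace the iproute2 stateless-NAT rules from the thread for two clients.

Added example; addresses marked "constructed" are not from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

EXTIP = ipaddress.ip_address("203.0.113.10")      # stands in for $EXTIP (constructed)
NOTES = ipaddress.ip_address("172.16.29.2")       # private address of the Notes server
INTERNAL = ipaddress.ip_network("172.16.0.0/16")  # "to" prefix of the prio-1000 rule
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    prio: int
    src: Optional[ipaddress.IPv4Address]     # "from" selector (None = any)
    dst: ipaddress.IPv4Network               # "to" selector (ANY when absent)
    nat_to: Optional[ipaddress.IPv4Address]  # "nat ADDR" action; None = "table main"


# ip rule add prio 1000 from 172.16.29.2 to 172.16.0.0/16 table main
# ip rule add prio 1001 from 172.16.29.2 nat $EXTIP
RULES = sorted(
    [Rule(1000, NOTES, INTERNAL, None), Rule(1001, NOTES, ANY, EXTIP)],
    key=lambda r: r.prio,
)

# ip route add nat $EXTIP via 172.16.29.2 : destination EXTIP -> 172.16.29.2
DNAT_ROUTES = {EXTIP: NOTES}


def fw1_forward(src, dst):
    """Return (src, dst) as a packet leaves FW1 after both translation steps."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Destination rewrite from the "nat" route (packets sent to the real IP).
    dst = DNAT_ROUTES.get(dst, dst)
    # Source rewrite from the policy rules, lowest priority first; the first
    # rule whose "from"/"to" selectors match ends the lookup, so a plain
    # "table main" rule that matches means no translation at all.
    for rule in RULES:
        if rule.src is not None and src != rule.src:
            continue
        if dst not in rule.dst:
            continue
        if rule.nat_to is not None:
            src = rule.nat_to
        break
    return src, dst


def reply_source_seen_by(client, dialled=EXTIP):
    """Send client -> dialled through FW1, let the server answer, and return
    the source address the client sees on the reply."""
    client = ipaddress.ip_address(client)
    _, server = fw1_forward(client, dialled)   # request after the nat route
    reply_src, _ = fw1_forward(server, client)  # reply after the nat rule
    return reply_src


def connection_consistent(client, dialled=EXTIP):
    """True when the reply arrives from the address the client dialled.  If
    it does not, the client's TCP stack has no socket for that 4-tuple and
    the connection attempt simply fails."""
    return reply_source_seen_by(client, dialled) == ipaddress.ip_address(dialled)


if __name__ == "__main__":
    for who, addr in (("Internet client", "198.51.100.5"),    # constructed
                      ("internal desktop", "172.16.28.10")):  # constructed
        seen = reply_source_seen_by(addr)
        ok = "ok" if connection_consistent(addr) else "MISMATCH"
        print(f"{who:17} {addr:14} dials {EXTIP}, reply comes from {seen}: {ok}")
```

Run as a script it prints one line per client. The Internet client gets its reply from 203.0.113.10, the address it dialled, because the reply misses rule 1000 (destination not in 172.16.0.0/16) and hits rule 1001. The internal desktop's reply matches rule 1000 first, leaves FW1 with source 172.16.29.2 untranslated, and is discarded by the client as unrelated to the connection it opened. Checking for exactly this kind of asymmetry (request translated, reply not) is the first thing to verify when a NAT'd service is reachable from outside but not from inside.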