Re: How does arp work with NAT?

Matthew G. Marsh (mgm@paktronix.com)
Wed, 25 Aug 1999 10:29:13 -0500 (CDT)


On Wed, 25 Aug 1999, Peter 'Luna' Runestig wrote:

> Hi all,
>
> I have a linux "firewall" with two ip addresses (the actual addresses not shown):
>
> eth0 133.20.12.67
> eth0:0 133.20.12.68

Try using the ip utility to add the address instead of ip aliasing. Do not
use :xx addressing anymore.

> A host on the inside, 192.168.71.33, is NAT'ed to the outside:
>
> [root@fd_router /]# ip rule
> 0: from all lookup local
> 32020: from 192.168.71.33 lookup 3
> 32025: from 192.168.71.33 lookup main map-to 133.20.12.68
> 32766: from all lookup main
> 32767: from all lookup 253
>
> [root@fd_router /]# ipchains -L
> <snip>
> Chain forward (policy DENY):
> target prot opt source destination ports
> ACCEPT all ------ anywhere 192.168.71.33 n/a
> ACCEPT all ------ 133.20.12.68 anywhere n/a
> MASQ all ------ 192.168.71.0/24 anywhere n/a
> <snip>
>
> Now, how are arp requests handled? A tcpdump of a request to a DNS server, .85, and the following
> arp requests for the target host, .20:
>
> 0:60:97:15:41:48 0:50:4:31:cd:87 0800 79: 133.20.12.68.2605 > 133.20.12.85.53: 1+ (37)
> 0:50:4:31:cd:87 0:60:97:15:41:48 0800 182: 133.20.12.85.53 > 133.20.12.68.2605: 1 1/2/2 (140)
> 0:60:97:15:41:48 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 133.20.12.20 tell 133.20.12.67

Correct. The actual primary address on the box is .67 so it should be
asking.
^^
> 0:8:c7:33:ae:43 0:60:97:15:41:48 0806 60: arp reply 133.20.12.20 is-at 0:8:c7:33:ae:43
>
> It seems that the arp "source address" isn't NAT'ed. Is it supposed to be, or aren't things
> designed that way?

Aliased addresses usually will not participate in arp unless they are on
completely different address spaces. If you code them as independent (/32)
ip addresses added to the same card then they will be treated
independently and you should see the arp going out on the correct address.

> TIA,
> Peter

--------------------------------------------------
Matthew G. Marsh, President
Paktronix Systems LLC
1506 North 59th Street
Omaha NE 68104
Phone: (402) 932-7250
Email: mgm@paktronix.com
WWW: http://www.paktronix.com
--------------------------------------------------
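
A way to check from a capture whether a host's ARP requests announce the same address its IP traffic is sourced from, as an added example that is not part of the original messages. The sample lines are the tcpdump output quoted above; the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Capture lines copied from the tcpdump output quoted in the message above.
CAPTURE = """\
0:60:97:15:41:48 0:50:4:31:cd:87 0800 79: 133.20.12.68.2605 > 133.20.12.85.53: 1+ (37)
0:50:4:31:cd:87 0:60:97:15:41:48 0800 182: 133.20.12.85.53 > 133.20.12.68.2605: 1 1/2/2 (140)
0:60:97:15:41:48 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 133.20.12.20 tell 133.20.12.67
0:8:c7:33:ae:43 0:60:97:15:41:48 0806 60: arp reply 133.20.12.20 is-at 0:8:c7:33:ae:43
"""

MAC = r"[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# src-mac dst-mac ethertype length: payload
FRAME = re.compile(rf"^({MAC}) ({MAC}) ([0-9a-f]{{4}}) \d+: (.*)$")
IP_SRC = re.compile(rf"^({IP})(?:\.\d+)? > ")          # source address, optional port
ARP_REQ = re.compile(rf"^arp who-has {IP} tell ({IP})$")


def addresses_by_mac(capture):
    """Map each sender MAC to the IPv4 sources it used and the ARP 'tell' addresses it announced."""
    seen = defaultdict(lambda: {"ip_src": set(), "arp_tell": set()})
    for line in capture.splitlines():
        frame = FRAME.match(line.strip().lower())
        if not frame:
            continue  # not a link-level line in the expected layout
        src_mac, _dst_mac, ethertype, payload = frame.groups()
        if ethertype == "0800":      # IPv4
            ip = IP_SRC.match(payload)
            if ip:
                seen[src_mac]["ip_src"].add(ip.group(1))
        elif ethertype == "0806":    # ARP; replies are ignored, only requests announce
            arp = ARP_REQ.match(payload)
            if arp:
                seen[src_mac]["arp_tell"].add(arp.group(1))
    return seen


def unannounced_sources(capture):
    """Return {mac: [ip, ...]} for IPv4 sources a MAC used but never put in an ARP request."""
    result = {}
    for mac, addrs in addresses_by_mac(capture).items():
        if addrs["arp_tell"]:        # only judge hosts that were seen sending ARP requests
            missing = addrs["ip_src"] - addrs["arp_tell"]
            if missing:
                result[mac] = sorted(missing)
    return result


if __name__ == "__main__":
    print(unannounced_sources(CAPTURE))
```

An empty result on a capture taken after re-adding the address means every source address seen was also announced in that host's ARP requests.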
