Re: Problem with NAT.

From: Yury Shramko (linux@spylog.net)
Date: Mon Nov 27 2000 - 07:40:13 EST


On Fri, 24 Nov 2000, MONZ wrote:
> Yury Shramko wrote:
> > Standard configuration works well (from internal to Internet and back).
> > But when I try to work with a host in the internal zone through the external
> > address I fail (only ping works). As I understand, this takes place because in
> > this case NAT converts only the dst address and does not convert the src (but I
> > need it to convert both dst and src).
>
> Some simple ascii drawing showing your NAT-router (firewall?) with IP's
> and some info on what can be done from which IP's to which other IP's
> will help here. Is it a Linux router or a firewall? Do you use
> masquerading?...

I use kernel 2.2.17 with ipchains + iproute2.
I have 3 zones that are connected together with tunnels.
In each zone I have a firewall+gateway host. In the main zone (Gold) on this
host I do NAT for the private addresses of all zones. The main problem is:
I must make each private host accessible from anyone via the external
address.

----------------------------------------------------------
On GOLD - 192.168.0.1 NAT setup.
 
ip rule add from 192.168.1.2 nat 194.66.33.202
ip route add nat 194.66.33.202 via 192.168.1.2

ip rule add from 192.168.1.3 nat 194.66.33.203
ip route add nat 194.66.33.203 via 192.168.1.3
----------------------------------------------------------
 
gold-192.168.0.1 external-194.66.30.2 tunnel-10.0.0.1,10.0.0.3
192.168.0.0/24 NAT to (194.66.33.0/24)
 
iki-192.168.1.1 external-194.66.31.2 tunnel-10.0.0.2,10.0.0.5
192.168.1.0/24

office-192.168.2.1 external-194.66.32.2 tunnel-10.0.0.4,10.0.0.6
192.168.2.0/24

tunnel gold-iki - 10.0.0.1 - 10.0.0.2
tunnel gold-office - 10.0.0.3 - 10.0.0.4
tunnel iki-office - 10.0.0.5 - 10.0.0.6

Look at the simple case when I ping from i2 - 192.168.1.2 (194.66.33.202 - NAT) to
i3 - 192.168.1.3 (194.66.33.203 - NAT). I get:

i2 - i1 (from 192.168.1.2 to 194.66.33.203) request
i1 - g1 (from 192.168.1.2 to 194.66.33.203) request
g1 - i1 (from 192.168.1.2 to 192.168.1.3) request !!!
              ^^^^^^^^^^^
      here I would like to see (from 194.66.33.202 to 192.168.1.3) request
                                    ^^^^^^^^^^^^^
i1 - i3 (from 192.168.1.2 to 192.168.1.3) request
i3 - i2 (from 192.168.1.3 to 192.168.1.2) reply

In this case only ping works. All other programs fail.
Maybe I set up NAT incorrectly?

For this simple case I have a design, NAT+Masquerade, but it works only for the
simple case.

With best regards
Yury Shramko
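As an added illustration (not part of Yury's mail and not iproute2 code), the following Python model replays the i2 -> i3 exchange through GOLD's stateless NAT using the addresses from the mail, once with only the dst translated (what the trace shows) and once with both dst and src translated (what Yury asks for), and checks which replies a ping or a TCP socket on i2 would accept. The `trace`, `gold_forward` and `client_accepts` names and the routing model are assumptions of this example.

```python
# Added example (not from the original mail or iproute2): a small model of the
# stateless NAT on GOLD, traced on the i2 -> i3 exchange from the mail.
# Addresses are the ones in the mail; both "dst only" and "dst+src" are compared.

# ip route add nat <ext> via <int>  ->  a packet to <ext> gets dst := <int>
DST_NAT = {"194.66.33.202": "192.168.1.2", "194.66.33.203": "192.168.1.3"}
# ip rule add from <int> nat <ext>  ->  a packet from <int> gets src := <ext>
SRC_NAT = {inside: outside for outside, inside in DST_NAT.items()}


def gold_forward(src, dst, translate_src):
    """Translate one packet as GOLD would.  translate_src=False reproduces
    the trace in the mail: dst is rewritten, src is left alone."""
    new_dst = DST_NAT.get(dst, dst)
    new_src = SRC_NAT.get(src, src) if translate_src else src
    return new_src, new_dst


def trace(client, server_ext, translate_src):
    """Return the (src, dst) pairs seen at each hop for one request and its
    reply; the last pair is what arrives back at the client."""
    hops = [(client, server_ext)]                      # i2 -> i1 -> g1
    req = gold_forward(client, server_ext, translate_src)
    hops.append(req)                                   # g1 -> i1 -> i3
    rep = (req[1], req[0])                             # i3 answers the claimed src
    hops.append(rep)
    # A reply to a 194.66.33.x address is routed over the tunnel back to GOLD;
    # a reply to a 192.168.1.x address stays inside iki and never reaches GOLD.
    if rep[1] in DST_NAT:
        rep = gold_forward(rep[0], rep[1], translate_src)
        hops.append(rep)
    return hops


def client_accepts(client, server_ext, hops, proto):
    """ping matches echo replies on ICMP id/seq only, so any source is accepted;
    a TCP or UDP socket requires the reply to mirror the request's addresses."""
    reply = hops[-1]
    if proto == "icmp":
        return reply[1] == client
    return reply == (server_ext, client)


if __name__ == "__main__":
    for translate_src in (False, True):
        hops = trace("192.168.1.2", "194.66.33.203", translate_src)
        print("translate_src =", translate_src, "->", hops)
        for proto in ("icmp", "tcp"):
            ok = client_accepts("192.168.1.2", "194.66.33.203", hops, proto)
            print("  ", proto, "works" if ok else "fails")
```

With dst-only translation the reply from i3 never passes GOLD, so i2 sees it coming from 192.168.1.3 instead of 194.66.33.203; ping still prints it, but a TCP connection to 194.66.33.203 cannot match it.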

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org