SNAT problem

From: Chris (chris@ms.black-oak.com)
Date: Sun Jan 06 2002 - 23:43:10 EST


Hi,

Apologies in advance for the lengthy post, but I wanted to provide enough
detail.

I seem to have a strange SNAT problem. I've checked all the obvious things,
and everything looks correct.

I have an IBM xSeries box, running kernel 2.4.17, in a firewall
configuration with two NICs: one is the onboard NIC with an Intel chipset
(eepro100), the other is a recent PCI Intel eepro100 card. The hostname is
os-fw.

Current dmesg output showing detected adapters :

eepro100.c:v1.09j-t 9/29/99 Donald Becker
http://cesdis.gsfc.nasa.gov/linux/drivers/eepro100.html
eepro100.c: $Revision: 1.36 $ 2000/11/17 Modified by Andrey V. Savochkin
<saw@saw.sw.com.sg> and others
eth0: Intel Corp. 82557 [Ethernet Pro 100], 00:02:55:AA:2B:F7, IRQ 27.
  Board assembly ffffff-255, Physical connectors present: RJ45
  Primary interface chip i82555 PHY #1.
    Secondary interface chip i82555.
  General self-test: passed.
  Serial sub-system self-test: passed.
  Internal registers self-test: passed.
  ROM checksum self-test: passed (0x3258698e).
PCI: Enabling device 00:09.0 (0000 -> 0003)
eth1: Intel Corp. 82557 [Ethernet Pro 100] (#2), 00:D0:B7:0E:9C:72, IRQ 10.
  Board assembly 721383-008, Physical connectors present: RJ45
  Primary interface chip i82555 PHY #1.
  General self-test: passed.
  Serial sub-system self-test: passed.
  Internal registers self-test: passed.
  ROM checksum self-test: passed (0x04f4518b).

All I need is to NAT traffic from the inside LAN out to the internet (eth0
LAN = 10.10.0.0/16, eth1 internet = 64.45.x.y).

ipv4 forwarding is enabled -

root @ os-fw 11:34pm />sysctl -a | grep "forward"
net.ipv4.conf.ipsec0.mc_forwarding = 0
net.ipv4.conf.ipsec0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1

root @ os-fw 11:35pm />sysctl -a | grep "rp_filter"
net.ipv4.conf.ipsec0.arp_filter = 0
net.ipv4.conf.ipsec0.rp_filter = 1
net.ipv4.conf.eth1.arp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0

Current NAT rules -
root @ os-fw 11:32pm />ipt -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 879 packets, 51937 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 200 packets, 14000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16  1106 SNAT       all  --  *      eth1    10.10.0.0/16         0.0.0.0/0            to:65.45.x.y

Chain OUTPUT (policy ACCEPT 176 packets, 11728 bytes)
 pkts bytes target     prot opt in     out     source               destination

Current filter rules -
root @ os-fw 11:34pm />ipt -L -v -n
Chain INPUT (policy ACCEPT 42731 packets, 9405K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 264 packets, 19620 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 50654 packets, 4296K bytes)
 pkts bytes target     prot opt in     out     source               destination
root @ os-fw 11:35pm />

My next hop is a Cisco 1600, with a T1 to the ISP, if that makes any
difference. Simple, right?

I can make connections just fine out to the internet if I'm sitting on
os-fw. ICMP ping, telnet, ssh, out to anywhere on the internet, works great.

But when I try to make connections from boxes on the 10.10.0.0/16 side of
os-fw, I don't get anything. I've already checked, these boxes are pointing
at os-fw's ip address for their default gw.

I've used tcpdump, and I can see the traffic actually going through os-fw
(traffic generated from a box inside os-fw, on the 10.10.0.0/16 LAN, appears on
os-fw's eth1 interface). The weird thing is, the packets are NATed through
os-fw, and then seem to die at the 1600 router.

Even stranger, I have another 2.4.17 box that is set up almost exactly the
same, except its next hop is a Cisco 1700, and it has slightly different
NICs in it. This box works perfectly.

I'm assuming either NIC driver problems, TTL issues or something screwy
going on in the 1600 . . .

Any ideas ?

tia,
Chris Clifton
chris@ms.black-oak.com
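The symptom in the post (NATed packets leave eth1 and replies never come back from the next hop) is what you get whenever the SNAT source address is not one the upstream router can deliver return traffic to, and the posted output lists eth1 as 64.45.x.y while the POSTROUTING rule rewrites to 65.45.x.y. The script below is an added example, not code from the post or the linux-net list: it parses `iptables -t nat -L POSTROUTING -v -n` and `ip -4 -o addr show` output and reports every SNAT rule whose `to:` address is not configured on its egress interface, suggesting the `iptables -R` replacement. The sample outputs embedded in it are constructed from the post; 64.45.1.2 and 65.45.1.2 are placeholders standing in for the masked x.y values, and iproute2's `ip` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every SNAT rule in
# nat/POSTROUTING maps to an address that really lives on its egress interface.
# If it does not, the next hop either routes replies elsewhere or ARPs for an
# address nobody answers, and the flow dies one hop out, as described in the post.

# Constructed sample of `iptables -t nat -L POSTROUTING -v -n` (the post's rule;
# 65.45.1.2 stands in for the masked 65.45.x.y).
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 200 packets, 14000 bytes)
 pkts bytes target prot opt in  out  source        destination
   16  1106 SNAT   all  --  *   eth1 10.10.0.0/16  0.0.0.0/0  to:65.45.1.2'

# Constructed sample of `ip -4 -o addr show` on os-fw (64.45.1.2 stands in for 64.45.x.y).
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.10.0.1/16 brd 10.10.255.255 scope global eth0
3: eth1    inet 64.45.1.2/30 brd 64.45.1.3 scope global eth1'

# snat_rules NAT_OUTPUT -> one line per SNAT rule: "<rule-index> <out-iface> <source> <to-address>"
# Rule index counts every rule line in the chain, so it is usable with `iptables -R`.
snat_rules() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+[KMG]?$/ { n++ }              # every rule line (counter in column 1)
        $3 == "SNAT" {
            for (i = 9; i <= NF; i++) if ($i ~ /^to:/) {
                ip = substr($i, 4)
                sub(/-.*/, "", ip)                  # keep first address of a range
                sub(/:.*/, "", ip)                  # drop any :port suffix
                print n, $7, $8, ip                 # $7 = out interface, $8 = source
            }
        }'
}

# iface_has_addr IFACE ADDR ADDR_OUTPUT -> exit 0 if ADDR is configured on IFACE
iface_has_addr() {
    printf '%s\n' "$3" | awk -v ifc="$1" -v ip="$2" '
        $2 == ifc && $3 == "inet" { split($4, a, "/"); if (a[1] == ip) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_snat NAT_OUTPUT ADDR_OUTPUT -> prints a verdict per SNAT rule; returns 0 only
# when every SNAT target address is configured on its egress interface.
check_snat() {
    bad=0
    rules=$(snat_rules "$1")
    while read -r idx ifc src ip; do
        [ -n "$ifc" ] || continue
        if iface_has_addr "$ifc" "$ip" "$2"; then
            echo "OK   rule $idx: SNAT $src out $ifc to:$ip ($ip is configured on $ifc)"
        else
            bad=1
            have=$(printf '%s\n' "$2" | awk -v ifc="$ifc" \
                '$2 == ifc && $3 == "inet" { split($4, a, "/"); print a[1]; exit }')
            echo "FAIL rule $idx: SNAT $src out $ifc to:$ip, but $ifc has ${have:-no IPv4 address}."
            echo "     Return traffic for $ip only reaches this host if the next hop can route or ARP it here."
            echo "     Suggested replacement:"
            echo "     iptables -t nat -R POSTROUTING $idx -s $src -o $ifc -j SNAT --to-source ${have:-<addr>}"
        fi
    done <<EOF
$rules
EOF
    return $bad
}

# Run against the live firewall with `sh check_snat.sh --live`; otherwise the
# constructed sample from the post is checked and reproduces its mismatch.
if [ "${1:-}" = "--live" ]; then
    check_snat "$(iptables -t nat -L POSTROUTING -v -n)" "$(ip -4 -o addr show)"
else
    check_snat "$SAMPLE_NAT" "$SAMPLE_ADDRS" || echo "(sample reproduces the mismatch in the post)"
fi
```

When the SNAT address is deliberately different from the interface address (a spare address from the ISP block), the check still fires; in that case the box must also answer for that address, for example by adding it as an alias on eth1 with `ip addr add`, or the upstream router must carry a static route for it pointing at eth1's real address.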

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html



This archive was generated by hypermail 2b29 : Mon Jan 07 2002 - 21:00:40 EST