
Question: still doesn't work... here a detailed scribble...

Forum: Linux IP NAT Forum
Re: Question ipnatadm works, but nothing happens (Sven Woltmann)
Re: Disagree bind rule to an interface (Michael Hasenstein)
Date: Wed, 19 May 1999 09:08:06 GMT
From: Sven Woltmann <sven@woltmann.com>

Here is a detailed scribble of my setup:
             |---- 216.16.88.0/29 ----|
______             
      \
       \  ___216.16.88.1   216.16.88.2 ___________
        \|   |                    eth1|           |
internet | R |------------------------| Linux box |
        /|___|                _ _     |___________|
       /                       |         |eth0
______/                        |         |10.20.1.1
                          10.20.0.0/16   |      _____________
                               |         |     |             |
                               |   ... --|-----| Mail Server |
                               |         |     |_____________|
                               |         |   10.20.50.2
                               |   ... --|
                               |         |
                              _|_       ...

My assigned "real" IP addresses are 216.16.88.0 to 216.16.88.7.
Behind the firewall I have a private network with IPs 10.20.x.x.

The Linux box does
a) masquerading for the 10.20.x.x private network and
b) provides encrypted tunneling with "CIPE" to another network at another location with the same setup

a) and b) work properly.

What I now need is:
Access to the mail server from the internet as 216.16.88.4.

For testing NAT, I flushed the IPChains and gave all chains the ACCEPT policy.
Following your advice, Michael, I set up NAT with the following command:

ipnatadm -I -W eth0 -i -b -o -D 216.16.88.4/32 -N 10.20.50.2/32

This should result in a translation of the destination address at the internal network card.
Hence, the 216.16.88.4 packet must be routed to the internal card.
Here is my routing information:

Destination  Gateway     Genmask          Flags M R U  Iface
216.16.88.4  *           255.255.255.255  UH    0 0 0  eth0
10.30.1.1    *           255.255.255.255  UH    0 0 0  cipcb0
216.16.88.0  *           255.255.255.248  U     0 0 0  eth1
10.20.0.0    *           255.255.0.0      U     0 0 0  eth0
10.30.0.0    10.30.1.1   255.255.0.0      UG    0 0 0  cipcb0
loopback     *           255.0.0.0        U     0 0 0  lo
default      216.16.88.1 0.0.0.0          UG    0 0 0  eth1

The 10.30.x.x entries route to my other network through the encrypted connection (cipcb0). Now I try to ping 216.16.88.4 from the internet. I tcpdump 216.16.88.4 at the external interface and 10.20.50.2 at the internal interface.

When I ping, I have the following logs on my external interface (but no logs on the internal):

arp who-has 216.16.88.4 tell 216.16.88.1
arp who-has 216.16.88.4 tell 216.16.88.1
arp who-has 216.16.88.4 tell 216.16.88.1
arp who-has 216.16.88.4 tell 216.16.88.1

So I guess the packets do not even reach the NAT code, because my router (216.16.88.1) does not find the hardware address of 216.16.88.4, where it has to send the 216.16.88.4 packets to.

I already tried the "ARP patch" from Dan Lasley, but that didn't change anything :-(

What else can I try now ???
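
The check the post makes by eye on its tcpdump output (repeated who-has requests for 216.16.88.4 with no reply), written out as an added example that is not part of the original post. The function name `unanswered_arp` is hypothetical, and the last two sample lines, including the MAC address, are constructed.

```python
import re
from collections import Counter

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Matches both the old tcpdump form ("arp who-has X tell Y") and the newer
# one ("ARP, Request who-has X tell Y, length 28").
REQUEST = re.compile(r"who-has\s+" + IP + r"(?:\s+\([^)]*\))?\s+tell\s+" + IP)
REPLY = re.compile(r"reply\s+" + IP + r"\s+is-at\s+([0-9a-f:]+)", re.IGNORECASE)


def unanswered_arp(lines):
    """Return {(target_ip, asking_ip): request_count} for every ARP request
    in the capture whose target never appears in an is-at reply."""
    requests = Counter()
    answered = set()
    for line in lines:
        m = REQUEST.search(line)
        if m:
            requests[(m.group(1), m.group(2))] += 1
            continue
        m = REPLY.search(line)
        if m:
            answered.add(m.group(1))
    return {key: n for key, n in requests.items() if key[0] not in answered}


# First four lines are the capture quoted in the post; the last two (an
# answered request for the Linux box's own eth1 address, with a made-up
# MAC) are constructed for contrast.
SAMPLE = """\
arp who-has 216.16.88.4 tell 216.16.88.1
arp who-has 216.16.88.4 tell 216.16.88.1
arp who-has 216.16.88.4 tell 216.16.88.1
arp who-has 216.16.88.4 tell 216.16.88.1
arp who-has 216.16.88.2 tell 216.16.88.1
arp reply 216.16.88.2 is-at 0:0:5e:0:53:1
""".splitlines()

if __name__ == "__main__":
    for (target, asker), count in unanswered_arp(SAMPLE).items():
        print(f"{target}: {count} request(s) from {asker}, no reply seen")
```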
