<0> Howdy #netfilter!
<0> I have a NAT puzzle (well, it's puzzling me) to pose if anyone cares to listen!
<0> RNAT, to be specific...
<1> can you be more specific?
<0> sorry, waiting for a nibble...
<0> Ok, here goes...
<0> 2 IPs, one NIC...
<0> NIC is in a linux kernel 2.6 gateway running many things, including a webserver
<0> Another windoze 2003 server web-app server
<0> needs one of those IPs, can't get at it, IP doesn't resolve to it... everything looks like it should work...
<0> then some clever bugger mentions reverse NAT and I replied... "HUH?"
<1> "one of those IPs"?
<0> Sorry, 2 IPs (public)
<1> the two-NIC box has two public IPs, or one public and one private?
<0> x.x.x.195 feeds the gateway and LAN with inet
<1> er, one-NIC-two-IP, not two-NIC
<0> x.x.x.196 feeds the web-app (supposed to, at least)
<0> aye, second response is correct
<1> ok, so win2k3 has linux as gateway; linux is (trying to) do DNAT to windows?
<0> problem is, as soon as I enable the NAT, the .196 machine is suddenly cut off from everything except local traffic (LAN)
<0> aye
<1> is SNAT working anyway?
<1> did you specify a -d on your DNAT rule? otherwise it'll catch everything
<0> I'm afraid that I'm kinda new at this, and command-line iptables is new to me
<0> I'm using a nice comfy web interface...
<0> and it's not showing the actual iptables rules
<0> If I knew where to look I could find it... sorry for the newbness
<1> iptables -t nat -vL will show the NAT rules
<0> kk, just a sec...
<1> in #iptables there's a nice bot :)
<0> unfortunately, I'm also a COMPLETE irc newb too... (first night)
<0> ok, iptables is lookin kinda empty with that set of switches... let me check something first...
<1> it should only have one or two rules in it, since you're just looking at NAT
<0> only the one
<0> and it is...
<0> "1975 97911 MASQUERADE all -- any eth0 anywhere anywhere" in POSTROUTING
<0> ok, the NAT was turned off... let me check again
<1> ok. you may have to change that since it's a one-NIC gateway. That will change all connections to have the source of eth0's IP
<1> shouldn't be a big problem though, just breaks logs
<0> ok...
<0> well, since I've just 'turned on' the NAT in the web interface, a couple more rules show up now... can I post them?
<0> PREROUTING:
<1> use pastebin.com if there are lots
<0> No, just 3
<0> that cool?
<1> ok, that's fine
<0> PREROUTING:
<0> 0 0 DNAT all -- any any anywhere 66.119.183.196 to:192.168.1.127
<0> POSTROUTING:
<0> 0 0 SNAT all -- any any staging01 anywhere to:x.x.x.196
<0> 1 45 MASQUERADE all -- any eth0 anywhere anywhere
<0> that's it, OUTPUT is empty
<0> all 3 have a policy of ACCEPT
<0> sorry for the weird cut and paste action... (blushes)
<1> what is staging01? rerun with -n if needed
<0> staging01 is the 2003 server's name... should be private .127
<0> confirmed, it resolves to 192.168.1.127
<1> right. I'd try removing the MASQUERADE rule, see if that helps
<0> ok... looks like a crash course in iptables is in the near future... thanks.
<0> wow, pastebin.com is neat!
<0> thanks a bunch danieldg
<2> gug
<3> gug
<4> gug
<5> gug
<6> hi
<6> how can I create a socket forcing the source address to another address?
<7> hi folx
<7> does anybody know of a success story with UDP forwarding and iptables (ebtables or whatever) in the special case where we want broadcast on a specific net to be forwarded to another broadcast net?
<7> (the question may be worth asking here too...)
<7> looks like there is no such feature supported by netfilter
<8> how do you MASQUERADE packets coming in and going out the same interface?
<9> hi guys, I'm trying to set up an ipsec connection between 2 masquerading gateways in tunnel mode. the private ip nets can communicate, however the actual gws can't. the reason I'm asking here is that I noticed private net traffic was going through the filter table but the gw->gw traffic was turning up in PREROUTING in the nat table
<9> is this normal behaviour?
<2> everything goes through prerouting
<2> goraxe, check this pic to get some basic idea.. http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png
<2> you'll notice the yellow filter boxes and the group PREROUTING
<9> xkr47: thank you, this is exactly the sort of thing I was looking for
<2> :)
<2> feel free to ask if you want to understand more
<2> please note the ipsec tunnel arrows
<9> okay, the arrows are representative of de-encapsulation?
<9> so ipsec packet, then payload packet?
<2> goraxe, yes..
<2> so the ipsec packet goes PREROUTING -> INPUT, then the ipsec headers are removed and the packet enters PREROUTING again, and then it goes to FORWARD (assuming it's heading for the internal network)
<9> ah right, so from the fact that it's not going to FORWARD I can assume the packet is being delivered locally; it's the echo response that is not being routed correctly
<9> right, the packet has a src of the public ip of gw B (dst private address of gw A). do I need to snat the packet to the private addr of gw B, or is there a better way of doing it?
<2> goraxe, please prefix with my nick so I notice your messages with a lower latency than this horrible 5-15 minutes :)
<9> xkr47: sorry, sure thing ;-)
<2> I'm not completely following your setup but you might need some snat/dnatting to get the gw-gw stuff working I suppose
<10> hello
<2> goraxe, (I'm not an expert on ipsec, but I've used other kinds of tunneling, ipv6 more specifically)
<2> descartes, well hello there! how do you do :)
<10> good I guess... what about you?
<2> great, just had the last test this semester
<2> so I feel free for a little tiny winy afternoon .)
<9> xkr47: unfortunately neither am I. I tried setting up a ppp over ssh tunnel but had problems with the tty device; this is the second attempt. would be nice to get the gws talking so I can resolve dns etc
<10> xkr47, that's good
<9> xkr47: but other than that, happy that the nets can talk. next prob to solve after this one is that net b has a dyn ip (currently just changing the ip in the script by hand)
<2> I actually got ssh-pppd working but it broke up a lot, and having tcp as a tunneling protocol is not a good solution anyway..
<10> I have a little problem. I have a machine with a webserver in my internal network (via wifi) and I'm trying to map that machine so external users can reach it. I'm using dnat. I have a machine via ethernet (not wifi) with the same config and the dnat works, but with wifi it doesn't. is there some kind of timeout problem with netfilter?
<10> (because users trying to reach the wifi machine suffer timeouts; ping from the ethernet machine is 0.35ms and from the wifi 4.5ms)
<2> goraxe, I've needed to resort to some extra snat/dnatting myself too.. but don't be afraid and try to avoid it.. it's not necessary.. it works great :9
<2> descartes, the timeouts are really long in nat, shouldn't be a problem..
<2> descartes, have you tried using some network traffic monitoring tool like tcpdump or ethereal to see what happens to your packets?
<10> yes, they reach the router machine (the one at the top of the intranet) but they don't reach the other machines
<2> did you try monitoring the wifi & lan interfaces also?
<9> xkr47: I've used dnat more than once for ip/port forwarding; I think I had to do snat once for a case with the ftp server behind nat and the client behind nat, but that was quite some time ago now. but thanks once again for the help/knowledge/that png, been looking for something like that for a while
<2> descartes, i.e. do the packets get natted similarly in both cases.. and then the next step would be to verify the same on the server machines that you are dnatting to.. and so on, one step at a time
<10> iptables -A block -p tcp --dport 80 -j ACCEPT and iptables -t nat -A PREROUTING -p tcp -d ${IP} --dport 80 -j DNAT --to 192.168.0.1:80
<2> goraxe, sometimes you even need to use both snat and dnat on the same router :)
<2> descartes, sure.. try the monitoring on each network card and on the servers to see where the problem appears..
<2> because wifi really doesn't make a difference unless you also apply some extra encryption on top of it
<9> xkr47: quirky, don't really wanna think about that at this time in the eve, I can feel the headache starting already ;-)
<2> goraxe, hehe yeah and you might make a mess of it and need to work on it all night to fix it.. ;)
<2> goraxe, but if you still have some problems later, there are others here who might be able to help also.. and I'm quite certain there are some ipsec channels or forums elsewhere also
<9> xkr47: yeah, noticed a mailing list or two, haven't run across any irc channels yet (still looking though)
<2> :)
<10> is there a way to track what netfilter is doing with a connection without coding a kernel module?
<11> hello everyone, I have a question regarding linux masquerading. why, when I try to masq a pptp winxp client, won't it connect? I've seen that maybe I have to patch the kernel. I'm using slackware 10.2 and kernel 2.4.31, and I've also double checked the firewall. am I missing something? thanks for your help
<12> back
<11> anyone had this problem?
<11> is there a fix?
<7> I solved my "forward broadcast" problem using the INPUT chain, the addrtype matcher, the QUEUE target, and python userspace doing packet manipulation
<7> does anybody know about a better solution?
<11> hello everyone, I have a question regarding linux masquerading. why, when I try to masq a pptp winxp client, won't it connect? I've seen that maybe I have to patch the kernel. I'm using slackware 10.2 and kernel 2.4.31, and I've also double checked the firewall. am I missing something? thanks for your help
<13> don't think there's a better one possible with iptables. the problem is that received broadcast packets have a broadcast flag set which makes the ip stack unwilling to route the packets
<13> so one would need to remove that on receive, and then I think you need to set it again after routing in order to get the packet actually broadcast
<9> matth_: have you investigated bridging the interfaces (I am assuming you have two interfaces+)? I'm not sure if this will then forward broadcasts, but it would prob be worth checking out