05-09-2005, 08:56 AM  #1
Member
Registered: Feb 2004
Distribution: FC4,RHEL4
Posts: 223
SNAT working problem (is that a configuration problem?)
hello,
I set up a 4-computer LAN with the configuration
Code:
HostA
eth0=> 192.168.1.100
Router1
eth0=>10.1.1.1
eth1=>192.168.1.1
Router2
eth0=>10.1.1.100
eth1=>172.16.1.1
HostB
eth0=>172.16.1.100
I added the following to iptables
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
on both Routers, as both have eth0 directly connected.
Now, when I ping from HostA to HostB through Router1 and Router2, Router1 has to SNAT, and it does: it sends the ping to HostB, and HostB receives the ping packet with Router1's IP as the source IP. But the reverse pong packet from HostB to HostA does not change its source IP at Router2. Why?
05-09-2005, 12:29 PM  #2
Member
Registered: Feb 2004
Distribution: FC4,RHEL4
Posts: 223
Original Poster
Nobody knows why SNAT is not working on Router2? Is any more info required?
05-09-2005, 01:01 PM  #3
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
I don't see any SNAT rules there...
05-09-2005, 01:13 PM  #4
Member
Registered: Feb 2004
Distribution: FC4,RHEL4
Posts: 223
Original Poster
that's strange, because Router1 changes the src IP of HostA to its IP 10.1.1.1 when the ping packet is sent to HostB from HostA.
If the rules that I specified are not doing that, then does that mean routers have a default behaviour of changing the source IP of outgoing packets?
05-09-2005, 01:19 PM  #5
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
Do you have "echo 1 > /proc/sys/net/ipv4/ip_forward" performed on both machines?
05-09-2005, 04:38 PM  #6
Member
Registered: May 2004
Location: Missouri
Distribution: Gentoo
Posts: 59
Question: From HostA, are you pinging HostB (172.16.1.100), or are you pinging Router2 (10.1.1.100)?
You should be pinging Router2 and redirecting the ICMP echo request to HostB from Router2. Otherwise you will end up with routing rather than NAT at Router2.
If you make a default policy of "DROP" on inbound eth0, you shouldn't be able to ping HostB the way you are.
Code:
iptables -A INPUT -i eth0 -j DROP
05-09-2005, 09:04 PM  #7
Member
Registered: Feb 2004
Distribution: FC4,RHEL4
Posts: 223
Original Poster
Hello Matir,
I have already performed "echo 1 > /proc/sys/net/ipv4/ip_forward" on both machines.
Hello SirGertrude,
From HostA (192.168.1.100) I am pinging HostB (172.16.1.100).
What I want among the set of 3 networks: whenever a packet for HostB (172.16.1.100) is generated at HostA (192.168.1.100), Router1 has to SNAT the outgoing packet from 192.168.1.100 to 10.1.1.1
Similarly, whenever a packet for HostA (192.168.1.100) is generated at HostB (172.16.1.100), Router2 has to SNAT the outgoing packet from 172.16.1.100 to 10.1.1.100
What should I do to achieve this? Because in my current configuration only the ping-originating host's router is able to SNAT, but not the other side's router for the reply packet from the other side. Why?
05-09-2005, 10:21 PM  #8
Member
Registered: Jul 2003
Location: Utah
Distribution: Gentoo FreeBSD 5.4
Posts: 150
This is not working directly to your host because you only accept established and related connections coming in on your external interface (eth0) and out your internal interface (eth1), so anything that tries to come in to host B originating from host A will not be received, because it is initial traffic and not established or related
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
try creating a couple of additional rules to test ICMP above this that say
iptables -A FORWARD -p icmp -i eth0 -o eth1 -d 192.168.1.100 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 192.168.1.100
and you also want this done on router B, saying the same thing for the 172 address
actually that second rule is not needed since you are trying to ping it directly
as long as both routers have the routes for those networks, router 1 knows to forward 172 to router 2 and vice versa
Last edited by sal_paradise42; 05-09-2005 at 10:29 PM.
05-10-2005, 01:23 PM  #9
Member
Registered: May 2004
Location: Missouri
Distribution: Gentoo
Posts: 59
Let me clarify my response. What you should be doing is NAT on both routers. What you are currently doing is NAT on Router1 and routing on Router2. In order for SNAT to occur, the packet must reach the NAT table, which falls after the CONNTRACK and MANGLE table. CONNTRACK keeps track of connections and their state. MANGLE usually just marks a packet.
Here are the steps in your current scenario:
1. Packet leaves HostA (Src: 192.168.1.100, Dst: 172.16.1.100)
2. Packet hits Router1, SNAT takes place for connection originating from within (new Src: 10.1.1.1, Dst: 172.16.1.100)
3. Packet hits Router2, Router2 looks in routing table and finds network 172.16.1.0 is located on eth1. (Src: 10.1.1.1, Dst: 172.16.1.100)
4. Packet is routed to 172.16.1.100 and CONNTRACK marks it for its return. (Src: 10.1.1.1, Dst: 172.16.1.100)
5. HostB receives packet and replies. (Src: 172.16.1.100, Dst: 10.1.1.1)
6. Router2 receives packet and CONNTRACK looks at it FIRST. CONNTRACK recognizes the packet as the reply to the initial request and the packet is accepted to be further routed through the network. Neither the MANGLE nor NAT table even see the packet, therefore it will not go through SNAT process. (Src: 172.16.1.100, Dst: 10.1.1.1)
7. Router1 receives packet (checks CONNTRACK - nothing, checks NAT - sees entry awaiting packets return due to SNAT), then changes destination (DNAT) to HostA. (Src: 172.16.1.100, Dst: 10.1.1.1)
If you were to somehow rig Router2 to perform SNAT on the return packet, it would hit Router1 and be lost. This is because Router1 does not have an entry for a packet from 10.1.1.100, it only has an entry awaiting a packet from 172.16.1.100.
How to do what you want:
Use DNAT at Router2 to forward ICMP echo requests to HostB (172.16.1.100), then ping Router2 rather than HostB and the ICMP echo request will hit HostB. Here are the steps the packet would take in this case:
1. Packet leaves HostA (Src: 192.168.1.100, Dst: 10.1.1.100)
2. Packet hits Router1, SNAT takes place for connection originating from within (new Src: 10.1.1.1, Dst: 10.1.1.100)
3. Packet hits Router2, Router2 looks at NAT table and finds DNAT entry for ICMP echo request. DNAT changes destination to HostB. (Src: 10.1.1.1, Dst: 172.16.1.100)
4. HostB receives packet and replies (Src: 172.16.1.100, Dst: 10.1.1.1)
5. Router2 receives packet and CONNTRACK looks at it FIRST - nothing, NAT - realizes that this is a response to a previous packet (due to DNAT) and performs SNAT. (Src: 10.1.1.100, Dst: 10.1.1.1)
6. Router1 receives packet and realizes that this connection was a result of a previous SNATed connection and performs DNAT to the original source. (Src: 10.1.1.100, Dst: 192.168.1.100)
Done. Neither host knew who the other host really was. I hope this makes sense
05-10-2005, 11:28 PM  #10
Member
Registered: Feb 2004
Distribution: FC4,RHEL4
Posts: 223
Original Poster
Can you please specify again what iptables rules I should add at Router1 and Router2? Plzzzzzzz
05-11-2005, 07:17 PM  #11
Member
Registered: Jul 2003
Location: Utah
Distribution: Gentoo FreeBSD 5.4
Posts: 150
I think what you want to do, per SirGertrude's direction, is this rule on router 1; make sure these are all on top of the other rules
iptables -A FORWARD -p icmp -i eth0 -o eth1 -d 192.168.1.100 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 192.168.1.100
and this on router 2; make sure these are all on top of the other rules
iptables -A FORWARD -p icmp -i eth0 -o eth1 -d 172.16.1.100 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 172.16.1.100
and when you ping from host A, do a ping to 10.1.1.100; this will be routed to host B on router 2 and it will echo reply back
and from host B do a ping to 10.1.1.1, and this will be routed to host A on router 1 and it will echo reply back
this is assuming that the default gateway for the hosts for ALL traffic is the routers
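The packet walks in post #9 and the rule sets in posts #1, #6 and #11 can be replayed with a small model of how conntrack and the nat table are ordered inside the kernel. The Python below is an added example written for this page, not code from the thread or from the netfilter project. The Router class, its rule tuples and the trace strings are a simplification (no RELATED state, no ICMP id tracking, no INPUT chain); the FORWARD policy, the DNAT rule and the interfaces that carry MASQUERADE are parameters so that the direct ping from post #1, the DROP policy from post #6, MASQUERADE on both Router2 interfaces from post #12 and the DNAT approach from posts #9/#11 can be compared on the thread's own addresses.

```python
"""Added example, not code from the thread: a model of how Netfilter conntrack
and the nat table handle one ICMP echo request/reply between HostA and HostB
through Router1 and Router2 (addresses from the thread). The Router class, the
rule tuples and the trace strings are this example's own simplification."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOST_A, HOST_B = "192.168.1.100", "172.16.1.100"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Router:
    """Two-interface router: conntrack table, nat PREROUTING/POSTROUTING, filter FORWARD.
    masq   = out interfaces with   -t nat -A POSTROUTING -o X -j MASQUERADE
    dnat   = {in_iface: target}    -t nat -A PREROUTING -i X -p icmp -j DNAT --to-destination target
    accept = [(in, out, dst|None)] FORWARD rules accepting NEW packets; ESTABLISHED/RELATED is
             always accepted (as in the thread's rules) and any other NEW packet hits `policy`."""

    def __init__(self, name, addrs, routes, masq=(), dnat=None, accept=(), policy="ACCEPT"):
        self.name, self.addrs = name, addrs                    # addrs: {iface: own address}
        self.routes = [(ip_network(n), i) for n, i in routes]  # routes: [(network, out_iface)]
        self.masq, self.dnat = set(masq), dict(dnat or {})
        self.accept, self.policy = list(accept), policy
        self.conntrack = {}  # original (src, dst) -> (src, dst) as it left this router after NAT

    def route(self, dst):
        return next(i for n, i in self.routes if ip_address(dst) in n)

    def forward(self, pkt, in_iface, trace):
        """Return (packet as transmitted, out interface), or (None, None) if dropped."""
        tup = (pkt.src, pkt.dst)
        # 1. conntrack runs first: a packet of a known connection gets that connection's
        #    existing mapping applied; the nat table is never consulted for it again
        for orig, nat in self.conntrack.items():
            if tup == orig:                        # original direction
                state, out_pkt = "ESTABLISHED", Packet(*nat)
                break
            if tup == (nat[1], nat[0]):            # reply direction: reverse the mapping
                state, out_pkt = "ESTABLISHED", Packet(orig[1], orig[0])
                break
        else:                                      # 2. NEW connection: nat PREROUTING (DNAT)
            state, out_pkt = "NEW", pkt
            if in_iface in self.dnat:
                out_pkt = Packet(pkt.src, self.dnat[in_iface])
        out = self.route(out_pkt.dst)              # 3. routing uses the (DNATed) destination
        if state == "NEW" and self.policy == "DROP" and not any(         # 4. filter FORWARD
                i == in_iface and o == out and d in (None, out_pkt.dst) for i, o, d in self.accept):
            trace.append(f"{self.name}: NEW {pkt.src}->{pkt.dst} {in_iface}->{out} dropped by FORWARD policy")
            return None, None
        if state == "NEW":                         # 5. nat POSTROUTING (MASQUERADE), NEW only
            if out in self.masq:
                out_pkt = Packet(self.addrs[out], out_pkt.dst)
            self.conntrack[tup] = (out_pkt.src, out_pkt.dst)
        trace.append(f"{self.name}: {state} in {in_iface} {pkt.src}->{pkt.dst}"
                     f" | out {out} {out_pkt.src}->{out_pkt.dst}")
        return out_pkt, out


def ping(target, r1, r2):
    """HostA sends one echo request to `target`, HostB answers whatever reaches it. Returns
    (trace, request as HostB sees it, reply on the 10.1.1.0/24 link, reply as HostA sees it)."""
    trace = []
    req, out = r1.forward(Packet(HOST_A, target), "eth1", trace)
    if req is not None and out == "eth0":
        req, out = r2.forward(req, "eth0", trace)
    if req is None or out != "eth1" or req.dst != HOST_B:
        return trace, None, None, None
    link, out = r2.forward(Packet(HOST_B, req.src), "eth1", trace)  # HostB replies to the src it saw
    if link is None or out != "eth0":
        return trace, req, None, None
    rep, out = r1.forward(link, "eth0", trace)
    if rep is None or out != "eth1" or rep.dst != HOST_A:
        return trace, req, link, None
    return trace, req, link, rep


def scenario(target, *, dnat=False, icmp_rule=False, policy="ACCEPT", r2_masq=("eth0",)):
    """Both routers with the post #1 rules (MASQUERADE out eth0, eth1->eth0 accepted, eth0->eth1
    ESTABLISHED,RELATED only); dnat/icmp_rule add post #11's DNAT and ICMP ACCEPT rules."""
    def mk(name, eth0, eth1, lan, far, host, masq):
        accept = [("eth1", "eth0", None)] + ([("eth0", "eth1", host)] if icmp_rule else [])
        return Router(name, {"eth0": eth0, "eth1": eth1},
                      [(lan, "eth1"), ("10.1.1.0/24", "eth0"), (far, "eth0")],
                      masq=masq, dnat={"eth0": host} if dnat else None, accept=accept, policy=policy)
    r1 = mk("Router1", "10.1.1.1", "192.168.1.1", "192.168.1.0/24", "172.16.1.0/24", HOST_A, ("eth0",))
    r2 = mk("Router2", "10.1.1.100", "172.16.1.1", "172.16.1.0/24", "192.168.1.0/24", HOST_B, r2_masq)
    return ping(target, r1, r2)


if __name__ == "__main__":
    for title, kw in [("direct ping, post #1 rules", {}),
                      ("direct ping, MASQUERADE on both Router2 interfaces (post #12)", {"r2_masq": ("eth0", "eth1")}),
                      ("direct ping, FORWARD policy DROP (post #6)", {"policy": "DROP"}),
                      ("ping Router2 with DNAT on it (posts #9/#11)",
                       {"target": "10.1.1.100", "dnat": True, "icmp_rule": True, "policy": "DROP"})]:
        print(f"== {title}\n" + "\n".join(scenario(**{"target": HOST_B, **kw})[0]))
```

Running it prints, for each case, the packet as each router received and transmitted it. In the direct-ping cases Router2 classifies the reply as ESTABLISHED and transmits it with source 172.16.1.100 untouched, whichever interfaces carry MASQUERADE, because the nat table is evaluated only for the first packet of a connection; with the DNAT rule and a ping to 10.1.1.100, Router2 reverses its own DNAT mapping on the reply, which therefore leaves with source 10.1.1.100, the behaviour asked for in post #7.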
05-12-2005, 08:18 AM  #12
Member
Registered: Feb 2004
Distribution: FC4,RHEL4
Posts: 223
Original Poster
hello all,
Still not able to achieve what I want. Either my network configuration is wrong or I am not able to write the iptables rules.
The problem that I am facing is that I want to send any packet (tcp, udp, icmp) from HostA to HostB, which must go through Router1 and Router2. For that I added the IP forwarding rules
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
Then I added the MASQUERADE rules
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
But only the request packet gets its source IP changed; the reply packet does not get SNATed on Router2 when a ping packet is sent from HostA to HostB.
As SirGertrude said, it's because of ip_conntrack, but it's on both Router1 and Router2. Then how do I hack ip_conntrack on Router2 to force it to do SNAT?