LinuxQuestions.org
Old 05-09-2005, 09:56 AM   #1
cranium2004
Member
 
Registered: Feb 2004
Distribution: FC4,RHEL4
Posts: 223

Rep: Reputation: 30
SNAT working problem (is that configuration problem?)


Hello,
I set up a 4-computer LAN with the following configuration:
Code:
HostA
eth0=> 192.168.1.100

Router1
eth0=>10.1.1.1
eth1=>192.168.1.1

Router2
eth0=>10.1.1.100
eth1=>172.16.1.1

HostB
eth0=>172.16.1.100
I added the following to iptables
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
on both routers, as both have eth0 directly connected.
Now, when I ping from HostA to HostB through Router1 and Router2, Router1 has to SNAT, and it did, and sends a ping to HostB, with HostB receiving the src IP of the ping packet as that of Router1, but the reverse pong packet from HostB to HostA does not change its src IP at Router2. Why?
 
Old 05-09-2005, 01:29 PM   #2
cranium2004
Member
 
Registered: Feb 2004
Distribution: FC4,RHEL4
Posts: 223

Original Poster
Rep: Reputation: 30
Nobody knows why SNAT is not working on Router2? Is any more info required?
 
Old 05-09-2005, 02:01 PM   #3
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 126Reputation: 126
I don't see any SNAT rules there...
 
Old 05-09-2005, 02:13 PM   #4
cranium2004
Member
 
Registered: Feb 2004
Distribution: FC4,RHEL4
Posts: 223

Original Poster
Rep: Reputation: 30
That's strange, because Router1 changes the src IP of HostA to its IP 10.1.1.1 when a ping packet is sent to HostB from HostA.
If the rules that I specified are not doing that, then does that mean routers have a default behaviour of changing the source IP of outgoing packets?
 
Old 05-09-2005, 02:19 PM   #5
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 126Reputation: 126
Do you have "echo 1 > /proc/sys/net/ipv4/ip_forward" performed on both machines?
 
Old 05-09-2005, 05:38 PM   #6
SirGertrude
Member
 
Registered: May 2004
Location: Missouri
Distribution: Gentoo
Posts: 59

Rep: Reputation: 15
Question: From HostA, are you pinging HostB (172.16.1.100), or are you pinging Router2 (10.1.1.100)?

You should be pinging Router2 and redirecting the ICMP echo request to HostB from Router2. Otherwise you will end up with routing rather than NAT at Router2.

If you make a default policy of "DROP" on inbound eth0, you shouldn't be able to ping HostB the way you are.

Code:
iptables -A INPUT -i eth0 -j DROP
 
Old 05-09-2005, 10:04 PM   #7
cranium2004
Member
 
Registered: Feb 2004
Distribution: FC4,RHEL4
Posts: 223

Original Poster
Rep: Reputation: 30
Hello Matir,
I have already "echo 1 > /proc/sys/net/ipv4/ip_forward" performed on both machines.

Hello SirGertrude,
From HostA(192.168.1.100) I am pinging HostB (172.16.1.100).
What I want: among the set of 3 networks, whenever a packet is generated for HostB (172.16.1.100) at HostA (192.168.1.100), Router1 has to SNAT the outgoing packet from 192.168.1.100 to 10.1.1.1.
Similarly, whenever a packet is generated for HostA (192.168.1.100) at HostB (172.16.1.100), Router2 has to SNAT the outgoing packet from 172.16.1.100 to 10.1.1.100.
What should I do to achieve this? Because in my current configuration only the ping-originating host's router is able to SNAT, but not the other side's router for the reply packet from the other side. Why?
 
Old 05-09-2005, 11:21 PM   #8
sal_paradise42
Member
 
Registered: Jul 2003
Location: Utah
Distribution: Gentoo FreeBSD 5.4
Posts: 150

Rep: Reputation: 16
This is not working directly to your host because you only have established and related connections accepted coming into your external interface (eth0) and out your internal interface (eth1), so anything that tries to come in to host B originating from host A will not be received, because it is initial traffic and not established and related:
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

Try creating a couple of additional rules above this to test ICMP, which say:

iptables -A FORWARD -p icmp -i eth0 -o eth1 -d 192.168.1.100 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 192.168.1.100

You also want this done on router B, saying the same thing for the 172 address.

Actually, that second rule is not needed, since you are trying to ping it directly,
as long as both routers have the routes for those networks: router 1 knows to forward 172 to router 2 and vice versa.

Last edited by sal_paradise42; 05-09-2005 at 11:29 PM.
 
Old 05-10-2005, 02:23 PM   #9
SirGertrude
Member
 
Registered: May 2004
Location: Missouri
Distribution: Gentoo
Posts: 59

Rep: Reputation: 15
Let me clarify my response. What you should be doing is NAT on both routers. What you are currently doing is NAT on Router1 and routing on Router2. In order for SNAT to occur, the packet must reach the NAT table, which falls after the CONNTRACK and MANGLE table. CONNTRACK keeps track of connections and their state. MANGLE usually just marks a packet.

Here are the steps in your current scenario:

1. Packet leaves HostA (Src: 192.168.1.100, Dst: 172.16.1.100)

2. Packet hits Router1, SNAT takes place for connection originating from within (new Src: 10.1.1.1, Dst: 172.16.1.100)

3. Packet hits Router2, Router2 looks in routing table and finds network 172.16.1.0 is located on eth1. (Src: 10.1.1.1, Dst: 172.16.1.100)

4. Packet is routed to 172.16.1.100 and CONNTRACK marks it for its return. (Src: 10.1.1.1, Dst: 172.16.1.100)

5. HostB receives packet and replies. (Src: 172.16.1.100, Dst: 10.1.1.1)

6. Router2 receives packet and CONNTRACK looks at it FIRST. CONNTRACK recognizes the packet as the reply to the initial request and the packet is accepted to be further routed through the network. Neither the MANGLE nor NAT table even see the packet, therefore it will not go through SNAT process. (Src: 172.16.1.100, Dst: 10.1.1.1)

7. Router1 receives packet (checks CONNTRACK - nothing, checks NAT - sees entry awaiting packets return due to SNAT), then changes destination (DNAT) to HostA. (Src: 172.16.1.100, Dst: 10.1.1.1)


If you were to somehow rig Router2 to perform SNAT on the return packet, it would hit Router1 and be lost. This is because Router1 does not have an entry for a packet from 10.1.1.100, it only has an entry awaiting a packet from 172.16.1.100.

How to do what you want:

Use DNAT at Router2 to forward ICMP echo requests to HostB (172.16.1.100), then ping Router2 rather than HostB and the ICMP echo request will hit HostB. Here are the steps the packet would take in this case:

1. Packet leaves HostA (Src: 192.168.1.100, Dst: 10.1.1.100)

2. Packet hits Router1, SNAT takes place for connection originating from within (new Src: 10.1.1.1, Dst: 10.1.1.100)

3. Packet hits Router2, Router2 looks at NAT table and finds DNAT entry for ICMP echo request. DNAT changes destination to HostB. (Src: 10.1.1.1, Dst: 172.16.1.100)

4. HostB receives packet and replies (Src: 172.16.1.100, Dst: 10.1.1.1)

5. Router2 receives packet and CONNTRACK looks at it FIRST - nothing, NAT - realizes that this is a response to a previous packet (due to DNAT) and performs SNAT. (Src: 10.1.1.100, Dst: 10.1.1.1)

6. Router1 receives packet and realizes that this connection was a result of a previous SNATed connection and performs DNAT to the original source. (Src: 10.1.1.100, Dst: 192.168.1.100)

Done. Neither host knew who the other host really was. I hope this makes sense.
 
Old 05-11-2005, 12:28 AM   #10
cranium2004
Member
 
Registered: Feb 2004
Distribution: FC4,RHEL4
Posts: 223

Original Poster
Rep: Reputation: 30
Can you please specify again what iptables rules I should add at Router1 and Router2? Plzzzzzzz
 
Old 05-11-2005, 08:17 PM   #11
sal_paradise42
Member
 
Registered: Jul 2003
Location: Utah
Distribution: Gentoo FreeBSD 5.4
Posts: 150

Rep: Reputation: 16
I think what you want to do, per SirGertrude's direction, is this rule on router 1; make sure these are all on top of the other rules:

iptables -A FORWARD -p icmp -i eth0 -o eth1 -d 192.168.1.100 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 192.168.1.100

And this on router 2; make sure these are all on top of the other rules:

iptables -A FORWARD -p icmp -i eth0 -o eth1 -d 172.16.1.100 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p icmp -j DNAT --to-destination 172.16.1.100

And when you ping from host A, do a ping to 10.1.1.100; this will be routed to host B on router 2 and it will echo reply back.

And from host B, do a ping to 10.1.1.1, and this will be routed to host A on router 1 and it will echo reply back.

This is assuming that the default gateway for the hosts for ALL traffic is the routers.
 
Old 05-12-2005, 09:18 AM   #12
cranium2004
Member
 
Registered: Feb 2004
Distribution: FC4,RHEL4
Posts: 223

Original Poster
Rep: Reputation: 30
Hello all,
Still not able to achieve what I want. Either my network configuration is wrong or I am not able to write the iptables rules.
The problem that I am facing is that I want to send any packet (tcp, udp, icmp) from HostA to HostB, which must go through Router1 and Router2. For that I added IP forwarding rules:

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

Then I added the MASQUERADE rules:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
But only the request packet gets its source IP changed; the reply packet does not get SNAT on Router2 when a ping packet is sent from HostA to HostB.
As SirGertrude said, it's because of ip_conntrack, but it's on both Router1 and Router2. Then how to hack ip_conntrack on Router2 to force it to do SNAT?
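
The packet walks discussed in posts #9 and #12, as an added example that is not part of the thread or any poster's code: a toy Python model of conntrack-based NAT on the two routers. It assumes netfilter's behaviour that nat-table rules are evaluated only for the first packet of a flow and that replies are rewritten from the stored mapping; the names `Router`, `routers` and `ping` are hypothetical, and all traffic is treated as ICMP.

```python
# Toy model, constructed for this thread (not netfilter code): nat-table rules
# are evaluated only for the first packet of a flow; replies are rewritten from
# the mapping conntrack stored for that flow.

class Router:
    def __init__(self, addrs, masq, dnat_to=None):
        self.addrs = addrs      # interface -> this router's address on it
        self.masq = masq        # interfaces with POSTROUTING -o IF -j MASQUERADE
        self.dnat_to = dnat_to  # PREROUTING -i eth0 -j DNAT target, if any
        self.conntrack = {}     # expected reply (src, dst) -> rewritten (src, dst)

    def forward(self, src, dst, out_if):
        """Return (src, dst) of the packet as it leaves through out_if."""
        if (src, dst) in self.conntrack:
            # Reply of a tracked flow: undo the stored translation.
            # MASQUERADE/DNAT rules are not evaluated for it.
            return self.conntrack[(src, dst)]
        in_if = "eth1" if out_if == "eth0" else "eth0"   # two-port router
        new_src, new_dst = src, dst
        if self.dnat_to and in_if == "eth0":
            new_dst = self.dnat_to
        if out_if in self.masq:
            new_src = self.addrs[out_if]
        # The reply will arrive inverted; map it back to the inverted original.
        self.conntrack[(new_dst, new_src)] = (dst, src)
        return new_src, new_dst


def routers(r2_dnat=None, masq=("eth0",)):
    """Router1 and Router2 with the addresses from the first post."""
    r1 = Router({"eth0": "10.1.1.1", "eth1": "192.168.1.1"}, masq)
    r2 = Router({"eth0": "10.1.1.100", "eth1": "172.16.1.1"}, masq, r2_dnat)
    return r1, r2


def ping(target, r1, r2, host_a="192.168.1.100"):
    """Return (source HostB sees on the request, source HostA sees on the reply)."""
    req = r2.forward(*r1.forward(host_a, target, "eth0"), "eth1")
    reply = r1.forward(*r2.forward(req[1], req[0], "eth0"), "eth1")
    return req[0], reply[0]


if __name__ == "__main__":
    print(ping("172.16.1.100", *routers()))                        # direct ping
    print(ping("10.1.1.100", *routers(r2_dnat="172.16.1.100")))    # DNAT on Router2
    print(ping("172.16.1.100", *routers(masq=("eth0", "eth1"))))   # MASQUERADE on both interfaces, as in post #12
```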
 
  

