On Sun, 2001-10-21 at 09:01, Robin Cook wrote:
> Hello David,
> 
>   Found the problem to the single ping return.
> 
>   iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j SNAT --to-source 172.16.231.57-172.16.231.59
> 

Yes, I was about to suggest the same. You can also do

-i eth1 -o eth0

to match only packets from your internal network.

>   if I leave the -s 10.1.1.0/24 out, the routing box and the outside box
>   stop being able to ping to the ISP or Internet (just the first one
>   returns; the rest time out.)
> 
>   So now for the routing box and the outside box I can ping anywhere
>   and get all responses back.  The routing box is also able to ping
>   the inside boxes.
> 
>   The inside boxes can ping the router box and the outside box without
>   problem but cannot ping the ISP or an internet site. I have also
>   tried ftp and http protocols from the inside boxes with the same
>   results.
> 

I have one idea that explains why internal boxes do not work; it does
not explain why you can ping the external box though :-)

It may be possible that for every SNAT rule in POSTROUTING the kernel
internally sets up a matching DNAT rule in PREROUTING (actually it is
really the case). In this case it may happen that your reply packets are
not matched because they come in on different interfaces.

You have eth0 with 61 and eth0:0, eth0:1, eth0:2 with 57, 58, 59
correspondingly. You set up your DNAT for packets coming *out of* eth0;
it may be possible that the SNAT rule will match only packets coming
*into* eth0.

But reply packets in this case are coming into *different interfaces*,
notably eth0:0 through eth0:2, and are ignored by NAT. I looked into the
netfilter code but it was way too complicated.

Try the following.

1. Remove all alias interfaces. Define SNAT to the basic address only, i.e.
to 61 (the address of your true interface). See if it works.

2. If it works, define static ARP entries for your additional addresses;
see man arp. It looks like

arp -s 172.16.231.57 <ethernet address of eth0>
...
Check if it works.

Is it possible to define alias without defining new interface?

>   With a sniffer on the outside box I can see all the translated ping
>   request from an inside box and the returning response. But the
>   response is not getting translated back and sent to the inside box.
> 

That more or less confirms it; it still does not explain why you can
ping the external box ... :(

-andrej
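A small added illustration (not from the thread, not netfilter's code) of why a reply that reaches a SNAT router must match the state recorded for the outbound packet before it can be translated back, using the SNAT pool from the thread and a constructed echo request; the round-robin pool choice and the keying on addresses and ports/echo ids only are simplifying assumptions of this model.

```python
from dataclasses import dataclass

# SNAT --to-source range and internal network from the thread (constructed sample values otherwise)
POOL = ["172.16.231.57", "172.16.231.58", "172.16.231.59"]
LAN_PREFIX = "10.1.1."

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    dst: str
    sid: int   # source port, or ICMP echo id
    did: int   # destination port, or ICMP echo id

class SnatBox:
    """Toy model of a stateful SNAT router (assumption: not netfilter's algorithm).
    The first packet of a flow picks a pool address and records the mapping;
    a reply is translated back only if it matches the recorded reverse tuple."""
    def __init__(self, pool, lan_prefix):
        self.pool, self.lan, self.flows, self.n = pool, lan_prefix, {}, 0

    def outbound(self, p: Pkt):
        key = (p.proto, p.src, p.dst, p.sid, p.did)
        if key not in self.flows:
            if not p.src.startswith(self.lan):   # the -s 10.1.1.0/24 match
                return p                         # not ours: leave it untouched
            self.flows[key] = self.pool[self.n % len(self.pool)]  # simplified pool choice
            self.n += 1
        return Pkt(p.proto, self.flows[key], p.dst, p.sid, p.did)

    def inbound(self, p: Pkt):
        """Return the un-NATed reply, or None when no state matches (the reply then
        stays addressed to the pool address and never reaches the inside box)."""
        for (proto, src, dst, sid, did), new_src in self.flows.items():
            if (proto, p.src, p.dst, p.sid, p.did) == (proto, dst, new_src, did, sid):
                return Pkt(proto, p.src, src, p.sid, p.did)
        return None

def demo():
    box = SnatBox(POOL, LAN_PREFIX)
    req = box.outbound(Pkt("icmp", "10.1.1.5", "198.51.100.1", 7, 7))  # constructed echo request
    good = box.inbound(Pkt("icmp", "198.51.100.1", req.src, 7, 7))      # reply to the mapped address
    stray = box.inbound(Pkt("icmp", "198.51.100.1", "172.16.231.58", 7, 7))  # no state for this one
    return req.src, good.dst if good else None, stray
```

On a real 2.4 router the recorded state can be inspected in /proc/net/ip_conntrack to see whether the reply tuple the sniffer shows is the one the kernel expects.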
