are you trying to access the NAT'd machine from in front of the debian box doing the NAT ? from the looks of it you are doing NAT on only part of the network.. the desktop PCs section (?) You will not be able to access the NAT'd machines from in front of the debian box doing the NAT even if it's on the same network. If you need this functionality you need something that can do reverse NAT.
i hope i understood your problem :)

nate

On Tue, 28 Dec 1999, Ronald Tin wrote:

>Hi all,
>
> I am starting to use Debian (potato) as a firewall with NAT functions.
>I have fast NAT compiled into the kernel, installed iproute2, read
>through the documentation "ip-cref" and did what was suggested in
>Appendix C. Everything looks fine. Except ....... I cannot connect
>to the NATed machine from the internal network.
>
>My (approx) network topology:
>
> INTERNET --- FW1 [172.16.29.254] ---+--- [172.16.28.2] NT Lotus Notes
>                                     |
>                                     |
>                               [172.16.29.1]
>                                   FW2
>                               [172.16.28.1]
>                                     |
>                                     |
>                               [172.16.28.x]
>                                desktop PCs
>
>(don't ask me why 2 firewalls are needed, I don't know :( )
>
>I have IP Masquerading and the NAT running in FW1
>(172.16.28.x uses MASQ, 172.16.29.2 uses NAT and ipchains is
> set to just forward packets)
>
>I can connect to the Notes server from the Internet.
>desktop PCs can connect to the Internet and the 2 FWs.
>The 2 FWs, of course, can go anywhere.
>I can connect from FW1/2 to the Notes server through 172.16.29.2.
>However (here's the problem), I cannot connect from "desktop PCs"
>to the Notes server.
>Also, if I try to connect to the Notes server from FW1 using the
>NATed address I get an "invalid argument" error.
>
>What was the cause of these 2 errors?
>
>The ip commands are something like this:
> /sbin/ip route add nat $EXTIP via 172.16.29.2
> /sbin/ip rule add prio 1000 from 172.16.29.2 to 172.16.0.0/16 table main
> /sbin/ip rule add prio 1001 from 172.16.29.2 nat $EXTIP
>
>The documentation mentioned a table called "inr.ruhep".
>Was the name arbitrary? Appendix C mentioned
>this table should contain "route to the destination", but
>I don't know what that is supposed to be..........
>
>
>Shall I use FW2 to do masquerading, and FW1 to provide NAT for
>FW2 and Notes? Will it help the situation?
>I just noticed that it should be easier to manage this way.
>
>
>(I really think I should have posted it somewhere else.....
> should I? And if yes, where should I post?)
>
>Hope it doesn't look too difficult to understand. My English isn't
>that good. :(
>
>
>--
>Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
>

----------------------------------------[mailto:[EMAIL PROTECTED] ]--
Vice President Network Operations       http://www.firetrail.com/
Firetrail Internet Services Limited     http://www.aphroland.org/
Everett, WA 425-348-7336                http://www.linuxpowered.net/
Powered By:                             http://comedy.aphroland.org/
Debian 2.1 Linux 2.0.36 SMP             http://yahoo.aphroland.org/
-----------------------------------------[mailto:[EMAIL PROTECTED] ]--
8:11pm up 131 days, 8:04, 3 users, load average: 2.05, 1.63, 1.56
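Editor's note (added example, not part of the thread and not code from either poster): the following Python models the three iproute2 lines Ronald quoted as stateless translations on FW1 and traces one request and its reply for three different clients, which is enough to see why the desktops cannot reach the Notes server through the NATed address while the Internet can. The public address $EXTIP was not given in the thread, so a documentation-range placeholder (203.0.113.10) stands in for it; the Internet client 198.51.100.5 and the desktop 172.16.28.10 are constructed, and the model assumes the Notes server's only gateway is FW1 at 172.16.29.254 (the thread does not say).

```python
import ipaddress

# Addresses from the quoted topology.  $EXTIP was not given in the thread,
# so a documentation-range placeholder stands in for it; the Internet
# client and the desktop address are constructed for this example.
EXTIP = ipaddress.ip_address("203.0.113.10")       # placeholder for $EXTIP
INTERNET_CLIENT = ipaddress.ip_address("198.51.100.5")
NOTES = ipaddress.ip_address("172.16.29.2")        # the NATed Notes server
DESKTOP = ipaddress.ip_address("172.16.28.10")     # one of the "desktop PCs"
SITE = ipaddress.ip_network("172.16.0.0/16")       # the 172.16/16 of the prio 1000 rule


def fw1_destination_nat(src, dst):
    """ip route add nat $EXTIP via 172.16.29.2
    A packet addressed to the public address is delivered to the Notes server."""
    if dst == EXTIP:
        return src, NOTES
    return src, dst


def fw1_source_nat(src, dst):
    """prio 1000: from 172.16.29.2 to 172.16.0.0/16 table main -> left alone
    prio 1001: from 172.16.29.2 nat $EXTIP                     -> source rewritten
    The NAT is stateless, so only the addresses on the packet decide."""
    if src == NOTES and dst not in SITE:
        return EXTIP, dst
    return src, dst


def crosses_fw1(src, dst):
    """Modelling assumption: a packet passes through FW1 when either end is
    outside 172.16/16, or when the Notes server sends it (its only gateway is
    taken to be FW1 at 172.16.29.254).  Desktop <-> FW2 traffic that stays
    inside the site never reaches FW1."""
    return src not in SITE or dst not in SITE or src == NOTES


def fw1_translate(src, dst):
    """FW1 applies the destination rule first, then the source rules."""
    src, dst = fw1_destination_nat(src, dst)
    return fw1_source_nat(src, dst)


def simulate(client, target):
    """Trace one request/reply exchange from client to target.

    Returns (address the reply arrives from, whether the client accepts it).
    A TCP client only accepts a reply whose source is the address it
    connected to and whose destination is its own address."""
    req_src, req_dst = client, target
    if crosses_fw1(req_src, req_dst):
        req_src, req_dst = fw1_translate(req_src, req_dst)
    server = req_dst                      # the host that actually got the SYN
    rep_src, rep_dst = server, req_src    # it answers the source address it saw
    if crosses_fw1(rep_src, rep_dst):
        rep_src, rep_dst = fw1_translate(rep_src, rep_dst)
    return str(rep_src), (rep_src == target and rep_dst == client)


if __name__ == "__main__":
    cases = ((INTERNET_CLIENT, EXTIP), (DESKTOP, NOTES), (DESKTOP, EXTIP))
    for who, dst in cases:
        reply_from, ok = simulate(who, dst)
        print(f"{who} -> {dst}: reply from {reply_from}, {'works' if ok else 'fails'}")
```

The Internet client's SYN has its destination rewritten on the way in and the Notes server's reply has its source rewritten on the way out, so the client sees a consistent peer and the connection works. The desktop's SYN also has its destination rewritten, but it reaches the Notes server carrying its real 172.16.28.x source, and the reply to a 172.16/16 destination is exempted from the source rewrite by the prio 1000 rule (and would bypass FW1 entirely if the server had a route through FW2), so the desktop receives a reply from 172.16.29.2 rather than from the address it dialled and the connection fails. That asymmetric return path is what the remark about needing "reverse NAT" for hosts in front of the NAT box refers to.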