Hello all, I'd like to mention a few ideas, and hope that at least some of them are helpful :)
From my practice in building firewall-routers on Solaris 8 and 10, IPFilter itself does not demand that your physical (or VLAN) interface is *configured* in the OS with an IP address which you are NATing/RDRing with. As long as this interface can receive and send packets for the IP address in question, it can NAT them. Configuring an IP address on the aliased interface is just one way to make other systems on the network send these IP packets to this particular interface's MAC address. For example, if this machine is a known gateway to a subnet, and all packets go through it anyway, you can NAT with any address from the protected network by specifying it on the external interface in the ipnat rules, without ifconfig'ing this address to the external interface.

So your rule does not seem problematic, although I'd use a specific address, as in the working examples below:

    rdr dmfe254001 192.168.254.253/32 port 80 -> 192.168.1.70 port 80 tcp

or

    rdr dmfe254001 192.168.254.252/32 port 2270 -> 192.168.1.70 port 22 tcp

Another common problem is routing - what does your machine think of the route back to the LDAP client? Perhaps it is using a different interface and/or IP address to originate the responses (i.e. the primary IP of the interface), since the LDAP server is bound to loopback and doesn't care about its actual src address? For tests, see if host routes with setsrc help, i.e.

    server# route add ldapclient/32 gw -setsrc ldap.ser.ver.ext

If they help, this is one direction to search for a solution... Then you might want to bind the LDAP server to the IP address of the aliased interface, for example.

Finally, see if you have ipfilter rules prohibiting this sort of connection (to internal-ip port 389/tcp).

And at last, for port redirection to loopback or whatever other address, you might like netcat via inetd instead of ipnat at all.

1) You add this (as a single line!) to /etc/inetd.conf:

    ldap-3891 stream tcp nowait root /usr/local/bin/nc \
        /usr/local/bin/nc -w 3 127.0.0.1 389

   (if you also need to set the SRC address, use parameter -s)

2) Add this line to /etc/services:

    ldap-3891 3891/tcp

3) And in case of Solaris 10, run:

    # inetconv -i /etc/inetd.conf

This should create an SMF inetd service which listens on port 3891/tcp and, in case of connections, runs netcat and creates a tunnel to the LDAP server. You can expand on this to make a script and "tee" the session's traffic to its individual log file, etc. - quite helpful in debugging stuff :)

//Jim

Terry Dawson wrote:
> > Briefly stated, IP filter rules cannot be set for logical interfaces. You must use the associated physical interface. The existence of a logical interface is at the IP layer. If you set a rule for a physical interface then IP filter will see packets destined to all logical interfaces on that physical interface and will NAT/filter all of them. Note that you can set up rules for a virtual (VLAN) interface, for example ce1000. If for some reason setting up the rule for the physical interface does not work for you then let us know what you are trying to do and hopefully we can come up with a solution.
>
> Thank you Ashwani,
>
> Unfortunately using:
>
>     rdr ce0 0.0.0.0/0 port 3891 -> 127.0.0.1 port 389
>
> doesn't work. When we attempt to connect to the virtual interface ce0:1 packets are swallowed. The connection isn't refused, no association is returned in:
>
>     ipnat -l
>
> and there is certainly no response.
>
> We're simply trying to provide a user-transparent means of switching between two LDAP directory instances. We figured port redirection would serve us well and indeed, in our testing it did. On our production machine we've been given a virtual interface to work with and we've encountered this problem.
>
> regards
> Terry
--
Климов Евгений, Jim Klimov
Technical Director / CTO
ЗАО "ЦОС и ВТ" / JSC COS&HT
+7-903-7705859 (cellular) mailto:[email protected]
CC: [email protected], [email protected]
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
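To make the physical-versus-logical interface point above concrete, here is an added example (editor's code, not from anyone in this thread) that parses rdr rules in the form quoted here and predicts which packets they would redirect. It assumes simplified semantics: a rule names the physical or VLAN interface, a logical alias such as ce0:1 is seen by ipnat as ce0, the first matching rule wins, and only the `rdr <if> <addr>/<mask> port N -> <addr> port M [tcp|udp]` subset of ipnat.conf syntax is handled.

```python
# Added example (not from the thread): toy matcher for ipnat "rdr" rules as written above.
# Assumed, simplified semantics: a rule names the physical or VLAN interface, a logical
# alias such as ce0:1 is seen by ipnat as ce0, and the first matching rule wins.
import ipaddress
import re
from collections import namedtuple

# Only this subset of ipnat.conf syntax is handled:
#   rdr <if> <addr>/<mask> port <dport> -> <newaddr> port <newport> [tcp|udp]
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<net>\S+)\s+port\s+(?P<dport>\d+)\s*->\s*"
    r"(?P<to_addr>\S+)\s+port\s+(?P<to_port>\d+)(?:\s+(?P<proto>tcp|udp))?$"
)
# proto is "tcp", "udp", or "any" when the rule names no protocol
RdrRule = namedtuple("RdrRule", "ifname net dport to_addr to_port proto")

def parse_rdr(line):
    m = RDR_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rdr syntax: %r" % line)
    return RdrRule(m["ifname"], ipaddress.ip_network(m["net"], strict=False),
                   int(m["dport"]), m["to_addr"], int(m["to_port"]),
                   m["proto"] or "any")

def physical_if(name):
    # ipnat works below the logical-interface layer: "ce0:1" is just "ce0" here.
    return name.split(":", 1)[0]

def redirect(rules, in_if, dst_ip, dst_port, proto):
    """Return (new_ip, new_port) from the first matching rule, or None if untouched."""
    pif = physical_if(in_if)
    for r in rules:
        if r.ifname != pif or r.dport != dst_port:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if ipaddress.ip_address(dst_ip) not in r.net:
            continue
        return (r.to_addr, r.to_port)
    return None

# Rules quoted in the thread: Terry's catch-all on ce0 and one of Jim's /32 examples.
RULES = [parse_rdr(s) for s in (
    "rdr ce0 0.0.0.0/0 port 3891 -> 127.0.0.1 port 389",
    "rdr dmfe254001 192.168.254.253/32 port 80 -> 192.168.1.70 port 80 tcp",
)]
```

Under these assumptions a packet arriving for the alias ce0:1 on port 3891/tcp matches Terry's ce0 rule, so a rule that matches in this model but not on the real box points at routing, a blocking ipf rule, or the return path rather than at the rdr syntax itself.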
