For some reason the firewall I am building is no longer doing NAT.
I think the tcpdump for ex0 at the bottom should say from 168.192.136.13, not 10.16.1.100. Can't figure out why.

Any debugging help would be appreciated.

# ipf -V
ipf: IP Filter: v4.1.3 (396)
Kernel: IP Filter: v4.1.3
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0
Feature mask: 0xa
# uname -a
NetBSD newton 2.1 NetBSD 2.1 (FIREWALL) #1: Sun Nov 6 20:56:13 CST 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/FIREWALL i386

ipnat.conf
# -------------------------------------------------------------------------
# Use ipfilter ftp proxy for ftp client transfers mode: active
map tlp0 10.16.1.0/24 -> 0/32 proxy port ftp ftp/tcp

# Map all tcp and udp connections from 192.168.1.0/24 to external IP addres
# changing the source port number to something between 40,000 and 60,000 in ve
map tlp0 10.16.1.0/24 -> 0/32 portmap tcp/udp 40000:60000

# For all other IP packets, map to the external IP address
map tlp0 10.16.1.0/24 -> 0/32

/etc/ipf.conf
pass in all
pass out all

/etc/sysctl.conf
net.inet.ip.forwarding=1

# ifconfig -a
tlp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:5a:4a:a4:5f
        media: Ethernet none (none)
        inet 10.16.1.1 netmask 0xffffff00 broadcast 10.16.1.255
ex0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        capabilities=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
        enabled=0
        address: 00:50:da:2d:be:3a
        media: Ethernet none (none)
        inet 168.192.136.13 netmask 0xffffff00 broadcast 168.192.136.255
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33196
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500

# netstat -rn
Routing tables

Internet:
Destination     Gateway            Flags     Refs     Use    Mtu  Interface
default         64.81.136.1        UGS         1      671      -  ex0
10.16.1/24      link#1             UC          2        0      -  tlp0
10.16.1.10      link#1             UHLc        0        1      -  tlp0
10.16.1.100     link#1             UHLc        1        2      -  tlp0
168.192.136/24  link#2             UC          2        0      -  ex0
168.192.136.1   00:90:1a:40:8f:c8  UHLc        1        0      -  ex0
127/8           127.0.0.1          UGRS        0        0  33196  lo0
127.0.0.1       127.0.0.1          UH          1        4  33196  lo0

ex0 is external nic
tlp0 is internal nic


On an internal node (10.16.1.100)
ping yahoo.com

On the netbsd box.
tcpdump tlp0 host 10.16.1.100
tcpdump: listening on tlp0
09:49:22.760785 10.16.1.1.40005 > 10.16.1.100.ssh: P 1608206970:1608207018(48) ack 3894317329 win 65535 (DF) [tos 0x10]
09:49:22.763303 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:22.763442 10.16.1.100.ssh > 10.16.1.1.40005: P 1:49(48) ack 48 win 8704 (DF) [tos 0x10]
09:49:22.960039 10.16.1.1.40005 > 10.16.1.100.ssh: . ack 49 win 65535 (DF) [tos 0x10]
09:49:27.767555 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:32.777534 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:37.787634 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:42.797797 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:49:47.807714 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:49:52.817867 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:49:57.829560 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:50:02.839068 10.16.1.100.ssh > 10.16.1.1.40005: P 49:145(96) ack 48 win 8704 (DF) [tos 0x10]
09:50:02.839078 10.16.1.100.ssh > 10.16.1.1.40005: P 145:209(64) ack 48 win 8704 (DF) [tos 0x10]
09:50:02.839236 10.16.1.1.40005 > 10.16.1.100.ssh: . ack 209 win 65535 (DF) [tos 0x10]

# tcpdump -i ex0 host 10.16.1.100
tcpdump: listening on ex0
09:49:22.763379 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:27.767619 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:32.777595 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:37.787690 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:42.797853 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:49:47.807770 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:49:52.817983 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:49:57.829617 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)


--
Steve Pribyl
Steve AT NetFuel dot com
Computer Infrastructure Practitioner
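The symptom in the post is a private source address (10.16.1.100) showing up untranslated on the external NIC. The checker below, an added example that is not part of the post, scans tcpdump lines from the external interface for RFC 1918 sources and also flags ipnat `map` rules that are not written against the external interface, since ipnat keys map rules on the interface packets leave through (here ex0, while every rule in the post names tlp0). The two capture lines are copied from the post's ex0 dump; the third line and the interface names are constructed for the example.

```python
import ipaddress
import re

# RFC 1918 space; a source in here leaving the external NIC was not translated.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Classic tcpdump line shape used in the post: "HH:MM:SS.usec src.port > dst.port: ..."
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) > (?P<dst>\S+):")
MAP_RE = re.compile(r"^\s*map\s+(?P<ifname>\S+)\s+(?P<src>\S+)")


def host_of(endpoint):
    """Drop the trailing .port/.service from an endpoint such as 10.16.1.100.32772."""
    return endpoint.rpartition(".")[0]


def untranslated_egress(lines, external_ip):
    """Return (timestamp, src_host, dst_host) for packets whose source is a private address
    other than external_ip itself (kept so the check still works behind another NAT)."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src = host_of(m.group("src"))
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # a hostname (dns.chi1.speakeasy.net) is a resolved remote, not a leak
        if addr != ipaddress.ip_address(external_ip) and any(addr in n for n in PRIVATE_NETS):
            hits.append((m.group("ts"), src, host_of(m.group("dst"))))
    return hits


def misplaced_map_rules(conf_text, external_if):
    """ipnat map rules name the interface packets leave through, so outbound NAT
    rules should use external_if; return the map rules that do not."""
    return [line.strip() for line in conf_text.splitlines()
            if (m := MAP_RE.match(line)) and m.group("ifname") != external_if]


# First two lines are from the post's ex0 capture; the third is constructed to show a translated query.
EX0_CAPTURE = [
    "09:49:22.763379 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)",
    "09:49:27.767619 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)",
    "09:49:32.777595 168.192.136.13.40001 > dns.chi1.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)",
]
IPNAT_CONF = "map tlp0 10.16.1.0/24 -> 0/32 portmap tcp/udp 40000:60000\nmap tlp0 10.16.1.0/24 -> 0/32\n"

if __name__ == "__main__":
    for ts, src, dst in untranslated_egress(EX0_CAPTURE, "168.192.136.13"):
        print(f"{ts} untranslated {src} -> {dst} on external interface")
    for rule in misplaced_map_rules(IPNAT_CONF, "ex0"):
        print(f"map rule not on external interface: {rule}")
```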
