Hi Jim,

After rereading #1 I realized it was a null mapping, so by doing:

map eth1 from 10.254.1.0/24 to 192.168.0.0/16 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 10.0.0.0/8 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 172.16.0.0/20 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32

ipnat seems to do what I need.

Thanks a bunch.
Steve

Jim Klimov wrote:
This needs a bit more thinking, but yes - in my practice
too, you can't make many exceptions with "! destination".
You can have many similar rules like examples 1 and 2.

So you can make many non-nat rules as in example 1, and
follow these rules by NATing other packets going to a
specific range of destinations and/or by default as per
example 2. Might not even need example 3 sometimes.

Steve Clark writes:
Jim Klimov wrote:
 > What I need is to be able to specify instead of "any" only routable
 > address ranges. Maybe something like:
 > map eth1 from 10.254.1.0/24 to range 0.0.0.1 - 9.255.255.255 ->
 > 10.0.133.102/32

Hi, Steve,

   You can use subnet notation, i.e. we have rules like these
on Solaris 8 x86, IPF 4.1.28:

1) Don't NAT to a different address (pass packets as is) when
routing to a specific destination subnet (segments of LAN):
map elxl1 from 192.168.129.0/24 to 149.49.64.0/24 -> 0.0.0.0/0
map elxl1 from 192.168.119.0/24 to 192.168.130.0/23 -> 0.0.0.0/0

2) Do NAT certain SRCs going to certain DSTs (remote partner's
office over VPN, they don't know of our 192.168.* addresses):
map elxl1 from 192.168.117.0/24 to 10.1.0.0/16 -> 195.66.181.161/32

3) Do NAT certain SRCs going to "anywhere except certain DSTs":
map elxl1 from 192.168.129.128/27 ! to 192.168.42.0/24 -> 195.66.181.113/32
The above would work if I could specify multiple "! to destinations". In the specific case we have multiple non-routables on the other side of the gre/vpn, like 10.0.0.0 and 172.16.0.0, so I don't want anything coming from the private network on this side that is destined to an address on the other side of the gre/vpn to be NATed.

With linux I can:
create a new chain,
iptables -t nat -N mychain

add rules that either accept or masquerade depending on destination address,
iptables -t nat -A mychain -d 10.0.0.0/24 -o eth1 -j ACCEPT
iptables -t nat -A mychain -d 192.168.0.0/16 -o eth1 -j ACCEPT
iptables -t nat -A mychain -d 172.16.0.0/20 -o eth1 -j ACCEPT
iptables -t nat -A mychain -o eth1 -j MASQUERADE

send all packets to mychain to decide whether to nat or not.
iptables -t nat -A POSTROUTING  -o eth1 -j mychain

which creates a new chain that all candidate packets are passed to: if the destination is a private address, the packet hits the ACCEPT target so nothing further happens; if not, it hits the MASQUERADE target and is NATed.

Hmm... after thinking about it I might not even have to create a new chain; I could probably do it in the POSTROUTING chain of the nat table.

Thanks,
Steve

Hope these live examples help...

Steve Clark writes:
Hi Darren,

I am running into a problem with ipnat on linux when using gre over ipsec. I have gre tunnels which use non-routable address endpoints which are tunneled over ipsec to run ospf.

my normal ipnat config looks like this on FreeBSD, which works but doesn't on linux:
map eth1 from 10.254.1.0/24 to any port=21 -> 10.0.133.102/32 proxy port 21 ftp/tcp
map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32 portmap tcp/udp 40000:60000
map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32

The problem is that in linux the esp encapsulation happens last, so anything going across the GREs is being NATed.

What I need is to be able to specify instead of "any" only routable address ranges. Maybe something like:
map eth1 from 10.254.1.0/24 to range 0.0.0.1 - 9.255.255.255 -> 10.0.133.102/32

Or am I missing something and there is already a way to do this?

BTW if I remove the "map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32" then my GREs work, but I can't ping the internet because the ICMP is not mapped.

Thanks for any advice,
Steve
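A small model of how ipnat walks the map list, added here as an editorial example; it is not code from the thread or from IPFilter. It assumes first-match semantics for map rules (the first rule whose interface, source and destination match is the one used, which is what lets the 0.0.0.0/0 null mappings above act as exclusions when they come first), ignores port, proxy and portmap options, and treats a 0.0.0.0/0 target as "leave the source address alone". It parses the four rules from Steve's working config (embedded below as constructed input) and checks that destinations inside the excluded ranges keep their source address while everything else is rewritten to 10.0.133.102. It also shows one thing the thread does not spell out: the /20 on the 172.16.0.0 rule covers only 172.16.0.0-172.16.15.255, so a destination such as 172.16.20.1 falls through to the NAT rule. Jim's "! to" form is modelled as a single negated destination. Verify the first-match behaviour against the ipnat(5) man page for your IPFilter version before relying on the model.

```python
import ipaddress

# Constructed input: the four map rules from Steve's working eth1 config.
RULES = """\
map eth1 from 10.254.1.0/24 to 192.168.0.0/16 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 10.0.0.0/8 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 172.16.0.0/20 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32
"""

# Constructed input: Jim's example 3, a single negated destination.
NEGATED_RULE = "map elxl1 from 192.168.129.128/27 ! to 192.168.42.0/24 -> 195.66.181.113/32"

NULL_TARGET = "0.0.0.0/0"   # "map ... -> 0.0.0.0/0" passes the packet unchanged


def _net(token):
    """'any' is shorthand for 0.0.0.0/0; everything else is CIDR."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    """Parse the subset of ipnat map syntax used in this thread:
    map <iface> from <src> [!] to <dst> [port=N] -> <target> [options...]
    Ports, proxy and portmap options are kept as text but not evaluated."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        try:
            if tok[0] != "map" or tok[2] != "from":
                raise ValueError("not a map rule")
            src = _net(tok[3])
            i = 4
            negate = tok[i] == "!"
            if negate:
                i += 1
            if tok[i] != "to":
                raise ValueError("expected 'to'")
            dst = _net(tok[i + 1])
            i += 2
            while tok[i] != "->":        # skip e.g. "port=21" (not modelled)
                i += 1
            target = tok[i + 1]
            options = " ".join(tok[i + 2:])
        except (IndexError, ValueError) as exc:
            raise ValueError("line %d: unsupported rule syntax (%s): %s"
                             % (lineno, exc, line))
        rules.append({"iface": tok[1], "src": src, "dst": dst, "negate": negate,
                      "target": target, "options": options, "text": line})
    return rules


def lookup(rules, iface, src_ip, dst_ip):
    """First-match walk (assumed ipnat semantics): return the first rule whose
    interface, source and (possibly negated) destination all match, else None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["iface"] != iface or src not in rule["src"]:
            continue
        hit = dst in rule["dst"]
        if rule["negate"]:
            hit = not hit
        if hit:
            return rule
    return None


def translate(rules, iface, src_ip, dst_ip):
    """Source address the packet leaves with: unchanged when nothing matches or
    the matching rule is a null mapping; otherwise the first address of the
    target block (real ipnat may pick any address within a target range)."""
    rule = lookup(rules, iface, src_ip, dst_ip)
    if rule is None or rule["target"] == NULL_TARGET:
        return src_ip
    return str(ipaddress.ip_network(rule["target"], strict=False).network_address)


if __name__ == "__main__":
    rules = parse_rules(RULES)
    for dst in ("10.0.0.7", "192.168.3.4", "172.16.15.1", "172.16.20.1", "8.8.8.8"):
        rule = lookup(rules, "eth1", "10.254.1.5", dst)
        print("%-14s -> src %-14s via: %s" % (dst, translate(rules, "eth1", "10.254.1.5", dst),
                                             rule["text"] if rule else "no match"))
```

Run it as a script to see which rule each destination hits; the 172.16.20.1 line shows the /20 gap, and swapping the "to any" rule to the top of RULES would make every destination NAT, which is the ordering mistake the model is meant to catch before the rules reach a live gateway.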