Hey,
I am in dire need of some assistance regarding a problematic NAT
setup I am working with right now.
My Goal:
a) To have a working static (1 to 1) NAT between IPs on my intranet and
those on the Internet.
My Situation:
a) I have a cable-modem which has 2 IP addresses bound to it, each IP has
its own gateway on a different subnet.
IP 1 : 24.42.58.175/25 GW : 24.42.58.129 (to be used with LINUX-FIREWALL)
IP 2 : 24.43.5.170/25 GW : 24.43.5.129 (to be used with WIN98PC)
b) My Linux box acts as the firewall/NAT-router for my LAN consisting of 1
additional PC (a windows 98se box).
CABLEMODEM<-(ETH0)->LINUX-FIREWALL<-(ETH1)->WIN98PC
Ethernet devices listed are those on the LINUX-FIREWALL.
The connection between ETH0 and the cable-modem is a
'straight' RJ45 cable. The connection between ETH1 and
the WIN98PC is a crossover cable.
My Problem:
a) The WIN98PC has far too many ports that need to be forwarded out on a
dynamic basis (games/etc. apps), and some that use static client ports,
which conflict if the same app is run from the LINUX-FIREWALL. That, and
the fact that I have multiple IP addresses, rules out masquerading.
b) After building a kernel capable of static NAT and grabbing the
iproute2+tc suite, I attempt to NAT my WIN98PC with the extra address
intended for it. However, problems arise as follows:
(the box currently has no networking profile and must be initialized)
SCENARIO - 1
# ip address add 24.42.58.175/25 dev eth0 brd +
# ip address add 24.43.5.170/25 dev eth0 brd +
# ip address add 192.168.0.1/24 dev eth0 brd +
# ip address add 127.0.0.1/8 dev lo
# for var in `awk -F ':' 'NR > 2 { gsub(/ /, "", $1); printf "%s ", $1 }' /proc/net/dev`
> do
>     ip link set dev $var up
> done
# ip route add equalize default \
> nexthop via 24.42.58.129 dev eth0 weight 1 \
> nexthop via 24.43.5.129 dev eth0 weight 1
Provided `ip route' doesn't crap out saying 24.43.5.129 is unreachable
(as it's odd to have 2 IPs [not aliases] on 1 device), we can move along
to performing the NAT.
# ip route add nat 24.43.5.170 via 192.168.0.2
# ip rule add from 192.168.0.2 nat 24.43.5.170
# echo 1 > /proc/sys/net/ipv4/ip_forward
Herein lies the second problem: as long as the IP address we want to NAT
exists locally, RTNETLINK can't/won't add the NAT rule. However, if we
remove the second IP 24.43.5.170/25 from eth0, adding a route entry
will return as unreachable! So I thought to add the ARP entry manually, to
fool my routing table into thinking everything was where it should be.
# ip neighbour add 24.43.5.129 lladdr 00:00:77:92:55:D5 dev eth0
Alas, this didn't solve my problems, as the routing appeared to still be
broken. Sending an ICMP echo-request (type 8) from WIN98PC to some
friendly Internet host while translated did not receive a reply (pinging
that same host locally from the LINUX-FIREWALL did, though [no packet
filtering is being run anywhere]).
SCENARIO - 2
Same as SCENARIO - 1, only 24.43.5.170/25 is added as an alias:
# ip address add 24.43.5.170/25 dev eth0 brd + label eth0:nat0
Same results
NOTE!! - This setup HAS worked 3 times. "Worked" meaning what I outlined
in my goal was happening (hell, I was even able to telnet to the WIN98PC's
NetBIOS port from another machine!). However, each OTHER time (including
right now and the past week) I tried to reproduce this same situation, it
failed. Something I'm not seeing here (order of events, cache times...) is
making and breaking it.
-- Many headaches later --
Save my brain...
=)
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
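For comparison, the same setup written as a script, as an added example that is not part of the original post or of iproute2's own documentation. It assumes the poster's addresses and devices (eth0 toward the modem, eth1 toward the WIN98PC, 192.168.0.2 for the PC) and a 2.2/2.4 kernel built with CONFIG_IP_ROUTE_NAT, which is the stateless "ip route add nat" feature the post relies on. The routing table number (200), the DRY_RUN switch and the script name are assumptions. It departs from the post in four places: 24.43.5.170 is never assigned to eth0, because the nat route is refused for a local address; a host route to 24.43.5.129 is added first so that gateway is accepted as a nexthop even though no local address covers its /25; a proxy ARP entry is added so the cable gateway still gets an answer when it ARPs for 24.43.5.170 on the segment; and the nat rule names a separate table so the translated PC's replies leave via 24.43.5.129 rather than the firewall's own default gateway.

```shell
#!/bin/sh
# Added example (not from the original post): stateless 1:1 NAT for one
# extra public address using the old iproute2 "ip route add nat" and
# "ip rule ... nat" feature (2.2/2.4 kernels with CONFIG_IP_ROUTE_NAT).
# Addresses, gateways and devices are those given in the post; the table
# number and the DRY_RUN switch are assumptions made for this example.
# Usage (assumed file name):  sh nat.sh setup      (as root)
#                             DRY_RUN=1 sh nat.sh setup   (print only)

WAN_DEV=eth0                 # toward the cable modem
LAN_DEV=eth1                 # toward the WIN98PC (crossover cable)
WAN_ADDR=24.42.58.175/25     # IP 1, the firewall's own public address
WAN_GW=24.42.58.129
NAT_PUB=24.43.5.170          # IP 2, mapped 1:1 to the WIN98PC; never assigned locally
NAT_GW=24.43.5.129
LAN_ADDR=192.168.0.1/24
LAN_HOST=192.168.0.2         # WIN98PC's private address
NAT_TABLE=200                # assumed routing table for the translated host's replies

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_static_nat() {
    # 1. Addresses and links. IP 2 is deliberately NOT added: the kernel
    #    refuses a "nat" route for an address that is local.
    run ip address add "$WAN_ADDR" dev "$WAN_DEV" brd +
    run ip address add "$LAN_ADDR" dev "$LAN_DEV" brd +
    run ip link set dev "$WAN_DEV" up
    run ip link set dev "$LAN_DEV" up

    # 2. Ordinary default route for the firewall's own traffic.
    run ip route add default via "$WAN_GW" dev "$WAN_DEV"

    # 3. The second gateway sits in a /25 that no local address covers, so
    #    tell the kernel it is directly reachable on eth0 before any route
    #    names it as a nexthop; otherwise "via $NAT_GW" is rejected.
    run ip route add "$NAT_GW" dev "$WAN_DEV"

    # 4. Inbound: packets to NAT_PUB get their destination rewritten to
    #    LAN_HOST and are forwarded over eth1.
    run ip route add nat "$NAT_PUB" via "$LAN_HOST"

    # 5. Outbound: replies from LAN_HOST get their source rewritten to
    #    NAT_PUB and the route lookup continues in NAT_TABLE, whose only
    #    route sends them through NAT_GW, the gateway that owns that /25.
    run ip route add default via "$NAT_GW" dev "$WAN_DEV" table "$NAT_TABLE"
    run ip rule add from "$LAN_HOST" nat "$NAT_PUB" table "$NAT_TABLE"

    # 6. NAT_GW still ARPs for NAT_PUB on the cable segment; the address is
    #    not configured on eth0, so answer those requests on its behalf.
    run ip neighbour add proxy "$NAT_PUB" dev "$WAN_DEV"

    # 7. Forwarding last, once every rule is in place.
    run sysctl -w net.ipv4.ip_forward=1
}

# The three things to re-check when the setup "stops working": the rule,
# the per-table default route, and the nat route in the main table.
show_nat_state() {
    run ip rule show
    run ip route show table "$NAT_TABLE"
    run ip route show
}

case "${1:-}" in
    setup) setup_static_nat ;;
    show)  show_nat_state ;;
esac
```

Bringing eth0 down and up again, or re-adding 24.43.5.170 as an alias as in SCENARIO - 2, undoes parts of this (the proxy entry and the nat route respectively), which is the kind of order-of-events dependency the post suspects; running the script's show step after each change makes such losses visible.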