I slowly begin to understand what this is about. Another drawing:

Internet
|
|
63.101.129.70 (public IP - controlled by isp)
10.0.40.1/32 (ISP owned; NAT)
|
|
10.0.40.30/32 -------> 168.243.206.8/29 subnet
192.168.1.1/32 NAT
|
|
192.168.1.0/24 LAN

The 168.243.206.8/29 subnet is intended to be connected via 10.0.40.30 and
63.101.129.70 to the internet. Am I right?

If yes, this would mean the ISP would have to route his 10.0.40/21 subnet into
the internet. AFAIK this is not allowed.

It looks like you have to redesign your network. E.g. like this:

Internet
|
|
router WAN address
router LAN address(e.g. 168.243.206.9)
|
168.243.206.8/29 subnet
|
168.243.206.10
192.168.1.1/32 Linux NAT Box
|
|
192.168.1.0/24 Your LAN

because you cannot route traffic through an RFC 1918 addressed LAN destined
to the internet. Some reasons:

1. Traffic MUST be NAT'ed on the gateway masquerading the 10. subnet and
   therefore the 10. subnet is unreachable from the internet.
2. It's not allowed by IANA to route IPs of subnets defined in RFC 1918 into
   the internet.
3. No other ISP will ever set up a route into a 10 subnet and so your hosts
   stay unreachable.

What you describe here is not your problem, it's your ISP's. For you, this is
unsolvable. You don't control your ISP's network unless you hack your
ISP's routers.

> -----Original Message-----
> From: Oscar Valdez [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 12 April 2002 20:09
> To: Jason Pappas; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Redirecting packets
>
>
> Thank you for your responses and for your drawing, Philipp.
>
> This is the current setup:
>
> Internet
> |
> |
> 63.101.129.70 (public IP - controlled by isp)
> 10.0.40.1/21 (ISP owned; NAT)
> |
> |
> 10.0.40.30/21 (ISP owned; NAT)
> 192.168.1.1/32 NAT
> |
> |
> 192.168.1.0/32 LAN
>
> As for my block of public IP addresses (it's block 168.243.206.8/29, BTW),
> they are being routed by the ISP over to my 10.0.40.30 address. If you
> traceroute to 168.243.206.9 (one of my addresses), you'll see packets
> reaching 63.101.129.70, which is the ISP's NATting box, or router. The ISP
> has added routes for my address block, routing them over to address
> 10.0.40.30 (my external interface).
>
> What I'd like to do is to redirect packets received at 10.0.40.30 and
> addressed to the 168.243.206.8/29 block to one of my private addresses.
>
> I hope this clarifies my original post.
>
> And thanks for your interest.
>
> Oscar
>
> ----- Original Message -----
> From: "Jason Pappas" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; "'Oscar Valdez'"
> <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Friday, April 12, 2002 11:40 AM
> Subject: Re: Redirecting packets
>
>
> If you registered your own block of PUBLIC IP addresses, NAT is not the
> solution to get the addresses "visible" on the internet. The problem is
> that people on the internet do not know how to get to you.
>
> You must set up routing so that people on the internet know how to get to
> you. This is non-local (not your Linux box) routing. Normally this is done
> via BGP. Simple routing rules and NAT entries on your Linux box won't let
> your new registered address be visible on the internet.
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: "'Oscar Valdez'" <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Friday, April 12, 2002 1:31 PM
> Subject: AW: Redirecting packets
>
>
> >
> > Hi
> >
> > Please correct me if I'm wrong. But what you describe sounds incredible
> > to me.
> >
> > I'm not sure whether I got you right. As much as I understood you have
> > this:
> >
> > Inet (public IP - controlled by isp)
> > 10.0.40.x/32 (ISP owned; NAT)
> > |
> > |
> > 10.0.40.30/32 (ISP owned; NAT)
> > 192.168.1.x/32 NAT
> > |
> > |
> > 192.168.1.0/24 LAN
> >
> > and you want to have this:
> >
> >
> >
> > internet
> > |
> > your.public subnet (NAT; IP owned by you)
> > |
> > isp sets up a route to your public subnet
> > |
> > 10.0.40.30/32 NAT (IP owned by ISP)
> > 192.168.1.x/32 NAT
> > |
> > |
> > 192.168.1.0/24 LAN
> >
> > So your ISP routes your 10.0.40.30 address directly into the internet.
> > Hmmm...weird technique. I don't get it.
> >
> > Can you please draw that?
> >
> > Philipp
> >
> > > -----Original Message-----
> > > From: Oscar Valdez [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, 12 April 2002 19:07
> > > To: [EMAIL PROTECTED]
> > > Subject: Redirecting packets
> > >
> > >
> > > I have a dual-homed Iptables box.
> > >
> > > Both interfaces are using "reserved" IP addresses: eth0 faces my LAN,
> > > and uses address 192.168.1.1/24, and eth1 faces my ISP's cable WAN,
> > > and uses address 10.40.0.30/21.
> > >
> > > My Iptables box source NATs my LAN's 192.168.1.0/24 packets to the
> > > 10.40.0.30 address. The ISP then source NATs all 10.40.0.0/21 packets
> > > (including mine) to a public (non-reserved) IP address, connected to
> > > the Internet.
> > >
> > > I recently registered my own public (non-reserved) IP addresses, and
> > > my ISP has added a route to those addresses, routing them over to my
> > > 10.40.0.30 address.
> > >
> > > What I would like to do is to have packets addressed to my public IP
> > > addresses NAT'ed to the Iptables box, either to address 192.168.1.1 or
> > > to 10.40.0.30.
> > >
> > > I've tried three alternatives, all of which have failed:
> > >
> > > 1) # ip route add nat <public addresses> via 192.168.1.1
> > >
> > > 2) on iptables' PREROUTING chain, DNAT --to 192.168.1.1
> > >
> > > 3) on same table, REDIRECT --to 192.168.1.1
> > >
> > > Any suggestions?
> > >
> > >
> > > Oscar A. Valdez
> > >
> > > -----------------------------------------------------------
> > > And this is the judgment: the light has come into the world,
> > > and men loved darkness rather than light, because their works
> > > were evil. For everyone who does evil hates the light and does
> > > not come to the light, lest his works be exposed; but he who
> > > does the truth comes to the light, so that his works may be
> > > made manifest, because they have been done in God.
> > > Jn 3:19-21
> > > -----------------------------------------------------------
> > >
> > >
> >
> >
>
>
>
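
The redesigned layout proposed at the top of this thread, written out as an iptables-restore ruleset for the "Linux NAT Box". This is an added example, not part of the original messages; the interface names (eth1 outside, eth0 inside), the internal server 192.168.1.10 and the published address 168.243.206.11 are assumptions.

```iptables
# Added example, not from the thread. Assumed layout:
#   eth1 = outside, 168.243.206.10/29 (default route via 168.243.206.9)
#   eth0 = inside,  192.168.1.1/24
#   192.168.1.10 = hypothetical internal web server, published on
#   168.243.206.11 (that address must also be configured on eth1 so the
#   box answers ARP for it on the /29 segment).
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound: map one public address of the /29 to the internal server.
-A PREROUTING -i eth1 -d 168.243.206.11 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
# Outbound: LAN hosts leave with a routable source address, so no
# RFC 1918 address ever appears beyond this box.
-A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 168.243.206.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
# Anti-spoofing: RFC 1918 sources have no business arriving from outside.
-A FORWARD -i eth1 -s 10.0.0.0/8 -j DROP
-A FORWARD -i eth1 -s 172.16.0.0/12 -j DROP
-A FORWARD -i eth1 -s 192.168.0.0/16 -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN to internet.
-A FORWARD -i eth0 -o eth1 -s 192.168.1.0/24 -j ACCEPT
# Only the published service is let in (destination is already DNATed here).
-A FORWARD -i eth1 -o eth0 -d 192.168.1.10 -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
```

Load it with `iptables-restore` and enable forwarding with `net.ipv4.ip_forward=1`.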