
List:       ipfilter
Subject:    Problem with mapping
From:       System Administrator <root () bridge ! millstream ! net>
Date:       1997-09-29 20:30:15


We have a bridge machine on our network doing NAT between an internal
network (10.x) and an external gateway (208.12.120.209).  The bridge
machine is a multihomed host with network cards on 10.0.0.1 and
208.12.120.211; the 208 subnet is a 16-address network starting at
208.12.120.208.

We are trying to get NAT working properly, but I think a routing element
is missing somewhere in our configuration.  As per instructions, I created
mapping rules like this, with ed0 on our internal network and ed1 on the
same network as our Internet connectivity:

map ed1 10.0.0.0/8 -> 208.12.120.211/32 portmap tcp/udp 10000:65000
map ed1 10.0.0.0/8 -> 208.12.120.211/32

Other machines on our internal network are on 10.0.0.x, where x is between
1 and 254, inclusive.  These machines use 10.0.0.1 as the gateway.

When machines internal to our network (10.x) try to use FTP to connect to
sites such as ftp.adobe.com, validation fails because they see a
connection coming in from 10.x instead of 208.12.120.211.  However, ipnat
-f shows that a valid mapping was made.  I also get error messages from
our console saying "PUNT:  no gateway . . . " or something very similar.

These problems combined tell me that the packets are getting to the NAT,
and mappings are being made, but somehow the packets get sent back out
over the 10.0.0.1 interface and the IP number of the originating machine
(10.0.0.x) gets sent as the return address, which is invalid.  Strangely
enough, when we use FTP on other machines on 208.12.120.x, it works
perfectly, even from 10.x machines.

I think perhaps a route is missing somewhere.  I have a default gateway
set to 208.12.120.209, and a gateway for packets going to 10.x set to
10.0.0.1.  This way packets destined for those machines coming from our
own machines on 208.12.120.x can get to our internal network.  I plan on
filtering out transactions to the internal network arriving from somewhere
other than our own machines.

Is there something I have to do in my normal UNIX configuration to make
sure that packets do the following?


1.  packet from 10.x wants to access IP address on Internet outside our
    site
2.  packet gets sent to 10.0.0.1, ed0 in the bridge machine running
    IPFilter
3.  return IP address gets changed to 208.12.120.211 port y
4.  packet goes out with new return address, on interface ed1 which is
    at 208.12.120.211
5.  Since the address is outside our networks the packet goes through
    gateway 208.12.120.209
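Steps 1 to 5 above describe translation of IP and TCP headers only. The following is an added example, written for this page and not part of the original post or of IPFilter: a small Python model of that header-only mapping placed next to the same mapping with an FTP application proxy, to show one way a remote FTP server can end up seeing a 10.x address even though the mapping table looks right. In active-mode FTP the client puts its own address inside the PORT command on the control channel, which header NAT leaves untouched; ipnat covers this case with its FTP proxy (a map rule of the form `map ed1 10.0.0.0/8 -> 208.12.120.211/32 proxy port ftp ftp/tcp`). The inside network, outside address and portmap range are taken from the post; the server-side PORT check, the sequential port allocation, the 192.0.2.10 server address and the sample session are constructed assumptions for illustration.

```python
"""Toy model of header-only NAT vs. NAT with an FTP application proxy.
Added example, not ipnat code: inside net, outside address and portmap range
come from the post; the server check, PORT rewrite and session are constructed."""
import re
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

INSIDE_NET = ip_network("10.0.0.0/8")
OUTSIDE_ADDR = "208.12.120.211"            # ed1 address in the post
PORTMAP_LO, PORTMAP_HI = 10000, 65000       # "portmap tcp/udp 10000:65000"
# RFC 959 active-mode PORT command: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


def _port_addr(m) -> str:
    return ".".join(m.group(i) for i in range(1, 5))


class Nat:
    """Source NAT with port mapping; optionally rewrites FTP PORT commands."""

    def __init__(self, ftp_proxy: bool):
        self.ftp_proxy = ftp_proxy
        self.next_port = PORTMAP_LO
        self.table: Dict[int, Tuple[str, int]] = {}   # ext port -> (inside addr, port)

    def _map(self, inside_addr: str, inside_port: int) -> int:
        # One external port per inside (address, port) pair, taken from the range.
        if self.next_port > PORTMAP_HI:
            raise RuntimeError("portmap range exhausted")
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = (inside_addr, inside_port)
        return ext_port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving through the outside interface."""
        if ip_address(pkt.src) not in INSIDE_NET:
            return pkt                               # not from 10/8: untouched
        ext_port = self._map(pkt.src, pkt.sport)
        payload = pkt.payload
        if self.ftp_proxy and pkt.dport == 21:
            payload = self._rewrite_port(pkt.src, payload)
        return Packet(OUTSIDE_ADDR, ext_port, pkt.dst, pkt.dport, payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply or an active-FTP data connection coming back in."""
        if pkt.dst != OUTSIDE_ADDR or pkt.dport not in self.table:
            return None                              # no mapping: dropped
        inside_addr, inside_port = self.table[pkt.dport]
        return replace(pkt, dst=inside_addr, dport=inside_port)

    def _rewrite_port(self, inside_addr: str, payload: str) -> str:
        # Header NAT never looks at the payload; an FTP proxy does, and advertises
        # the outside address plus a freshly mapped port for the data connection.
        m = PORT_CMD.match(payload)
        if not m or _port_addr(m) != inside_addr:
            return payload
        ext_port = self._map(inside_addr, int(m.group(5)) * 256 + int(m.group(6)))
        return "PORT %s,%d,%d\r\n" % (OUTSIDE_ADDR.replace(".", ","),
                                      ext_port // 256, ext_port % 256)


def ftp_server_check(pkt: Packet) -> str:
    """Check many FTP daemons apply: the PORT address must match the control
    connection's source address, otherwise the data connection is refused."""
    m = PORT_CMD.match(pkt.payload)
    if not m:
        return "500 Syntax error"
    if _port_addr(m) != pkt.src:
        return "500 Illegal PORT command: %s is not %s" % (_port_addr(m), pkt.src)
    return "200 PORT command successful"


def run_session(ftp_proxy: bool) -> Tuple[str, str, Optional[Packet]]:
    """Constructed active-mode FTP exchange: 10.0.0.5 talks to a remote server."""
    nat = Nat(ftp_proxy)
    server = "192.0.2.10"      # documentation address standing in for a real site
    # The client listens on 10.0.0.5:1025 (4*256+1) and tells the server so.
    out = nat.outbound(Packet("10.0.0.5", 1024, server, 21, "PORT 10,0,0,5,4,1\r\n"))
    reply = ftp_server_check(out)
    # The server connects back to whatever address and port PORT advertised.
    m = PORT_CMD.match(out.payload)
    data = nat.inbound(Packet(server, 20, _port_addr(m),
                              int(m.group(5)) * 256 + int(m.group(6))))
    return out.src, reply, data


if __name__ == "__main__":
    for proxy in (False, True):
        src, reply, data = run_session(proxy)
        print("ftp proxy=%-5s seen from %s; %s; data connection -> %s"
              % (proxy, src, reply, data))
```

Run stand-alone, the header-only case shows the control connection arriving from 208.12.120.211 while the PORT command still names 10.0.0.5, so the server refuses it and the data connection back to 10.0.0.5 never reaches the mapping; with the proxy the PORT command names the outside address and a port from the portmap range, and the returning data connection is translated to the inside host. Check that the `ipnat -l` output contains the FTP proxy mappings as well as the plain portmap ones.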

