List: ipfilter
Subject: Re: nat problem
From: Steve Clark <sclark () netwolves ! com>
Date: 2009-08-26 16:35:14
Message-ID: 6223_1251304812_4A95656B_6223_244_1_4A956442.5050808 () netwolves ! com
Hi Jim,
after rereading #1 I realized it was a null mapping so by doing:
map eth1 from 10.254.1.0/24 to 192.168.0.0/16 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 10.0.0.0/8 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 172.16.0.0/20 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32
ipnat seems to do what I need.
Thanks a bunch.
Steve
Jim Klimov wrote:
> This needs a bit more thinking, but yes - in my practice
> too, you can't make many exceptions with "! destination".
> You can have many similar rules like examples 1 and 2.
>
> So you can make many non-nat rules as in example 1, and
> follow these rules by NATing other packets going to a
> specific range of destinations and/or by default as per
> example 2. Might not even need example 3 sometimes.
>
> Steve Clark wrote:
>> Jim Klimov wrote:
>>> > What I need is to be able to specify instead of "any" only routable
>>> > address ranges. Maybe something like:
>>> > map eth1 from 10.254.1.0/24 to range 0.0.0.1 - 9.255.255.255 ->
>>> > 10.0.133.102/32
>>>
>>> Hi, Steve,
>>>
>>> You can use subnet notation, i.e. we have rules like these
>>> on Solaris 8 x86, IPF 4.1.28:
>>>
>>> 1) Don't NAT to a different address (pass packets as is) when
>>> routing to a specific destination subnet (segments of LAN):
>>> map elxl1 from 192.168.129.0/24 to 149.49.64.0/24 -> 0.0.0.0/0
>>> map elxl1 from 192.168.119.0/24 to 192.168.130.0/23 -> 0.0.0.0/0
>>>
>>> 2) Do NAT certain SRCs going to certain DSTs (remote partner's
>>> office over VPN, they don't know of our 192.168.* addresses):
>>> map elxl1 from 192.168.117.0/24 to 10.1.0.0/16 -> 195.66.181.161/32
>>>
>>> 3) Do NAT certain SRCs going to "anywhere except certain DSTs":
>>> map elxl1 from 192.168.129.128/27 ! to 192.168.42.0/24 ->
>>> 195.66.181.113/32
>> The above would work if I could specify multiple "! to destinations". In
>> the specific case
>> we have multiple non routables on the other side of the gre/vpn, like
>> 10.0.0.0 and 172.16.0.0
>> so I don't want anything coming from the private network on this side
>> that is destined to an
>> address on the other side of the gre/vpn to be natted.
>>
>> With linux I can:
>> create a new chain,
>> iptables -t nat -N mychain
>>
>> add rules that either accept or masquerade depending on destination
>> address,
>> iptables -t nat -A mychain -d 10.0.0.0/24 -o eth1 -j ACCEPT
>> iptables -t nat -A mychain -d 192.168.0.0/16 -o eth1 -j ACCEPT
>> iptables -t nat -A mychain -d 172.16.0.0/20 -o eth1 -j ACCEPT
>> iptables -t nat -A mychain -o eth1 -j MASQUERADE
>>
>> send all packets to mychain to decide whether to nat or not.
>> iptables -t nat -A POSTROUTING -o eth1 -j mychain
>>
>> which creates a new chain that all potential packets are passed to - if the
>> destination is a private address it is passed to the ACCEPT target so
>> nothing further happens;
>> if not, it hits the MASQUERADE target and is natted.
>>
>> Hmm... after thinking about it I might not even have to create a new
>> chain, probably could do it
>> in the POSTROUTING chain of the nat table.
>>
>> Thanks,
>> Steve
>>
>>> Hope these live examples help...
>>>
>>> Steve Clark wrote:
>>>> Hi Darren,
>>>>
>>>> I am running into a problem with ipnat on linux when using gre over
>>>> ipsec. I have gre tunnels
>>>> which use non routable address endpoints which are tunneled over
>>>> ipsec to run ospf.
>>>>
>>>> my normal ipnat config looks like this on FreeBSD which works but
>>>> doesn't on linux:
>>>> map eth1 from 10.254.1.0/24 to any port=21 -> 10.0.133.102/32 proxy
>>>> port 21 ftp/tcp
>>>> map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32 portmap tcp/udp
>>>> 40000:60000
>>>> map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32
>>>>
>>>> The problem is in linux the esp encapsulation happens last so anything
>>>> going across the gre's is being natted.
>>>>
>>>> What I need is to be able to specify instead of "any" only routable
>>>> address ranges. Maybe something like:
>>>> map eth1 from 10.254.1.0/24 to range 0.0.0.1 - 9.255.255.255 ->
>>>> 10.0.133.102/32
>>>>
>>>> Or am I missing something and there is already a way to do this?
>>>>
>>>> BTW if I remove the map eth1 from 10.254.1.0/24 to any ->
>>>> 10.0.133.102/32
>>>> then my gre's work but I can't ping the internet cause the icmp is
>>>> not mapped.
>>>>
>>>> Thanks for any advice,
>>>> Steve
>>>
>>
>>
>
>
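As an added illustration that is not part of the thread, the following Python script simulates how ipnat chooses a map rule: rules are tried in the order written, the first match decides, and a target of 0.0.0.0/0 is the null mapping that lets the packet leave with its original source address. It parses the rules quoted in the thread (Steve's four eth1 rules and Jim's "! to" example); the flows it evaluates and the addresses 10.254.1.20, 203.0.113.10 and 192.168.129.130 are constructed for the demo, and port, proxy and portmap options after the target are ignored.

```python
"""Simulate IPFilter ipnat 'map' rule selection (first match wins).

Constructed example for the ipfilter thread above: parses the quoted map rules
and reports, for a handful of constructed flows, whether the packet leaves
untranslated (null mapping -> 0.0.0.0/0) or with a rewritten source address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, Optional

ANY = ip_network("0.0.0.0/0")  # used both for "to any" and for the null mapping


@dataclass(frozen=True)
class MapRule:
    iface: str
    src: IPv4Network
    dst: IPv4Network          # "any" is stored as 0.0.0.0/0
    dst_negated: bool         # True for "! to <net>"
    target: IPv4Network       # 0.0.0.0/0 means "pass unchanged"

    def matches(self, iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        if iface != self.iface or src not in self.src:
            return False
        in_dst = dst in self.dst
        return not in_dst if self.dst_negated else in_dst


def parse_rule(line: str) -> MapRule:
    """Parse 'map IF from SRC [!] to DST -> TARGET [options...]'.

    Only the interface, source and destination selectors and the target are
    read; trailing port/proxy/portmap options are ignored for this demo.
    """
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "map" or tokens[2] != "from":
        raise ValueError(f"not a map rule: {line!r}")
    iface = tokens[1]
    src = ip_network(tokens[3], strict=False)
    idx, negated = 4, False
    if tokens[idx] == "!":
        negated, idx = True, idx + 1
    if tokens[idx] != "to" or tokens[idx + 2] != "->":
        raise ValueError(f"malformed selector in {line!r}")
    dst_tok = tokens[idx + 1]
    dst = ANY if dst_tok == "any" else ip_network(dst_tok, strict=False)
    target = ip_network(tokens[idx + 3], strict=False)
    return MapRule(iface, src, dst, negated, target)


def translate(rules: Iterable[MapRule], iface: str, src: str, dst: str) -> Optional[str]:
    """Return the source address the packet leaves with, or None if no rule matches.

    Mirrors ipnat's first-match behaviour: the first rule whose selectors match
    is applied; a 0.0.0.0/0 target leaves the source address untouched.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(iface, s, d):
            return src if rule.target == ANY else str(rule.target.network_address)
    return None


# Steve's working rule set, as quoted in the thread (order matters).
STEVE_RULES = [parse_rule(r) for r in (
    "map eth1 from 10.254.1.0/24 to 192.168.0.0/16 -> 0.0.0.0/0",
    "map eth1 from 10.254.1.0/24 to 10.0.0.0/8 -> 0.0.0.0/0",
    "map eth1 from 10.254.1.0/24 to 172.16.0.0/20 -> 0.0.0.0/0",
    "map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32",
)]

# Jim's example 3: NAT to "anywhere except" one destination subnet.
JIM_NEGATED = [parse_rule(
    "map elxl1 from 192.168.129.128/27 ! to 192.168.42.0/24 -> 195.66.181.113/32"
)]

if __name__ == "__main__":
    # Constructed flows from a host on the inside network (10.254.1.20).
    for dst in ("10.0.5.5", "192.168.7.1", "172.16.3.9", "172.16.20.5", "203.0.113.10"):
        print(f"eth1 10.254.1.20 -> {dst:14} leaves as {translate(STEVE_RULES, 'eth1', '10.254.1.20', dst)}")
    # Same rules with the catch-all moved first: every flow is translated.
    print("catch-all first:", translate(list(reversed(STEVE_RULES)), "eth1", "10.254.1.20", "10.0.5.5"))
```

Running it shows that, with the four rules in the order Steve posted them, traffic to 192.168/16, 10/8 and 172.16.0.0/20 leaves with its original source while everything else is mapped to 10.0.133.102; reversing the order puts the "to any" rule first and translates every flow, which is why the null mappings have to precede it. It also shows that a destination such as 172.16.20.5 lies outside 172.16.0.0/20 and is therefore still translated, a point worth checking if the far side of the tunnel uses more of the 172.16/12 space than the /20 covers.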