
List:       ipfilter
Subject:    Re: nat problem
From:       Steve Clark <sclark () netwolves ! com>
Date:       2009-08-26 16:35:14
Message-ID: 6223_1251304812_4A95656B_6223_244_1_4A956442.5050808 () netwolves ! com

Hi Jim,

After rereading #1, I realized it was a null mapping, so by doing:

map eth1 from 10.254.1.0/24 to 192.168.0.0/16 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 10.0.0.0/8 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 172.16.0.0/20 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32

ipnat seems to do what I need.

Thanks a bunch.
Steve

Jim Klimov wrote:
> This needs a bit more thinking, but yes - in my practice
> too, you can't make many exceptions with "! destination".
> You can have many similar rules like examples 1 and 2.
> 
> So you can make many non-nat rules as in example 1, and
> follow these rules by NATing other packets going to a
> specific range of destinations and/or by default as per
> example 2. Might not even need example 3 sometimes.
> 
> Steve Clark wrote:
>> Jim Klimov wrote:
>>>  > What I need is to be able to specify instead of "any" only routable
>>>  > address ranges. Maybe something like:
>>>  > map eth1 from 10.254.1.0/24 to range 0.0.0.1 - 9.255.255.255 -> 10.0.133.102/32
>>>
>>> Hi, Steve,
>>>
>>>    You can use subnet notation, i.e. we have rules like these
>>> on Solaris 8 x86, IPF 4.1.28:
>>>
>>> 1) Don't NAT to a different address (pass packets as is) when
>>> routing to a specific destination subnet (segments of LAN):
>>> map elxl1 from 192.168.129.0/24 to 149.49.64.0/24 -> 0.0.0.0/0
>>> map elxl1 from 192.168.119.0/24 to 192.168.130.0/23 -> 0.0.0.0/0
>>>
>>> 2) Do NAT certain SRCs going to certain DSTs (remote partner's
>>> office over VPN, they don't know of our 192.168.* addresses):
>>> map elxl1 from 192.168.117.0/24 to 10.1.0.0/16 -> 195.66.181.161/32
>>>
>>> 3) Do NAT certain SRCs going to "anywhere except certain DSTs":
>>> map elxl1 from 192.168.129.128/27 ! to 192.168.42.0/24 -> 195.66.181.113/32
>> The above would work if I could specify multiple "! to destinations". In
>> the specific case, we have multiple non-routables on the other side of the
>> gre/vpn, like 10.0.0.0 and 172.16.0.0, so I don't want anything coming
>> from the private network on this side that is destined to an address on
>> the other side of the gre/vpn to be natted.
>>
>> With linux I can:
>> create a new chain,
>> iptables -t nat -N mychain
>>
>> add rules that either accept or masquerade depending on destination 
>> address,
>> iptables -t nat -A mychain -d 10.0.0.0/24 -o eth1 -j ACCEPT
>> iptables -t nat -A mychain -d 192.168.0.0/16 -o eth1 -j ACCEPT
>> iptables -t nat -A mychain -d 172.16.0.0/20 -o eth1 -j ACCEPT
>> iptables -t nat -A mychain -o eth1 -j MASQUERADE
>>
>> send all packets to mychain to decide whether to nat or not.
>> iptables -t nat -A POSTROUTING  -o eth1 -j mychain
>>
>> which creates a new chain that all potential packets are passed to - if
>> the destination is a private address it is passed to the ACCEPT target, so
>> nothing further happens; if not, it hits the MASQUERADE target and is natted.
>>
>> Hmm... after thinking about it I might not even have to create a new 
>> chain, probably could do it
>> in the POSTROUTING chain of the nat table.
>>
>> Thanks,
>> Steve
>>
>>> Hope these live examples help...
>>>
>>> Steve Clark wrote:
>>>> Hi Darren,
>>>>
>>>> I am running into a problem with ipnat on linux when using gre over
>>>> ipsec. I have gre tunnels which use non-routable address endpoints,
>>>> which are tunneled over ipsec to run ospf.
>>>>
>>>> My normal ipnat config looks like this on FreeBSD, where it works, but
>>>> it doesn't on linux:
>>>> map eth1 from 10.254.1.0/24 to any port=21 -> 10.0.133.102/32 proxy port 21 ftp/tcp
>>>> map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32 portmap tcp/udp 40000:60000
>>>> map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32
>>>>
>>>> The problem is that in linux the esp encapsulation happens last, so
>>>> anything going across the gre's is being natted.
>>>>
>>>> What I need is to be able to specify instead of "any" only routable
>>>> address ranges. Maybe something like:
>>>> map eth1 from 10.254.1.0/24 to range 0.0.0.1 - 9.255.255.255 -> 10.0.133.102/32
>>>>
>>>> Or am I missing something and there is already a way to do this?
>>>>
>>>> BTW, if I remove the map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32
>>>> then my gre's work, but I can't ping the internet cause the icmp is
>>>> not mapped.
>>>>
>>>> Thanks for any advice,
>>>> Steve
>>>
>>
>>
> 
> 
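
As an added illustration (not code from this thread, from IPFilter, or from
any of the posters), the following Python model walks the four map rules from
Steve's working config the way ipnat does: first matching map rule wins, and a
target of 0.0.0.0/0 is the "null mapping" that leaves the source address alone.
The parser only understands the `map IF from NET to NET|any -> TARGET` subset
used here, and only /32 or 0.0.0.0/0 targets; the packets are constructed
samples. The `leaks` helper then carves the null-mapped destinations out of the
RFC1918 blocks, which shows that the 172.16.0.0/20 exception covers only
172.16.0.0 - 172.16.15.255, so a destination such as 172.16.16.1 still falls
through to the catch-all and is NATed; that is the kind of check worth running
before trusting a rule set like this on a tunnel that carries private addresses.

```python
import ipaddress

# Constructed copy of the four ipnat map rules from the working config above.
IPNAT_RULES = """\
map eth1 from 10.254.1.0/24 to 192.168.0.0/16 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 10.0.0.0/8 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 172.16.0.0/20 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32
"""

# A target of 0.0.0.0/0 is ipnat's "null mapping": the rule matches, but the
# source address is left untouched.
NULL_TARGET = ipaddress.ip_network("0.0.0.0/0")


def parse_rules(text):
    """Parse the toy subset of ipnat syntax used above (not the real parser):
    map <ifname> from <src-net> to <dst-net|any> -> <target>"""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        t = line.split()
        if len(t) != 8 or t[0] != "map" or t[2] != "from" or t[4] != "to" or t[6] != "->":
            raise ValueError(f"unsupported rule syntax in this toy parser: {line}")
        target = ipaddress.ip_network(t[7])
        if target != NULL_TARGET and target.prefixlen != 32:
            raise ValueError(f"only /32 or 0.0.0.0/0 targets are modelled: {line}")
        rules.append({
            "iface": t[1],
            "src": ipaddress.ip_network(t[3]),
            "dst": None if t[5] == "any" else ipaddress.ip_network(t[5]),
            "target": target,
        })
    return rules


RULES = parse_rules(IPNAT_RULES)


def apply_map(rules, iface, src, dst):
    """Return (index of the matching rule or None, resulting source, natted?).

    Assumes ipnat's first-match semantics for map rules, which is what the
    ordering "exceptions first, catch-all last" in the config relies on."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for index, rule in enumerate(rules):
        if rule["iface"] != iface or src_ip not in rule["src"]:
            continue
        if rule["dst"] is not None and dst_ip not in rule["dst"]:
            continue
        if rule["target"] == NULL_TARGET:
            return index, str(src_ip), False          # pass as is
        return index, str(rule["target"].network_address), True
    return None, str(src_ip), False                   # no map rule applies


def leaks(rules, protected):
    """List (as strings) the parts of each 'protected' destination network
    that no null mapping covers, i.e. destinations a later catch-all would
    still NAT."""
    null_dsts = [r["dst"] for r in rules
                 if r["target"] == NULL_TARGET and r["dst"] is not None]
    uncovered = []
    for net in map(ipaddress.ip_network, protected):
        remaining = [net]
        for covered in null_dsts:
            nxt = []
            for piece in remaining:
                if piece.subnet_of(covered):
                    continue                                  # fully covered
                if covered.subnet_of(piece):
                    nxt.extend(piece.address_exclude(covered))  # carve it out
                else:
                    nxt.append(piece)
            remaining = nxt
        uncovered.extend(remaining)
    return sorted(str(n) for n in uncovered)


if __name__ == "__main__":
    # Constructed packets: a LAN host behind eth1 talking to several destinations.
    for dst in ["10.0.5.1", "192.168.130.7", "172.16.3.4", "172.16.16.1", "8.8.8.8"]:
        idx, new_src, natted = apply_map(RULES, "eth1", "10.254.1.5", dst)
        print(f"to {dst:14} rule {idx}  src {new_src:14} natted={natted}")
    print("RFC1918 destinations still NATed:",
          leaks(RULES, ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]))
```

Running it prints one line per sample packet plus the list of private
sub-ranges that the catch-all still rewrites; if that list is not empty, either
widen the null-mapping exceptions or accept that those destinations are NATed.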


