
List:       ipfilter
Subject:    Re: nat problem
From:       Steve Clark <sclark () netwolves ! com>
Date:       2009-11-19 12:07:23
Message-ID: 23308_1258632715_4B05360A_23308_4476_1_4B0534FB.805 () netwolves ! com

On 11/19/2009 03:30 AM, Darren Reed wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Steve Clark wrote:
> | Hi Darren,
> |
> | I am running into a problem with ipnat on linux when using gre over
> | ipsec. I have gre tunnels which use non routable address endpoints
> | which are tunneled over ipsec to run ospf.
> |
> | My normal ipnat config looks like this on FreeBSD which works but
> | doesn't on linux:
> |
> | map eth1 from 10.254.1.0/24 to any port=21 -> 10.0.133.102/32 proxy port 21 ftp/tcp
> | map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32 portmap tcp/udp 40000:60000
> | map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32
> |
> | The problem is in linux the esp encapsulation happens last so anything
> | going across the gre's is being natted.
> |
> | What I need is to be able to specify instead of "any" only routable
> | address ranges. Maybe something like:
> |
> | map eth1 from 10.254.1.0/24 to range 0.0.0.1 - 9.255.255.255 -> 10.0.133.102/32
> |
> | Or am I missing something and there is already a way to do this?
> |
> | BTW if I remove the map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32
> | then my gre's work but I can't ping the internet because the icmp is not
> | mapped.
>
> Using 4.1, the way to do this would be:
>
> map eth1 from 10.254.1.0/24 to 0.0.0.0/8 ->  10.0.133.102/32
> map eth1 from 10.254.1.0/24 to 1.0.0.0/8 ->  10.0.133.102/32
> map eth1 from 10.254.1.0/24 to 2.0.0.0/8 ->  10.0.133.102/32
> map eth1 from 10.254.1.0/24 to 3.0.0.0/8 ->  10.0.133.102/32
> map eth1 from 10.254.1.0/24 to 4.0.0.0/8 ->  10.0.133.102/32
> map eth1 from 10.254.1.0/24 to 5.0.0.0/8 ->  10.0.133.102/32
> map eth1 from 10.254.1.0/24 to 6.0.0.0/8 ->  10.0.133.102/32
> map eth1 from 10.254.1.0/24 to 7.0.0.0/8 ->  10.0.133.102/32
> map eth1 from 10.254.1.0/24 to 8.0.0.0/8 ->  10.0.133.102/32
> map eth1 from 10.254.1.0/24 to 9.0.0.0/8 ->  10.0.133.102/32
>
> With 5.x and beyond, you would do:
>
> map eth1 from 10.254.1.0/24 to pool/100 ->  10.0.133.102/32
>
> .. and to put the above networks in pool 100.
>
> .. or am I missing something here?
>
> Darren
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAksFAhUACgkQP7JIXtvLbFVbvACgqIaCeRTK03YZcqD2eAGQVLY2
> NHIAn0+r4uHiyvwE9/pTVgdt8PbRMnCz
> =ZNrf
> -----END PGP SIGNATURE-----
>
Hi Darren,

Thanks for the response, I found that doing:

map eth1 from 10.254.1.0/24 to 192.168.0.0/16 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 10.0.0.0/8 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 172.16.0.0/20 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32

seems to do what I need.

Regards,
Steve
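The exclusion trick in the reply above, as an added example that is not part of this thread or of IPFilter itself: a small Python model of first-match `map` rule evaluation, loaded with the four rules Steve posted and run against a few constructed flows. The model's semantics are assumptions chosen to mirror what the thread reports (rules are tried in order, the first matching rule decides, and a target of 0.0.0.0/0 leaves the source address untouched); the parser only understands plain `map IF from NET to NET -> NET` rules with a /32 or /0 target, not the `proxy` or `portmap` forms. It also encodes the checks a practitioner would run on such a rule set before relying on it: the posted 172.16.0.0/20 covers only 172.16.0.0 to 172.16.15.255, so a tunnel endpoint at, say, 172.16.200.1 would still be natted, and putting the `to any` rule first natts everything, private destinations included.

```python
"""Toy first-match model of ipnat 'map' rules (added example, not IPFilter code).

Assumptions (not taken from ipnat's source): rules are evaluated in order,
the first rule whose interface, source and destination match decides, a
/32 target rewrites the source to that single address, and a 0.0.0.0/0
target means "leave the source alone", which is how the reply above
reports the exclusion rules behaving.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

MAP_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+->\s+(?P<target>\S+)$"
)

# The rules exactly as posted in the reply above (constructed input for the model).
RULES_AS_POSTED = """
map eth1 from 10.254.1.0/24 to 192.168.0.0/16 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 10.0.0.0/8 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 172.16.0.0/20 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32
"""

# Same rules with the catch-all first: under first-match this swallows everything.
RULES_ANY_FIRST = """
map eth1 from 10.254.1.0/24 to any -> 10.0.133.102/32
map eth1 from 10.254.1.0/24 to 192.168.0.0/16 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 10.0.0.0/8 -> 0.0.0.0/0
map eth1 from 10.254.1.0/24 to 172.16.0.0/20 -> 0.0.0.0/0
"""


@dataclass
class MapRule:
    ifname: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: ipaddress.IPv4Network


def parse_net(token: str) -> ipaddress.IPv4Network:
    """'any' is shorthand for the whole address space."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_rules(text: str) -> List[MapRule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MAP_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax (only plain map rules are modelled): {line!r}")
        target = parse_net(m["target"])
        if target.prefixlen not in (0, 32):
            raise ValueError(f"only /32 or /0 targets are modelled: {line!r}")
        rules.append(MapRule(m["ifname"], parse_net(m["src"]), parse_net(m["dst"]), target))
    return rules


def translate(rules: List[MapRule], ifname: str, src: str, dst: str) -> str:
    """Return the source address a packet leaves with (unchanged if no rule rewrites it)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for r in rules:  # first match wins (assumed ordering semantics)
        if r.ifname == ifname and src_ip in r.src and dst_ip in r.dst:
            if r.target.prefixlen == 0:
                return str(src_ip)  # 0.0.0.0/0 target: exclusion, source untouched
            return str(r.target.network_address)  # /32 target: rewrite to that address
    return str(src_ip)


def is_natted(rules: List[MapRule], ifname: str, src: str, dst: str) -> bool:
    return translate(rules, ifname, src, dst) != src


if __name__ == "__main__":
    posted = parse_rules(RULES_AS_POSTED)
    any_first = parse_rules(RULES_ANY_FIRST)
    # Constructed flows: a GRE endpoint in 10/8, an Internet host, and two 172.16/12 hosts,
    # one inside the posted /20 and one outside it.
    flows = ["10.0.50.1", "8.8.8.8", "172.16.3.9", "172.16.200.1"]
    for dst in flows:
        print(f"{dst:>14}  posted order -> {translate(posted, 'eth1', '10.254.1.5', dst):<14}"
              f"  any-first -> {translate(any_first, 'eth1', '10.254.1.5', dst)}")
```

Run it as a script to see the two orderings side by side; the interesting row is 172.16.200.1, which the posted rules still rewrite because /20 stops at 172.16.15.255.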
