Hello list.

I may become crazy without your help. I'm not a newbie, but...

All worked with 2.4 kernel, but when I have to move to 2.6.8.1 it's not.

I'm using "ip route nat 231.222.222.111 via 172.16.1.13" to substitute inet
address 231.222.222.111 on 172.16.1.13 during routing. Look at the output:
_____________
myhost log # ip route list table local
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 172.16.0.1 dev eth1 proto kernel scope host src 172.16.0.1
broadcast 172.16.0.0 dev eth1 proto kernel scope link src 172.16.0.1
broadcast 231.222.222.111 dev eth0 proto kernel scope link src 231.222.222.111
broadcast 231.222.222.111 dev eth0 proto kernel scope link src 231.222.222.111
local 231.222.222.111 dev eth0 proto kernel scope host src 231.222.222.111
broadcast 172.16.255.255 dev eth1 proto kernel scope link src 172.16.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
nat 231.222.222.111 via 172.16.1.13 scope host
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

myhost log # ip rule
0: from all lookup local
323: from 172.16.1.13 lookup main map-to 231.222.222.111
32766: from all lookup main
32767: from all lookup default
_______________________

So I'm trying to translate local address 172.16.1.13 on 231.222.222.111.

And that was working under 2.4 kernel. But now I have to move to 2.6 kernel
and now it's not working.

I've used these commands:
ip route add nat 231.222.222.111 via 172.16.1.13
ip rule add prio 323 from 172.16.1.13 nat 231.222.222.111

!!! To be sure that it is a kernel problem I've added these two rules in my
FORWARD chain in the very beginning:
iptables -I FORWARD -s 172.16.1.13 -j LOG
iptables -I FORWARD -d 231.222.222.111 -j LOG

Look, I have packets that should not be there:
Oct 27 00:30:04 rcline IN=eth1 OUT=eth0 SRC=172.16.1.13 DST=64.12.161.185 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43039 DF PROTO=TCP SPT=1923 DPT=5190 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 27 00:30:04 rcline IN=eth0 OUT=eth1 SRC=83.102.131.142 DST=231.222.222.111 LEN=84 TOS=0x00 PREC=0x00 TTL=59 ID=2990 DF PROTO=ICMP TYPE=8 CODE=0 ID=22310 SEQ=2991

No substitution of neither destination, nor source addresses!!!

Please help me to make this work. I've tried 2.6.9 kernel, but it seems
there is no "IP: fast network address translation". Why? Is the feature already
deprecated?

Any advice on how to solve this problem is very welcome.

Sorry for my bad English, it is not my native language.

Thank you for your reading of this cry for help. If you have any ideas...
they are welcome...
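
Added example (not part of the original post): a small Python checker for the LOG test described in the message above. It parses netfilter LOG lines and flags packets that reach FORWARD still carrying the untranslated inside or outside address; that packets should already be translated at that point is the poster's expectation, and the third sample line and all function names are constructed for illustration.

```python
import re

# Static 1:1 mapping taken from the post: inside host <-> outside (NAT) address.
INSIDE, OUTSIDE = "172.16.1.13", "231.222.222.111"

# First two lines are the kernel LOG lines quoted in the post. The third is
# constructed: an inbound packet as a broader LOG rule would show it if the
# destination had been rewritten to the inside address.
SAMPLE = """\
Oct 27 00:30:04 rcline IN=eth1 OUT=eth0 SRC=172.16.1.13 DST=64.12.161.185 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43039 DF PROTO=TCP SPT=1923 DPT=5190 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 27 00:30:04 rcline IN=eth0 OUT=eth1 SRC=83.102.131.142 DST=231.222.222.111 LEN=84 TOS=0x00 PREC=0x00 TTL=59 ID=2990 DF PROTO=ICMP TYPE=8 CODE=0 ID=22310 SEQ=2991
Oct 27 00:30:05 rcline IN=eth0 OUT=eth1 SRC=83.102.131.142 DST=172.16.1.13 LEN=84 TOS=0x00 PREC=0x00 TTL=59 ID=2991 DF PROTO=ICMP TYPE=8 CODE=0 ID=22310 SEQ=2992
"""

# KEY=value pairs of a netfilter LOG line; the value may be empty (e.g. "OUT=").
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse(line):
    """Return the KEY=value fields of one LOG line as a dict (last key wins)."""
    return dict(FIELD.findall(line))


def classify(fields, inside=INSIDE, outside=OUTSIDE):
    """Say whether a forwarded packet shows the expected address rewrite."""
    src, dst = fields.get("SRC"), fields.get("DST")
    if src == inside:
        return "untranslated-src"   # outbound packet still has the inside source
    if dst == outside:
        return "untranslated-dst"   # inbound packet still has the outside destination
    if src == outside or dst == inside:
        return "translated"
    return "unrelated"


def audit(text):
    """Return (IN, OUT, SRC, DST, verdict) for every LOG line with addresses."""
    rows = []
    for line in text.splitlines():
        f = parse(line)
        if "SRC" in f and "DST" in f:
            rows.append((f.get("IN", ""), f.get("OUT", ""),
                         f["SRC"], f["DST"], classify(f)))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-5s -> %-5s %-16s %-16s %s" % row)
```
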
Hello.

I need your help.

The problem is I can not make route nat work with kernel
2.6 although in 2.4 everything works perfectly. I am forced to have 2.6 kernel as
I need SATA.

If this is the wrong list to ask questions about this, please poke me in the
right one.

So. I have a router with two network cards: eth0(192.168.1.10) and eth1
(192.168.2.150). Kernel is 2.6.8.1. In the kernel all options and suboptions
concerning "IP: advanced router" are enabled. I want to map the computer in the
192.168.2.0/24 subnet with IP 192.168.2.5 on 192.168.1.17 in the 192.168.1.0/24
subnet.

I am not an artist but maybe this graph can illustrate my situation:

              192.168.1.0/24<..... nat  ....>192.168.2.0/24
<192.168.1.1>-----<192.168.1.10>router<192.168.2.150>-----<192.168.2.5>
                        eth0                eth1            host i want
                  <192.168.1.17>----------nat------------>    to map
                  dummy address

So following ip-cref written by Alexey Kuznetsov, first of all I issue the
command:

nat router # ip route add nat 192.168.1.17 via 192.168.2.5

Now my router answers ARP for 192.168.1.17 and receives the packets for it.
Then it even routes them from eth0 to eth1 BUT it does not nat the destination ip
address. Look what one can see using tcpdump! I ping 172.16.1.17 from
192.168.1.1:

nat router # tcpdump -ni eth0
05:49:19.085838 arp who-has 192.168.1.17 tell 192.168.1.1
05:49:19.086938 arp reply 192.168.1.17 is-at 00:0c:29:od:85:04
05:49:19.692799 IP 192.168.1.1 > 192.168.1.17: icmp 64: echo request seq 1

At the same time on eth1:

nat router # tcpdump -ni eth0
05:49:19.692837 IP 192.168.1.1 > 192.168.1.17: icmp 64: echo request seq 1

My route table is OK.

nat router # ip route
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.250
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.10
127.0.0.0/8 via 127.0.0.1 dev lo scope link

So why is the packet that should be DNATed not, and how could a packet that
should be sent to eth0 be sent to eth1?

Is there any other possibility to nat 192.168.2.5 on 192.168.1.17?

The last question: what is with "IP: fast network address translation" in the 2.6.9
kernel? Why is it absent?

Thank you in advance,
_____________
Peter.

P.S. I need your help to find a solution. Otherwise there is a possibility that
my employer can dismiss me.

P.P.S. Below is also my letter with the same problem. No one answered it. :(

On Tuesday 26 October 2004 20:49, Петр Волков wrote:
> All worked with 2.4 kernel, but when I have to move to 2.6.8.1 it's not.
>
> I'm using "ip route nat 231.222.222.111 via 172.16.1.13" to substitute inet
> address 231.222.222.111 on 172.16.1.13 during routing. Look at the output:
> _____________
> myhost log # ip route list table local
> broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
> local 172.16.0.1 dev eth1  proto kernel  scope host  src 172.16.0.1
> broadcast 172.16.0.0 dev eth1  proto kernel  scope link  src 172.16.0.1
> broadcast 231.222.222.111 dev eth0  proto kernel  scope link  src 231.222.222.111
> broadcast 231.222.222.111 dev eth0  proto kernel  scope link  src 231.222.222.111
> local 231.222.222.111 dev eth0  proto kernel  scope host  src 231.222.222.111
> broadcast 172.16.255.255 dev eth1  proto kernel  scope link  src 172.16.0.1
> broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
> nat 231.222.222.111 via 172.16.1.13  scope host
> local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
> local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
>
> myhost log # ip rule
> 0:      from all lookup local
> 323:    from 172.16.1.13 lookup main map-to 231.222.222.111
> 32766:  from all lookup main
> 32767:  from all lookup default
> _______________________
>
> So I'm trying to translate local address 172.16.1.13 on 231.222.222.111.
>
> And that was working under 2.4 kernel. But now I have to move to 2.6 kernel
> and now it's not working.
>
> I've used these commands:
> ip route add nat 231.222.222.111 via 172.16.1.13
> ip rule add prio 323 from 172.16.1.13 nat 231.222.222.111
>
> !!! To be sure that it is a kernel problem I've added these two rules in my
> FORWARD chain in the very beginning:
> iptables -I FORWARD -s 172.16.1.13 -j LOG
> iptables -I FORWARD -d 231.222.222.111 -j LOG
>
> Look, I have packets that should not be there:
> Oct 27 00:30:04 rcline IN=eth1 OUT=eth0 SRC=172.16.1.13 DST=64.12.161.185 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43039 DF PROTO=TCP SPT=1923 DPT=5190 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 27 00:30:04 rcline IN=eth0 OUT=eth1 SRC=83.102.131.142 DST=231.222.222.111 LEN=84 TOS=0x00 PREC=0x00 TTL=59 ID=2990 DF PROTO=ICMP TYPE=8 CODE=0 ID=22310 SEQ=2991
>
> No substitution of neither destination, nor source addresses!!!
>
> Please help me to make this work. I've tried 2.6.9 kernel, but it seems
> there is no "IP: fast network address translation". Why? Is the feature already
> deprecated?