snat not working

my local ip is aaa.aaa.aaa.aaa
asterisk sitting on the internet at ip bbb.bbb.bbb.bbb
my firewall's internal ip is 192.168.0.254

i did snat:

iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to aaa.aaa.aaa

iptables -t nat -L -v gives:

Chain POSTROUTING (policy ACCEPT 23663 packets, 2182K bytes)
 pkts bytes target prot opt in  out  source   destination
33056 2084K SNAT   all  --  any ppp0 anywhere anywhere  to:aaa.aaa.aaa.aaa

but tcpdump both on ppp0 and on remote bbb.bbb.bbb.bbb gives:

10:35:27.564611 IP 192.168.0.254.5070 > bbb.bbb.bbb.bbb.5060: UDP, length 489

so snat is not working

any idea ?
On Tue, 14 Mar 2006 12:18:57 +0200
"Erez D" <erez0001@gmail.com> wrote:

> snat not working

Yes it is. Not the way you want, but it is!!

> my local ip is aaa.aaa.aaa.aaa
> asterisk sitting on the internet at ip bbb.bbb.bbb.bbb
> my firewall's internal ip is 192.168.0.254
>
> i did snat:
>
> iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to aaa.aaa.aaa

You must SNAT with the EXTERNAL IP of your router, not the internal one, to achieve
the effect you want.

And since you are using ppp, I advise you to use MASQUERADE instead of SNAT.

Regards

--

Ethy H. Brito            /"\
InterNexo Ltda.          \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860        X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil      / \
well. i meant the ip i got from my isp is aaa.aaa.aaa.aaa, not the
local net one, sorry

i do not use MASQ. as this did not function well before, and the faq
said to prefer SNAT

i have 2 outgoing internet connections, one via pptp (ppp0), one via
router (eth1)
i also got a local network - eth0

eth1 is 10.0.0.2 connected to a router which is 10.0.0.1
ppp0 is aaa.aaa.aaa.aaa ptp to ccc.ccc.ccc.ccc
eth0 is 192.168.0.254/24

thanks
erez.

On 3/14/06, Ethy H. Brito <ethy.brito@inexo.com.br> wrote:
> On Tue, 14 Mar 2006 12:18:57 +0200
> "Erez D" <erez0001@gmail.com> wrote:
>
> > snat not working
>
> Yes it is. Not the way you want, but it is!!
>
> > my local ip is aaa.aaa.aaa.aaa
> > asterisk sitting on the internet at ip bbb.bbb.bbb.bbb
> > my firewall's internal ip is 192.168.0.254
> >
> > i did snat:
> >
> > iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to aaa.aaa.aaa
>
> You must SNAT with the EXTERNAL IP of your router, not the internal one, to achieve
> the effect you want.
>
> And since you are using ppp, I advise you to use MASQUERADE instead of SNAT.
>
> Regards
>
> --
>
> Ethy H. Brito            /"\
> InterNexo Ltda.          \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
> +55 (12) 3941-6860        X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
> S.J.Campos - Brasil      / \
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
this is a udp datagram which originates from one of the computers in my
local lan, not the firewall

however, the SNAT is on the POSTROUTING table which means (as far as i
know) that it is also applied to packets originating from the firewall
(i.e. the packets from the OUTPUT chain travel to the POSTROUTING
chain)

pls. correct me if i'm wrong.

thanks,
erez.

On 3/14/06, Ilya Konstantinov <linux-il@future.shiny.co.il> wrote:
> Where are you pinging from? Be aware that locally-generated packets
> (e.g. pinging from the firewall) don't pass the NAT tables.
>
> Erez D wrote:
>
> > but tcpdump both on ppp0 and on remote bbb.bbb.bbb.bbb gives:
> >
> > 10:35:27.564611 IP 192.168.0.254.5070 > bbb.bbb.bbb.bbb.5060: UDP, length 489
> >
> > so snat is not working
On Tue, 14 Mar 2006 14:00:23 +0200
"Erez D" <erez0001@gmail.com> wrote:

> well. i meant the ip i got from my isp is aaa.aaa.aaa.aaa, not the
> local net one, sorry
>
> i do not use MASQ. as this did not function well before, and the faq
> said to prefer SNAT

Would you point me to this FAQ?
AFAIK SNAT is to be used on fixed IPs and MASQUERADE on dynamic (like ppp's) IPs.
I would like to know if my knowledge is wrong.

> i have 2 outgoing internet connections, one via pptp (ppp0), one via
> router (eth1)
> i also got a local network - eth0
>
> eth1 is 10.0.0.2 connected to a router which is 10.0.0.1

This one must be NAT'ed somewhere downstream by your ISP.

> ppp0 is aaa.aaa.aaa.aaa ptp to ccc.ccc.ccc.ccc
> eth0 is 192.168.0.254/24

Note that your streams are going out using 192.168.0.254 as source IP and not
the IPs of your internal machines. Therefore NAT is working.

And also, outgoing via two routers is a tricky thing to put to work.
There are some docs around about this subject.

Regards

--

Ethy H. Brito            /"\
InterNexo Ltda.          \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860        X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil      / \
On 3/14/06, Ethy H. Brito <ethy.brito@inexo.com.br> wrote:
> On Tue, 14 Mar 2006 14:00:23 +0200
> "Erez D" <erez0001@gmail.com> wrote:
>
> > well. i meant the ip i got from my isp is aaa.aaa.aaa.aaa, not the
> > local net one, sorry
> >
> > i do not use MASQ. as this did not function well before, and the faq
> > said to prefer SNAT
>
> Would you point me to this FAQ?
> AFAIK SNAT is to be used on fixed IPs and MASQUERADE on dynamic (like ppp's) IPs.
> I would like to know if my knowledge is wrong.

i read this faq a long time ago so i can not supply a link
all my ips are static (internal and external).

> > i have 2 outgoing internet connections, one via pptp (ppp0), one via
> > router (eth1)
> > i also got a local network - eth0
> >
> > eth1 is 10.0.0.2 connected to a router which is 10.0.0.1
>
> This one must be NAT'ed somewhere downstream by your ISP.

the router on 10.0.0.1 does the nat

> > ppp0 is aaa.aaa.aaa.aaa ptp to ccc.ccc.ccc.ccc
> > eth0 is 192.168.0.254/24
>
> Note that your streams are going out using 192.168.0.254 as source IP and not
> the IPs of your internal machines. Therefore NAT is working.

this is my fault, i copied and pasted different lines
the original tcpdump output was:
IP 192.168.0.20.5070 > bbb.bbb.bbb.bbb.5060

> And also, outgoing via two routers is a tricky thing to put to work.
> There are some docs around about this subject.

yeah, i tried them all, including patching the kernel with some
suggested patches, but never got load balancing to work, so gave it up
a long time ago.
at the end, i put default route on one interface, and selected
manually what will go via the other via fwmark and/or source routing
and/or standard routing (i.e. dest routing)

thanks,
erez.

> Regards
>
> --
>
> Ethy H. Brito            /"\
> InterNexo Ltda.          \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
> +55 (12) 3941-6860        X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
> S.J.Campos - Brasil      / \
On Tue, 2006-03-14 at 16:11 +0200, Erez D wrote:
> > > i do not use MASQ. as this did not function well before, and the faq
> > > said to prefer SNAT
> >
> > Would you point me to this FAQ?
> > AFAIK SNAT is to be used on fixed IPs and MASQUERADE on dynamic (like ppp's) IPs.
> > I would like to know if my knowledge is wrong.
>
> i read this faq a long time ago so i can not supply a link
> all my ips are static (internal and external).

Same difference either way with masquerade. I use both, but typically
masquerade for dynamic stuff. So I do not have to deal with finding out
the ip, modifying rules, etc. If you find the link or etc on using snat
instead of masquerade, I would like to research it.

> > And also, outgoing via two routers is a tricky thing to put to work.
> > There are some docs around about this subject.

Not too bad, I did it in the past with 2 SDSL routers, load balanced,
redundant. I am doing it again now but no load balancing. Just two ISPs,
multiple lans. Still got some weird ARP and DHCP issues. Thus being back
on the list, but those are for another thread.

> yeah, i tried them all, including patching the kernel with some
> suggested patches, but never got load balancing to work, so gave it up
> a long time ago.

Load balancing is a tricky thing. Has to be done from the outside in by
DNS round robin. From the inside out via multipath gateways and etc. Not
sure if it's still current and or valid. I could not find the patches
from yesteryear. But along with Julian's dead gateway patches were
patches for nat and multipath. But in a nutshell, the Linux box must be
doing nat. Without nat, no go on load balancing. I used to do two rounds
of nat/pat. One on the routers, then again on the Linux box.

> at the end, i put default route on one interface, and selected
> manually what will go via the other via fwmark and/or source routing
> and/or standard routing (i.e. dest routing)

So far I have not had to use fwmark or other means to classify packets
or etc. Doing it based on sources atm. Working fine for the most part. A
few quirks but no show stoppers or major issues.

--
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
http://www.obsidian-studios.com
On Tue, 2006-03-14 at 17:49 +0200, Erez D wrote:
>
> coming to think of it, only one outgoing link was nat. could this be
> the problem ?

Very possible. I know it was a requirement of the time. Very well could
be what's holding you back from load balancing.

> source routing works well
> i wanted to connect all my company to link1 (default)
> internet via the other link - redirected all web to a proxy on the link2 network
>
> however, i wanted one computer to go via link2 (source routing)
> and all my sip traffic also via link2 (mark them via iptables, then use fwmark)

Ah so a particular service period on any net, interface you want to use
a particular link. Makes sense.

> the actual problem i refer to is sip traffic : my SIP box
> (192.168.0.20) connects to my
> home computer via the internet.
> on the way, my company's firewall marks the packet with fwmark
> and 'ip rule' routes all packets with this fwmark to table2
> table2 has a default route via link2 isp.
>
> also the POSTROUTING chain has a SNAT rule on ppp0 which is link2's interface
>
> but the packet outgoing via ppp0 has 192.168.0.20 as source ip
> other packets traversing via ppp0 - for them snat works.
>
> so it is something to do with ip rule and so

Not sure I am clear with the problem, but rules are traversed in order.
So if your source rule is before your fwmark rule, it's going to use the
one before the other. But pretty sure I am missing the problem.

--
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
http://www.obsidian-studios.com
On 3/14/06, William L. Thomson Jr. <wlt@obsidian-studios.com> wrote:
> On Tue, 2006-03-14 at 17:49 +0200, Erez D wrote:
> >
> > coming to think of it, only one outgoing link was nat. could this be
> > the problem ?
>
> Very possible. I know it was a requirement of the time. Very well could
> be what's holding you back from load balancing.
>
> > source routing works well
> > i wanted to connect all my company to link1 (default)
> > internet via the other link - redirected all web to a proxy on the link2 network
> >
> > however, i wanted one computer to go via link2 (source routing)
> > and all my sip traffic also via link2 (mark them via iptables, then use fwmark)
>
> Ah so a particular service period on any net, interface you want to use
> a particular link. Makes sense.
>
> > the actual problem i refer to is sip traffic : my SIP box
> > (192.168.0.20) connects to my
> > home computer via the internet.
> > on the way, my company's firewall marks the packet with fwmark
> > and 'ip rule' routes all packets with this fwmark to table2
> > table2 has a default route via link2 isp.
> >
> > also the POSTROUTING chain has a SNAT rule on ppp0 which is link2's interface
> >
> > but the packet outgoing via ppp0 has 192.168.0.20 as source ip
> > other packets traversing via ppp0 - for them snat works.
> >
> > so it is something to do with ip rule and so
>
> Not sure I am clear with the problem, but rules are traversed in order.
> So if your source rule is before your fwmark rule, it's going to use the
> one before the other. But pretty sure I am missing the problem.
>

the fwmark rule is on the PREROUTING chain
the SNAT is on the POSTROUTING
so the order is ok.

the problem is:
all traffic that traverses lan -> eth0 -> ppp0 -> internet : should change
the source ip when outgoing from ppp0 to the internet, and so it does

but, sipbox -> lan -> eth0 -> ppp0 -> internet : the outgoing packets
from ppp0 have the ip 192.168.0.20 which is the ip of my sipbox instead
of my internet ip which is specified in the SNAT rule

the difference is that all the traffic outgoing via ppp0 is because of
source nat except the sipbox which is going via fwmark

iptables:
iptables -t mangle -A PREROUTING -s 192.168.0.20 -p udp --sport $SIPPORT -j MARK --set-mark 0x990
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to $my_link2_ip

ip rule:
10: from all lookup local
20: from 192.168.0.10 lookup isp2
30: from all fwmark 0x990 lookup isp2
40: from all lookup main
50: from all lookup default

prio 20 works well (SNAT is activated)
prio 30 does not work (routing is ok, SNAT not activated)

thanks,
erez.

> --
> Sincerely,
> William L. Thomson Jr.
> Obsidian-Studios, Inc.
> http://www.obsidian-studios.com
Ok,

On Tue, 2006-03-14 at 18:15 +0200, Erez D wrote:
>
> but, sipbox -> lan -> eth0 -> ppp0 -> internet :
> the outgoing packets from ppp0 have the ip 192.168.0.20 which is the ip
> of my sipbox
>
> iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to $my_link2_ip

So when traffic leaves the ppp0 interface from 192.168.0.20, it is not
being SNATted to $my_link2_ip.

> 10: from all lookup local
> 20: from 192.168.0.10 lookup isp2
> 30: from all fwmark 0x990 lookup isp2
> 40: from all lookup main
> 50: from all lookup default
>
> prio 20 works well (SNAT is activated)
> prio 30 does not work (routing is ok, SNAT not activated)

Now if 30 works that means it is being sent to ppp0. In that case I
think it would be worthwhile to try

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.20 -j SNAT --to $my_link2_ip

or even

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j SNAT --to $my_link2_ip

and despite what you might have come across, try

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.20 -j MASQUERADE

or

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE

You might need a rule like that in conjunction with the other. Putting
these before the other. Might even have to add something for the mark
as well or in place of a source ip.

Otherwise it's interesting it's being routed out the correct interface
without snat. Could also be that it's not hitting the 30 rule, and ppp0
is set as a default gateway in another rule like main or default. That
would make more sense than iptables not doing its job?

--
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
http://www.obsidian-studios.com
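The fwmark-plus-SNAT setup Erez posted, and the narrowed `-s` SNAT rule William suggests, as an added shell example that is not part of the thread. It also adds one check the thread does not show: the nat table is consulted only for the first packet of a connection, so a flow that conntrack already knew about when the mark rule or the isp2 route was added (or whose first packet went out the other link) keeps whatever NAT binding it got then, which is one way to end up with correct routing and no SNAT. The `unnatted_flows` function reads `/proc/net/ip_conntrack` (or `conntrack -L`) lines and lists flows from a host whose reply-direction destination is still the internal address, i.e. flows with no source-NAT binding. The conntrack lines are constructed, with 203.0.113.7 and 198.51.100.4 standing in for bbb.bbb.bbb.bbb and the link2 address; LINK2_IP, LINK2_GW, SIPPORT and the table name isp2 (assumed to exist in /etc/iproute2/rt_tables) are assumptions. Commands are printed, not executed, unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): fwmark policy routing + SNAT on ppp0
# for the two-link setup described above, plus a conntrack check for flows
# that have no SNAT binding. All addresses below are assumed stand-ins.
LINK2_IP="${LINK2_IP:-198.51.100.4}"   # assumed: the aaa.aaa.aaa.aaa address
LINK2_GW="${LINK2_GW:-198.51.100.1}"   # assumed: the ccc.ccc.ccc.ccc peer
SIPPORT="${SIPPORT:-5070}"             # assumed SIP source port
SIPBOX="192.168.0.20"
LAN="192.168.0.0/24"
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_rules() {
    # 1. Mark SIP packets from the SIP box before the routing decision.
    run iptables -t mangle -A PREROUTING -s "$SIPBOX" -p udp --sport "$SIPPORT" \
        -j MARK --set-mark 0x990
    # 2. Route marked packets through table isp2, whose default goes out ppp0.
    run ip rule add fwmark 0x990 table isp2 pref 30
    run ip route add default via "$LINK2_GW" dev ppp0 table isp2
    # 3. Rewrite the source of LAN traffic leaving ppp0. Restricting -s to the
    #    LAN leaves the firewall's own ppp0 traffic (already LINK2_IP) alone.
    run iptables -t nat -A POSTROUTING -s "$LAN" -o ppp0 -j SNAT --to-source "$LINK2_IP"
}

# Print "proto src -> dst:dport" for conntrack entries whose original source
# is $1 AND whose reply destination is still $1. Such a flow was created with
# no source-NAT binding; because the nat table only sees a flow's first
# packet, later packets of that flow stay un-SNATed whatever POSTROUTING
# says now. Input on stdin: /proc/net/ip_conntrack or "conntrack -L" lines.
unnatted_flows() {
    awk -v host="$1" '
    {
        osrc = ""; odst = ""; odport = ""; rdst = ""; nsrc = 0; ndst = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { nsrc++; if (nsrc == 1) osrc = substr($i, 5) }
            if ($i ~ /^dst=/) {
                ndst++
                if (ndst == 1) odst = substr($i, 5)   # original direction
                if (ndst == 2) rdst = substr($i, 5)   # reply direction
            }
            if ($i ~ /^dport=/ && odport == "") odport = substr($i, 7)
        }
        if (osrc == host && rdst == host) print $1, osrc, "->", odst ":" odport
    }'
}

# Constructed sample conntrack table (not captured from the thread).
# Line 1: SIP flow from the SIP box, reply dst still 192.168.0.20 -> no SNAT.
# Line 2: DNS flow from another host, reply dst is LINK2_IP -> SNAT in place.
# Line 3: TCP flow from the SIP box, reply dst is LINK2_IP -> SNAT in place.
SAMPLE_CONNTRACK='udp      17 25 src=192.168.0.20 dst=203.0.113.7 sport=5070 dport=5060 packets=12 bytes=5868 [UNREPLIED] src=203.0.113.7 dst=192.168.0.20 sport=5060 dport=5070 packets=0 bytes=0 mark=0 use=1
udp      17 170 src=192.168.0.10 dst=203.0.113.7 sport=40000 dport=53 packets=1 bytes=70 src=203.0.113.7 dst=198.51.100.4 sport=53 dport=40000 packets=1 bytes=140 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.20 dst=203.0.113.7 sport=2000 dport=80 packets=9 bytes=1500 src=203.0.113.7 dst=198.51.100.4 sport=80 dport=2000 packets=8 bytes=6000 [ASSURED] mark=0 use=1'

case "${1:-}" in
    apply) apply_rules ;;                                            # DRY_RUN=0 to really apply
    check) unnatted_flows "$SIPBOX" < /proc/net/ip_conntrack ;;      # live table (2.6-era path)
    demo)  printf '%s\n' "$SAMPLE_CONNTRACK" | unnatted_flows "$SIPBOX" ;;
esac
```

`sh snat-check.sh demo` prints only the SIP flow, the one whose reply tuple still points at 192.168.0.20. If the live `check` shows the same for the real flow, the entry predates the SNAT decision; deleting it (`conntrack -D -s 192.168.0.20`, or letting the UDP entry time out) forces the next packet through the nat table again, which is a cheaper first step than rewriting rules. On kernels that only have `/proc/net/nf_conntrack` use `conntrack -L` as input instead, since that file carries two extra leading columns and the first printed field would be the address family rather than the protocol.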