Hi,

I have a problem with incoming connections on my Linux gateway.
I have 2 providers, a cable modem on eth1 and DSL on eth2 <-> ppp0 (pppoe). The LAN is connected to eth0. At the moment, I have a very simple configuration where the default route is via eth1 (cable modem). I set up DNAT on ppp0 to forward incoming traffic for certain ports to a computer behind the gateway/firewall:

    iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j DNAT --to-destination 172.16.1.4

Packets get lost and never reach the FORWARD chain (I logged all packets to be sure).

Here are my routes:

    # ip route ls
    215.136.169.1 dev ppp0 proto kernel scope link src 215.136.169.15
    135.165.199.128/25 dev eth1 proto kernel scope link src 135.165.199.139
    172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.1.1
    default via 135.165.199.129 dev eth1

So, I understand traffic by default goes via eth1, but why don't incoming packets redirected (DNATed) to an intranet IP address go out via eth0?
If I change my default route in table main to go via ppp0, then it works. And DNATing on eth1 works with the current configuration.

I don't have any other routing tables nor complex routing rules:

    # ip rule ls
    0:      from all lookup local
    32766:  from all lookup main
    32767:  from all lookup default

I am running kernel 2.4.23 with Julian's patches.

Any help would be greatly appreciated. Thank you.

Raph

--
Raphael Benedet
3D Artists - raph.com
"bringing art into the third dimension"

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Alexander A. Naumov
2004-Feb-19 16:31 UTC
Re: 2 providers & DNAT: incoming packets not forwarded
Hi!

Maybe you need to set the /proc/sys/net/ipv4/ip_forward sysctl value to 1?

Best regards,
Alexander A. Naumov

On Thu, Feb 19, 2004 at 03:45:06PM +0100, Raphael Benedet wrote:
> Hi,
>
> I have a problem with incoming connections on my Linux gateway.
> [...]
Raphael Benedet
2004-Feb-19 16:48 UTC
Re: 2 providers & DNAT: incoming packets not forwarded
Hi,

It is of course set to 1. I already have DNATing on eth1 and it works very well.
I suppose my problem comes from my routing table, but I don't understand why no route is found to 172.16.1.4 coming from ppp0 with the current configuration.

Regards,
Raph

Alexander A. Naumov wrote:
> Hi!
> Maybe you need to set the /proc/sys/net/ipv4/ip_forward sysctl value to 1?
>
> Best regards,
> Alexander A. Naumov
>
> On Thu, Feb 19, 2004 at 03:45:06PM +0100, Raphael Benedet wrote:
>> [...]
Razvan Stranschi
2004-Feb-20 07:29 UTC
Re: 2 providers & DNAT: incoming packets not forwarded
If your default policy in the FORWARD chain is DROP, you must permit those packets to pass.

Razvan Stranschi
razvan@arvo.ro

Raphael Benedet wrote:
> Hi,
>
> I have a problem with incoming connections on my Linux gateway.
> [...]
Raphael Benedet
2004-Feb-20 10:08 UTC
Re: 2 providers & DNAT: incoming packets not forwarded
Hi,

I have all the rules needed to accept packets in the FORWARD chain. DNAT on eth1 works very well: I see the packets in the PREROUTING chain, DNATed, in the FORWARD chain and then going out via the intranet interface eth0 (traced with tcpdump). But I don't manage to have DNAT work on ppp0.

I set as the *first* rule of my FORWARD chain a LOG target to log all the packets. While I can see DNATed packets from eth1, DNATed packets from ppp0 are lost. So I suppose it's a routing problem: packets are lost at the routing level, not the iptables one.

I also use logging in my PREROUTING chain to ensure packets are DNATed:

    iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j LOG --log-prefix 'before DNAT rule'
    iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j DNAT --to-destination 172.16.1.4
    iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j LOG --log-prefix 'after DNAT rule'

And the packets are DNATed, since I never see the second log line in my logs.

I think it's a routing problem, but I don't understand why, with a table like this:

    215.136.169.1 dev ppp0 proto kernel scope link src 215.136.169.15
    135.165.199.128/25 dev eth1 proto kernel scope link src 135.165.199.139
    172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.1.1
    default via 135.165.199.129 dev eth1

packets coming in via eth1 to 172.16.1.4 are correctly routed (go out via eth0) but packets coming in via ppp0 are lost.

This is driving me nuts!

Best Regards,
Raph

Razvan Stranschi wrote:
> If your default policy in the FORWARD chain is DROP, you must permit those packets to pass.
>
> Razvan Stranschi
> razvan@arvo.ro
>
> Raphael Benedet wrote:
>> Hi,
>>
>> I have a problem with incoming connections on my Linux gateway.
>> [...]
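As an added example (not from the thread or its participants), here is a small Python model of the route lookups the kernel makes on the DNATed packet, using the routing table Raphael posted: one lookup for the destination, and, when strict reverse-path filtering (rp_filter) is enabled on the arrival interface, one for the source address, which must route back out the same interface or the packet is discarded at the routing stage before it reaches FORWARD. The client address 198.51.100.7 is constructed, and the assumption that rp_filter is what discards the ppp0 packets is mine, not something the thread establishes; the values to check on the gateway are /proc/sys/net/ipv4/conf/ppp0/rp_filter and /proc/sys/net/ipv4/conf/all/rp_filter.

```python
import ipaddress

# Main routing table as posted in the thread; "default" is written as 0.0.0.0/0.
ROUTES = [
    ("215.136.169.1/32", "ppp0"),
    ("135.165.199.128/25", "eth1"),
    ("172.16.0.0/16", "eth0"),
    ("0.0.0.0/0", "eth1"),  # default via 135.165.199.129 dev eth1
]

# The variant Raphael says works: default route moved to ppp0.
ROUTES_PPP0_DEFAULT = ROUTES[:-1] + [("0.0.0.0/0", "ppp0")]

CLIENT = "198.51.100.7"   # constructed remote client (documentation range), not from the thread
LAN_SERVER = "172.16.1.4"  # DNAT target from the thread


def lookup(addr, routes=ROUTES):
    """Longest-prefix match: return the output interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def forward_decision(in_dev, src, dst, routes=ROUTES, strict_rp_filter=True):
    """Model the routing stage for a packet already DNATed in PREROUTING.

    With strict rp_filter on in_dev, the source address is looked up first:
    if the best route back to src does not leave via in_dev, the packet is
    discarded here, before FORWARD. Otherwise the destination lookup picks
    the egress interface. Returns a (verdict, out_dev) tuple.
    """
    back = lookup(src, routes)
    if strict_rp_filter and back != in_dev:
        return ("drop (reverse path for %s is %s, not %s)" % (src, back, in_dev), None)
    return ("forward", lookup(dst, routes))


if __name__ == "__main__":
    # The same DNATed packet arriving on each uplink, under the posted table.
    for dev in ("eth1", "ppp0"):
        print(dev, forward_decision(dev, CLIENT, LAN_SERVER))
    # And with the default route moved to ppp0, as Raphael tried.
    print("ppp0/default via ppp0", forward_decision("ppp0", CLIENT, LAN_SERVER, ROUTES_PPP0_DEFAULT))
```

The model reproduces the three observations in the thread (eth1 works, ppp0 is dropped before FORWARD, moving the default to ppp0 makes ppp0 work), but it only shows that strict reverse-path checking is consistent with them, not that it is the cause.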