<wolfgang.wagner@riwa-gis.de>
2014-Jan-13 11:08 UTC
Problem with one-to-one NAT - No NAT at all
Hello,

I have to connect two networks which both use private IP addresses, so I must NAT between the networks. There are only a few machines from one network which must access the other side, so it is easy to edit one file with NAT rules based on dedicated IPs.

My shorewall installation does everything right (routing, traffic forwarding, filtering), but not NAT. Something in the one-to-one NAT guide I did not understand correctly. The iptables entries for NAT are there, but they are not used. The IP 10.20.75.81 on eth1 should be translated to IP 192.168.201.199 on eth0, but instead the packet goes through the firewall without NAT.

-------------------------------------------------
# shorewall show nat
Shorewall 4.5.5.3 NAT Table at auewriwanat1 - Mon Jan 13 11:56:50 CET 2014

Counters reset Thu Jan  9 20:03:39 CET 2014

Chain PREROUTING (policy ACCEPT 356 packets, 32458 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 350 packets, 31990 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 72 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 72 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth1_out   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            10.20.75.81          to:192.168.201.199

Chain eth1_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.201.199      0.0.0.0/0            to:10.20.75.81
----------------------------------------------------

----------------------------------------------------
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 68:05:ca:0c:a5:be brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.244/24 brd 192.168.20.255 scope global eth0
    inet6 fe80::6a05:caff:fe0c:a5be/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 68:05:ca:0c:b8:08 brd ff:ff:ff:ff:ff:ff
    inet 10.20.75.244/24 brd 10.20.75.255 scope global eth1
    inet6 fe80::6a05:caff:fe0c:b808/64 scope link
       valid_lft forever preferred_lft forever
----------------------------------------------------

----------------------------------------------------
# ip route show
default via 192.168.20.244 dev eth0
10.20.75.0/24 dev eth1  proto kernel  scope link  src 10.20.75.244
192.168.20.0/24 dev eth0  proto kernel  scope link  src 192.168.20.244
----------------------------------------------------

----------------------------------------------------
/etc/shorewall# cat nat
#########################################################################
# IP net                        IP loc
#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
#                                               INTERFACES
10.20.75.81     eth1            192.168.201.199 no              no
----------------------------------------------------

Kind regards

Wolfgang Wagner
System Administration

RIWA GmbH
Gesellschaft fuer Geoinformationen
Zwingerstr. 2, 87435 Kempten
Tel: +49 (0) 831 / 522963-537
Fax: +49 (0) 831 / 522963-546
E-Mail: wolfgang.wagner@riwa-gis.de
http://www.riwa-gis.de

RIWA GmbH, Zwingerstrasse 2, 87435 Kempten
Registered office: Kempten (Allgaeu)
Register court: Amtsgericht Kempten, HRB 6480
Managing director: Dipl.-Ing. Guenter Kraus
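As an added illustration (not part of Wolfgang's post and not Shorewall code), the four nat-table rules from the `shorewall show nat` listing above, modelled in Python so you can see which forwarded packets each DNAT/SNAT rule can ever match; the host addresses 192.168.20.10 and 10.20.75.5 are constructed sample values, and the model covers only interface and address matching, not conntrack state or the filter table.

```python
from ipaddress import ip_address, ip_network

# Rules transcribed from the `shorewall show nat` listing in the post:
# (in_if, out_if, source, destination, target, translate_to)
RULES = {
    "PREROUTING":  [("eth1", "*", "0.0.0.0/0", "0.0.0.0/0", "eth1_in", None)],
    "POSTROUTING": [("*", "eth1", "0.0.0.0/0", "0.0.0.0/0", "eth1_out", None)],
    "eth1_in":     [("*", "*", "0.0.0.0/0", "10.20.75.81", "DNAT", "192.168.201.199")],
    "eth1_out":    [("*", "*", "192.168.201.199", "0.0.0.0/0", "SNAT", "10.20.75.81")],
}

def _addr_match(pattern, addr):
    # "0.0.0.0/0" is the listing's wildcard; a bare host address means /32
    return pattern == "0.0.0.0/0" or ip_address(addr) in ip_network(pattern)

def _if_match(pattern, iface):
    return pattern == "*" or pattern == iface

def traverse(chain, pkt):
    """Walk one nat chain; return the packet, rewritten if a rule fired.
    A jump to a user chain falls back to the caller when nothing matched
    there, as iptables does; DNAT/SNAT end traversal of the table."""
    for in_if, out_if, src, dst, target, to in RULES[chain]:
        if not (_if_match(in_if, pkt["in"]) and _if_match(out_if, pkt["out"])
                and _addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"])):
            continue
        if target == "DNAT":
            return {**pkt, "dst": to}
        if target == "SNAT":
            return {**pkt, "src": to}
        rewritten = traverse(target, pkt)      # jump into eth1_in / eth1_out
        if rewritten != pkt:
            return rewritten
    return pkt

def nat_forwarded_packet(in_if, out_if, src, dst):
    """PREROUTING runs before routing (no out interface yet), POSTROUTING after."""
    pkt = {"in": in_if, "out": "", "src": src, "dst": dst}
    pkt = traverse("PREROUTING", pkt)
    pkt = {**pkt, "out": out_if}
    return traverse("POSTROUTING", pkt)

if __name__ == "__main__":
    # eth0-side host (constructed 192.168.20.10) sending to 10.20.75.81: PREROUTING
    # only jumps to eth1_in for packets arriving on eth1, so the DNAT rule is never
    # consulted and the packet is forwarded untranslated, matching the zero counters.
    print(nat_forwarded_packet("eth0", "eth1", "192.168.20.10", "10.20.75.81"))
    # eth1-side host (constructed 10.20.75.5): the one direction eth1_in can match.
    print(nat_forwarded_packet("eth1", "eth0", "10.20.75.5", "10.20.75.81"))
```

Running it against the rules as listed shows the DNAT rule can only ever rewrite packets that enter on eth1, and the SNAT rule only packets that leave on eth1 with source 192.168.201.199.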