Re: Annoying NAT problem
On Thu, Mar 01, 2001 at 10:23:50AM -0700, Chris Cameron wrote:
> Trying to setup ipnat with no luck.
>
> 1 nic card, two addresses (as discussed earlier) 24.108.86.247 and an
> alias for 192.168.1.1
>
> After having read through the FAQ on nat twice I've got
>
> map tl0 192.168.1.0/24 -> 24.108.86.247/32 portmap tcp/udp 10000:60000
> map tl0 192.168.1.0/24 -> 24.108.86.247/32
With this setup (1 nic card + NAT) you won't be able to filter based
on internal addresses. Overall you don't have a firewall; you might
have a NAT box, but that's all.
> in my ipnat.rules. The Win98 machine I'm testing it with has
> 192.168.1.48 as an IP, 255.255.255.0 as the netmask, and 192.168.1.1 as
> the gateway. It can ping the gateway, and it shows up under ipnat -l as
> MAP 192.168.1.1 0 <- -> 24.108.86.247 0 [192.168.1.48 0]
> but I can't actually connect to the BSD box. Trying to telnet to 25
> shows
> MAP 192.168.1.1 25 <- -> 24.108.86.247 10004 [192.168.1.48
> 1033]
> but it never connects.
Are you sure your SMTP daemon listens on 24.108.86.247? What are the
netmasks? Give us the output of 'ifconfig -A'.
Even if it does, the NAT code in IPFilter doesn't translate things
properly when you try to connect to the firewall's outside IP
(logically outside in your case).
If you have ipf 3.4.16 you can do something like this in ipnat to be
able to connect to the 'external' firewall IP from internal machines:
map tl0 from 192.168.1.0/24 to !24.108.86.247/32 -> 24.108.86.247/32 portmap tcp/udp 10000:60000
map tl0 from 192.168.1.0/24 to !24.108.86.247/32 -> 24.108.86.247/32
> That aside, trying to get outside of my 2 machine 'network' from the
> Win98 machine doesn't do anything, when trying to ping an outside
> machine it doesn't even show up under ipnat -l.
>
> I have added pass in from any to any and pass out from any to any to my
> IPF.
Something else is broken. Did you enable IP forwarding?
Btw, if I understand, you have a setup like this:
(Internet)
|
|
ISP router Win.1 Win.2 Win.3 OBSD Win.4
| | | | | |
| | | | | |
---------------------------------------------- (hub/switch)
You understand that with this setup your ISP router can talk to your
WinX boxes without passing through the obsd box?
--
Rémi
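As an added illustration (not part of the thread, and not IPFilter's own code), a small Python model of the map rules quoted above. It parses the subset of ipnat syntax used in this thread and shows why the `to !24.108.86.247/32` exclusion from the reply matters: with the original rules a connection from 192.168.1.48 to the box's external address is translated, with the fixed rules it is left alone. First-match evaluation and the rule grammar are my simplification, not a full ipnat implementation.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Grammar covers only the forms seen in the thread:
#   map IF SRC -> NAT [portmap tcp/udp LO:HI]
#   map IF from SRC to [!]DST -> NAT [portmap tcp/udp LO:HI]
RULE_RE = re.compile(
    r"^map\s+(\S+)\s+(?:from\s+)?(\S+)(?:\s+to\s+(!?)(\S+))?\s+->\s+(\S+)"
    r"(?:\s+portmap\s+tcp/udp\s+(\d+):(\d+))?\s*$"
)

@dataclass
class MapRule:
    iface: str
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]   # None means "any destination"
    dst_negated: bool                      # True for "to !DST"
    nat_to: ipaddress.IPv4Network
    portmap: Optional[Tuple[int, int]]

def parse_map_rule(line: str) -> MapRule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    iface, src, neg, dst, nat_to, lo, hi = m.groups()
    return MapRule(iface, ipaddress.IPv4Network(src),
                   ipaddress.IPv4Network(dst) if dst else None, neg == "!",
                   ipaddress.IPv4Network(nat_to),
                   (int(lo), int(hi)) if lo else None)

def rule_matches(rule: MapRule, iface: str, src_ip: str, dst_ip: str) -> bool:
    if iface != rule.iface or ipaddress.IPv4Address(src_ip) not in rule.src:
        return False
    if rule.dst is None:
        return True
    in_dst = ipaddress.IPv4Address(dst_ip) in rule.dst
    return (not in_dst) if rule.dst_negated else in_dst

def translated(rules: List[MapRule], iface: str, src_ip: str, dst_ip: str) -> Optional[str]:
    """Address the packet is mapped to, or None if no rule translates it."""
    for r in rules:                       # first match wins in this model
        if rule_matches(r, iface, src_ip, dst_ip):
            return str(r.nat_to.network_address)
    return None

# Rule sets quoted in the thread (the original and the reply's corrected form).
ORIGINAL_RULES = [parse_map_rule(l) for l in (
    "map tl0 192.168.1.0/24 -> 24.108.86.247/32 portmap tcp/udp 10000:60000",
    "map tl0 192.168.1.0/24 -> 24.108.86.247/32")]
FIXED_RULES = [parse_map_rule(l) for l in (
    "map tl0 from 192.168.1.0/24 to !24.108.86.247/32 -> 24.108.86.247/32 portmap tcp/udp 10000:60000",
    "map tl0 from 192.168.1.0/24 to !24.108.86.247/32 -> 24.108.86.247/32")]
```

The destination 198.51.100.7 used when exercising the model is a constructed example of an outside host, not an address from the thread.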