* Strange behaviour of NAT under iptables
@ 2003-07-17  9:04 Marek Zachara
  0 siblings, 0 replies; 2+ messages in thread
From: Marek Zachara @ 2003-07-17  9:04 UTC (permalink / raw)
  To: netfilter

I have a Trustix 2.0 distribution installed with a 2.4.21 kernel and iptables 1.2.8.
This machine is used as a gateway to the internet for a small LAN of 25 computers.
All computers in the local network have private 192.168.x.x addresses.
eth1 at the router is connected to DSL/internet, eth0 to the local LAN.

I have a couple (4) of static public IPs which I want to assign to certain of these
25 computers; the rest of them communicate with the internet via masquerade.

Everything worked fine when I used kernel 2.2 and ipchains with fast NAT.
Now I have upgraded to 2.4/iptables. I have set up rules in the firewall script
to SNAT and DNAT packets coming to/from the machines that should have public IPs.
Now the funny part begins (here is the scenario):

I boot up the router with an iptables script which sets up NAT for one of the machines in the local
network (let's call it X; it has an address in the local network like 192.168.15.1).
The NAT works. I can log in to (X) from an outside computer using the public IP,
and when I log in from this machine (X) to other computers, the connection is shown
as made from the right public IP that is assigned to (X).

Everything seems fine, but it works only for about 5 minutes. Then the connection
to (X) is unavailable: I can't ping it, log in to it, or traceroute it, in either direction (in/out).
Everything is blocked at the router.

The strangest thing is that if I set up an alias eth1:1 with the public IP
assigned to (X), the traffic half-works (which is expected): I can log in from (X) to any
other computer outside the local network (and the connection is registered as from (X)'s public IP),
but I can't log in to (X) from outside, which is also fine since the alias 'catches' all the
incoming traffic.
Now if I delete the alias, the NAT works fine in both directions ... for another couple
of minutes. Then all access to/from (X) is unavailable.
If I set up the alias again I can repeat this scenario again and again. When I put up a script
which sets/deletes the alias every 2 min, the connection lasts, but of course there are
short periods every 2 min (between the alias being set up and deleted, which takes about 2 seconds)
when all traffic incoming to this IP is directed to the alias, which is not good.

I have tried several things, but nothing works :(  Any ideas? At least how to debug it?
Any help is really appreciated.

Marek


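As an added example (not code from the original post), here is a conventional 2.4-era rule set for the topology described: one LAN host gets a 1:1 public address via a DNAT/SNAT pair and everything else is masqueraded. It assumes eth1 is the external interface, eth0 the LAN, X is 192.168.15.1, and the documentation placeholder 203.0.113.10 stands in for X's public address. It also publishes a proxy-ARP entry for the public address: DNAT only rewrites packets that have already reached eth1, it does not make the kernel answer ARP for an address no interface holds, so once the alias is gone only the upstream device's cached ARP entry still delivers frames, and when that entry expires the traffic stops. Whether that is the cause here is an assumption; running `arping` for the public address from the external segment while the alias is down is the check. By default the script prints the commands; set APPLY=1 to run them as root on the router.

```shell
#!/bin/sh
# Added example: 1:1 NAT for one LAN host plus masquerade for the rest.
# Assumptions (not from the original post): eth1 external, eth0 LAN,
# LAN is 192.168.0.0/16, X is 192.168.15.1, and 203.0.113.10 is a
# documentation placeholder for X's public address.
EXT_IF=eth1
LAN_IF=eth0
LAN_NET=192.168.0.0/16

# Print the commands for one LAN host that owns a public address.
# $1 = private address, $2 = public address
one_to_one_nat() {
    priv=$1
    pub=$2
    # Inbound: rewrite the destination to the LAN host before routing.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $priv"
    # Outbound: rewrite the host's source to its public address after routing.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to-source $pub"
    # Answer ARP for $pub on the external segment without an interface alias.
    # DNAT alone never makes the kernel claim the address, so without this the
    # upstream device's ARP entry for $pub expires and frames stop arriving.
    echo "ip neigh add proxy $pub dev $EXT_IF"
}

# Catch-all for every other LAN host.
masquerade_rest() {
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE"
}

# Emit the full rule set. The 1:1 SNAT rule is appended before the
# MASQUERADE rule so that it matches first for X's traffic.
all_rules() {
    one_to_one_nat 192.168.15.1 203.0.113.10
    masquerade_rest
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Sanity check callable from a test: number of DNAT rules emitted.
count_dnat() {
    all_rules | grep -c 'DNAT'
}

if [ "${APPLY:-0}" = "1" ]; then
    all_rules | sh -e      # apply on the router (needs root)
else
    all_rules              # dry run: only print the commands
fi
```

The proxy-ARP entry is what an interface alias provides implicitly; publishing it explicitly keeps the kernel answering for the public address while leaving the DNAT rule, not the alias, as the owner of incoming traffic.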

* Strange behaviour of NAT under iptables
@ 2003-07-18 12:37 Marek Zachara
  0 siblings, 0 replies; 2+ messages in thread
From: Marek Zachara @ 2003-07-18 12:37 UTC (permalink / raw)
  To: netfilter
