Hi there,
the problem is not at all puzzling if you know what's happening at that
"SNAT":
the firewall acts like a transparent proxy in your case.
For any outgoing connection, the firewall generates a mapping:
+source address/source port in the local network
+destination address/destination port in the "public" network
resulting in: NAT address/NAT port for the "public" network
Now, when a packet arrives at the firewall, it can check its source
adress/
source port and destination address/destination port and thereby find out
which local machine this packet should be forwarded to. (Both need to
match,
since there may be many local machines connecting to the same public
server concurrently!)
This is how any number (OK: almost any number, since there are no more
than
65335 ports numbers available) of client machines behind such a NAT-device
can share one IP address for (almost) any number of concrrent connections.
Some people - Cisco experts, for example - call this mechanism "port
address
translation", since in fact different IP addresses get translated into
different
port numbers.
In your case, however, the firewall has a mapping for destination
172.16.2.34,
but none for 172.16.2.35, so it cannot forward the packets correctly.
One possible solution for your problem:
There's an iptables target called "NETMAP" that might be helpful:
it statically translates one ip network into a different range of the same
size, e.g.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 172.16.2.34 -j NETMAP
--to 192.168.50.0/24
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 172.16.2.35 -j NETMAP
--to 192.168.50.0/24
iptables -t nat -A PREROUTING -s 172.16.2.34 -d 192.168.50.0/24 -j NETMAP
--to 192.168.1.0/24
iptables -t nat -A PREROUTING -s 172.16.2.35 -d 192.168.50.0/24 -j NETMAP
--to 192.168.1.0/24
This would in fact translate IP addresses instead of port numbers:
the first two rules would translate e.g. 192.168.1.1 to 192.168.50.1 when
connecting to any valid IP
of that SQL server,
and the second two lines would ensure that anything coming back from one
of the two addresses
would get mapped back to the machine the data is actually intended for.
You should definitely add some filter rules for those connections,
however, because otherwise
anyone having access to that SQL server would be able to connect to your
home hetwork!
I happen to know that IPCop 1.4.11 at least does support the
NETMAP-target, but I'm not sure
how to configure that.
Hope this helps,
Frank
netfilter-bounces@lists.netfilter.org schrieb am 27.02.2007 22:56:13:
> Hello,
>
> I have a NATing problem,
>
> I use an IPCop firewall and router,
>
> eth0 has 192.168.1.1 and connects to my LAN 192.168.1.0
>
> eth1 connects to my bridged DSL modem (public IP)
>
> eth2 has 192.168.50.1 and connects to a Cisco 2800 router (at
> 192.168.50.254) which routes via a dedicated T1 to a hospital,
>
> eth3 is unused,
>
> I connect to the following subnets at the hospital,
>
> 172.22.0.0 255.255.254.0
> 172.16.0.0 255.255.254.0
> 172.17.0.0 255.255.254.0
>
> so I added the following routes
>
> route add -net 172.17.0.0/23 gw 192.168.50.1
> route add -net 172.16.0.0/23 gw 192.168.50.1
> route add -net 172.22.0.0/23 gw 192.168.50.1
> route add -net 192.168.50.0/24 gw 192.168.50.1
>
>
> but, since the hospital has its own 192.168.1.0 subnet (equal to mine),
> besides routing, I had to enable NATing, ('cause I wasn't getting any
> traffic back)
>
> I did so by
>
> iptables -t nat -A POSTROUTING -d 172.17.0.0/23 -j SNAT --to
> 192.168.50.1
> iptables -t nat -A POSTROUTING -d 172.16.0.0/23 -j SNAT --to
> 192.168.50.1
> iptables -t nat -A POSTROUTING -d 172.22.0.0/23 -j SNAT --to
> 192.168.50.1
> iptables -t nat -A POSTROUTING -d 192.168.50.0/24 -j SNAT --to
> 192.168.50.1
>
> and can connect to those subnets,
>
> ...BUT!
>
> one services is a MS-SQL database,
> it runs on a virtual machine with IP 172.16.2.34
> while the physical machine has IP 172.16.2.35
> I can perfectly ping 2.34 and 2.35 distinctively from my LAN
>
> when I launch the client application that needs to connect
> my requests are sent to 2.34 (the virtual machine), but I am getting
> responses back from 2.35 (the physical machine's IP)
> so those are not traversing NAT back to me and no connection is
> established,
>
>
> the puzzling thing is that,
>
> If I connect a regular wan router (like those linksys) to the cisco,
> (thus bypassing my IPCop box)
> and a laptop to the router's switch,
> and launch the app, it will connect to the SQL server,
>
> then, when I put everything back, and re-launch the app from my NATed
> by IPCop LAN
> it also runs,
>
> It fails on making the first run, but once is done because of
> bypassing, it will run,
>
> Hospital people had open a ticket with MS, and forwarded them the
> captured packets,
> (it's to my understanding an MS problem, but I have to provide a
> solution)
>
> I think my alternatives are:
>
> 1.
> doing one to one nat, meaning every internal address (in the
> 192.168.1.0)
> translates into an external address (in the 192.168.50.0) ,
>
> but I don't know how to do it, I can learn though,
>
> 2.
> changing my LAN to i.e. 192.168.51.0 so no NATing is needed,
>
> Is there any other?
>
> what will you recommend?
>
> any pointer towards the right documentation in how to do it?
>
> Many, many thanks in advance
>
>
>
>
>
|