NAT issue -- machines outside NATed network don't know where they should respond??

This is a discussion on NAT issue -- machines outside NATed network don't know where they should respond?? within the IPFilter forums, part of the System Security and Security Related category; Hi. I have problem with nating private network. My nating box has two ( well three ) interfaces up: bge0, bge1002 and ...


Old 02-05-2005
 

Hi. I have a problem with NATing a private network. My NATing box has
two (well, three) interfaces up: bge0, bge1002 and bge2002.

bge0 has the routable IP NATip, bge1002 has 192.168.1.1 and bge2002 has
192.168.2.1 (netmasks are 255.255.255.0).

I have been trying to set up NAT between 192.x.x.x and the rest of the world. I
started with a rule like this (to check that everything works):

map bge2002 192.168.1.0/24 -> 192.168.3.0/24

Everything worked fine. Packets came from 192.168.1.0/24, got translated, went
to a machine in 192.168.2.0/24 and came back through translation to the
originating IP.

Then I tried something like this:

map bge0 192.168.1.0/24 -> NATip/32 portmap tcp/udp auto

or

map bge0 192.168.1.0/24 -> NATip/32 portmap auto

In this case everything worked fine too; I was able to establish connections
beyond unroutable IPs (from machines in 192.168.1.0/24), make DNS lookups
(the DNS server is in 194) and so on.



But with a rule like this:

map bge0 192.168.1.0/24 -> 194.29.145.252/32 portmap auto

(or 194.29.145.254 ---> it works between two private networks - 192...)

packets are translated by ipnat and sent to the machine I was trying to ping or
ssh, but nothing comes back. The only reaction from the peer is an ARP lookup for
194.29.145.252 or 254.





here is the rest of the stuff:
grinch# uname -a
SunOS grinch 5.9 Generic_117171-15 sun4u sparc SUNW,Sun-Fire-V210

grinch# isainfo -vk
64-bit sparcv9 kernel modules



grinch# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 4
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet NATip netmask ffffff00 broadcast 194.29.145.255
        ether 0:3:ba:9f:84:71
bge1002: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 6
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 0:3:ba:9f:84:73
bge2002: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 7
        inet 192.168.2.1 netmask ffffff00 broadcast 192.168.2.255
        ether 0:3:ba:9f:84:73

grinch# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          192.168.1.1          U        1     14  bge1002
192.168.2.0          192.168.2.1          U        1      6  bge2002
194.29.145.0         NATip                U        1    713  bge0
default              194.29.145.1         UG       1   1118
127.0.0.1            127.0.0.1            UH       2      2  lo0



grinch# netstat -i
Name     Mtu  Net/Dest    Address      Ipkts   Ierrs Opkts  Oerrs Collis Queue
lo0      8232 loopback    localhost         6  0         6  0     0      0
bge0     1500 grinch      grinch       100375  0     14688  0     0      0
bge1002  1500 grinch1002  grinch1002     7703  0       752  0     0      0
bge2002  1500 grinch2002  grinch2002     2200  0       421  0     0      0





grinch# netstat -s -P ip



IPv4 ipForwarding = 2 ipDefaultTTL = 255
ipInReceives = 11870 ipInHdrErrors = 0
ipInAddrErrors = 0 ipInCksumErrs = 0
ipForwDatagrams = 8372 ipForwProhibits = 41
ipInUnknownProtos = 0 ipInDiscards = 0
ipInDelivers = 2073 ipOutRequests = 3234
ipOutDiscards = 0 ipOutNoRoutes = 0
ipReasmTimeout = 60 ipReasmReqds = 0
ipReasmOKs = 0 ipReasmFails = 0
ipReasmDuplicates = 0 ipReasmPartDups = 0
ipFragOKs = 0 ipFragFails = 0
ipFragCreates = 0 ipRoutingDiscards = 0
tcpInErrs = 0 udpNoPorts = 1272
udpInCksumErrs = 0 udpInOverflows = 0
rawipInOverflows = 0 ipsecInSucceeded = 0
ipsecInFailed = 0 ipInIPv6 = 0
ipOutIPv6 = 0 ipOutSwitchIPv6 = 5

grinch# ipf -V
ipf: IP Filter: v4.1.3 (592)
Kernel: IP Filter: v4.1.3
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x187



grinch# ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 10144 passed 11870 nomatch 4164 counted 0 short 0
output packets: blocked 0 passed 11608 nomatch 2513 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 1177 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 5158 (out): 3271
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 52 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 158982
Packet log flags set: (0)
none

// to be sure everything from me is passed out

grinch# ipfstat -io
pass out quick on bge0 all keep state
block in on bge0 all





grinch# ipnat -slv
mapped in 82 out 7478
added 942 expired 0
no memory 0 bad nat 1384
inuse 7
rules 3
wilds 0
table ffffffff7ffffbd8 list 3000250a1a8
List of active MAP/Redirect filters:
map bge0 192.168.1.0/24 -> 194.29.145.252/32
map bge0 192.168.2.0/24 -> 194.29.145.252/32
map bge2002 192.168.1.0/24 -> 194.29.145.254/32



List of active sessions:
MAP 192.168.1.2 33043 <- -> 194.29.145.252 1559 [DNSServer 53]
age 159907 use 0 sumd 0x1773/0x1773 pr 17 bkt 1141/120 flags 2
ifp bge0,bge0 bytes 0/280 pkts 0/4 ipsumd 926f
MAP 192.168.1.2 33042 <- -> 194.29.145.252 1558 [DNSServer 53]
age 159896 use 0 sumd 0x1773/0x1773 pr 17 bkt 1399/378 flags 2
ifp bge0,bge0 bytes 0/280 pkts 0/4 ipsumd 926f
MAP 192.168.1.2 33041 <- -> 194.29.145.252 1557 [DNSServer 53]
age 159706 use 0 sumd 0x1773/0x1773 pr 17 bkt 1139/118 flags 2
ifp bge0,bge0 bytes 0/280 pkts 0/4 ipsumd 926f
MAP 192.168.1.2 33040 <- -> 194.29.145.252 1556 [DNSServer 53]
age 159696 use 0 sumd 0x1773/0x1773 pr 17 bkt 1397/376 flags 2
ifp bge0,bge0 bytes 0/280 pkts 0/4 ipsumd 926f
MAP 192.168.1.3 32829 <- -> 194.29.145.252 1849 [RPCServer 111]
age 159580 use 0 sumd 0x196a/0x196a pr 17 bkt 1005/487 flags 2
ifp bge0,bge0 bytes 0/232 pkts 0/2 ipsumd 926e
MAP 192.168.1.2 33039 <- -> 194.29.145.252 1555 [RPCServer 111]
age 159414 use 0 sumd 0x1773/0x1773 pr 17 bkt 1214/193 flags 2
ifp bge0,bge0 bytes 0/232 pkts 0/2 ipsumd 926f
MAP 192.168.2.3 32819 <- -> 194.29.145.252 1839 [RPCServer 111]
age 159199 use 0 sumd 0x186a/0x186a pr 17 bkt 1251/477 flags 2
ifp bge0,bge0 bytes 0/232 pkts 0/2 ipsumd 916e



List of active host mappings:
192.168.1.2,DNSServer -> 194.29.145.252 (use = 2 hv = 890)
192.168.1.2,DNSServer -> 194.29.145.252 (use = 2 hv = 894)
192.168.1.2,RPCServer-> 194.29.145.252 (use = 1 hv = 926)
192.168.1.3,RPCServer-> 194.29.145.252 (use = 1 hv = 928)
192.168.2.3,RPCServer-> 194.29.145.252 (use = 1 hv = 1440)









========
Regards
Bartosz Baranowski mailto: baranowb@op.pl
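The symptom in the post (peers only ARP for 194.29.145.252/.254 and never get an answer) is what happens when a map rule translates to an address that no interface on the NAT box owns, so nothing on the bge0 segment answers ARP for it. The script below is an added diagnostic, not part of the original post or of IPFilter: it lists every ipnat map target that is not a locally configured address, using the post's own ifconfig and ipnat output as constructed sample input (the real bge0 address stays redacted as NATip, as in the post).

```shell
#!/bin/sh
# Added diagnostic (not from the original post): flag ipnat "map" rules whose
# translated source address is not configured on any local interface. Replies
# to translated traffic are sent to that address, so something on the bge0 LAN
# has to answer ARP for it; a target no interface owns matches the symptom above.

# Constructed sample input copied from the post; "NATip" is the redacted address.
IFCONFIG_SAMPLE='lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 4
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet NATip netmask ffffff00 broadcast 194.29.145.255
bge1002: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 6
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
bge2002: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 7
        inet 192.168.2.1 netmask ffffff00 broadcast 192.168.2.255'

IPNAT_SAMPLE='map bge0 192.168.1.0/24 -> 194.29.145.252/32
map bge0 192.168.2.0/24 -> 194.29.145.252/32
map bge2002 192.168.1.0/24 -> 194.29.145.254/32'

# local_addrs: every address following "inet" in ifconfig -a output (stdin)
local_addrs() {
    awk '$1 == "inet" { print $2 }'
}

# unowned_targets IFCONFIG_TEXT IPNAT_TEXT
# Prints "<interface> <target>" once per distinct map target no interface owns.
# A target of 0 (ipnat shorthand for "use the interface address") is always fine.
unowned_targets() {
    _own=$(printf '%s\n' "$1" | local_addrs)
    printf '%s\n' "$2" | awk -v own_list="$_own" '
        BEGIN { n = split(own_list, a, "\n"); for (i = 1; i <= n; i++) own[a[i]] = 1 }
        $1 == "map" {
            tgt = ""
            for (i = 1; i <= NF; i++) if ($i == "->") tgt = $(i + 1)
            sub("/.*", "", tgt)            # drop the /prefix part
            if (tgt != "" && tgt != "0" && !(tgt in own)) print $2, tgt
        }' | sort -u
}

# On the NAT box itself this would be:
#   unowned_targets "$(ifconfig -a)" "$(ipnat -l)"
unowned_targets "$IFCONFIG_SAMPLE" "$IPNAT_SAMPLE"
```

Run against the post's configuration it reports both 194.29.145.252 on bge0 and 194.29.145.254 on bge2002, while the rules that mapped to NATip (which worked) produce no output.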



