Networking Forums
NAT config problem

simsirpasc
11-19-2008, 08:42 AM
Hi,
I have a situation like this:

Internet <--> my_LAN <--> other_LAN

Currently what I want to do is to make NAT for computers from my_LAN to be able to access other_LAN.
My LAN is on the 192.168.100.0 network range, and other_LAN is on the 10.0.0.0 network range.
I was assigned IPs by the admin of other_LAN.
The router between the two LANs has eth0 on the side of my_LAN and ra0 on the side of other_LAN.


Here is my script (in the NAT section, for a start I want to set up NAT for one computer):

#!/bin/bash

echo "1" > /proc/sys/net/ipv4/ip_forward

#ssh
iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT

#http
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT

#ftp
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT

#samba
iptables -A INPUT -p tcp -i eth0 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 137 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 138 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 138 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 139 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 139 -j ACCEPT

#routing, nat
iptables -t nat -A POSTROUTING -o ra0 -s 192.168.100.11 -j SNAT --to-source 10.168.23.143
iptables -A FORWARD -i eth0 -o ra0 -s 192.168.100.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A POSTROUTING -t nat -j MASQUERADE

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -j DROP

iptables-save > /etc/iptables.up.rules

This is not working.
What am I doing wrong?
Pascal Hambourg
11-19-2008, 11:19 AM
Hello,

simsirpasc wrote:
>
> Internet <--> my_LAN <--> other_LAN
>
> currently what I want to do is to make nat for computers from my_LAN
> to be able
> to access other_LAN.
> my lan is on 192.168.100.0 network range, and other_LAN is at 10.0.0.0
> network range
> i was assigned ip's from the admin of other_LAN.
> the router between two LANs has eth0 on the side of my_LAN and ra0 on
> the side of other_LAN.
>
> here is my script (at nat section for start i want to set up nat for
> one computer):
>
> #!/bin/bash
>
> echo "1" > /proc/sys/net/ipv4/ip_forward

[...]
> iptables -t nat -A POSTROUTING -o ra0 -s 192.168.100.11 -j SNAT --to-source 10.168.23.143
> iptables -A FORWARD -i eth0 -o ra0 -s 192.168.100.0/24 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This looks good.

> this is not working.

What exactly is not working?
How's the route from 192.168.100.11 to other_LAN?
Is 10.168.23.143 assigned to ra0?
simsirpasc
11-19-2008, 02:41 PM
ra0 is assigned 10.168.23.141 (the router's IP); the .143 address is the IP I am trying to assign to a computer on my_LAN.
Nothing is coming through... web, ping... traceroute reaches only my router.

I'm not much of an expert on this, but I tried to ping 10.168.4.2 (one computer on the other_LAN) and ran tcpdump on my router (btw the router on the other_LAN has the 10.168.23.129 address):

root@router1# tcpdump -i ra0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ra0, link-type EN10MB (Ethernet), capture size 96 bytes
16:17:34.993927 IP 10.168.23.129 > OSPF-DSIG.MCAST.NET: igmp v2 report OSPF-DSIG.MCAST.NET
16:17:35.034660 IP 10.168.23.129.5678 > 255.255.255.255.5678: UDP, length 55
16:17:35.038895 CDPv1, ttl: 120s, Device-ID 'mt-ares', length 62
16:17:35.076768 IP 10.168.23.132.netbios-ns > 10.168.23.191.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:17:35.305428 IP 10.168.23.129 > OSPF-ALL.MCAST.NET: igmp v2 report OSPF-ALL.MCAST.NET
16:17:35.372878 IP 10.168.23.132 > 239.255.255.250: igmp v2 report 239.255.255.250
16:17:36.163565 IP 10.168.23.143 > 10.168.4.2: ICMP echo request, id 1024, seq 1536, length 40
16:17:36.382403 arp who-has 10.168.23.143 tell 10.168.23.129
16:17:37.104142 IP 10.168.23.129 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length: 44
16:17:37.373650 arp who-has 10.168.23.143 tell 10.168.23.129
16:17:37.829733 IP 10.168.23.132.netbios-dgm > 10.168.23.191.netbios-dgm: NBT UDP PACKET(138)
16:17:37.830876 IP 10.168.23.132.netbios-ns > 10.168.23.191.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:17:38.373627 arp who-has 10.168.23.143 tell 10.168.23.129
16:17:38.576113 IP 10.168.23.132.netbios-ns > 10.168.23.191.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:17:39.326362 IP 10.168.23.132.netbios-ns > 10.168.23.191.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:17:41.521011 IP 10.168.23.143 > 10.168.4.2: ICMP echo request, id 1024, seq 1792, length 40
16:17:41.700115 arp who-has 10.168.23.143 tell 10.168.23.129
16:17:42.075792 IP 10.168.23.132.netbios-ns > 10.168.23.191.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:17:42.693775 arp who-has 10.168.23.143 tell 10.168.23.129
16:17:42.825679 IP 10.168.23.132.netbios-ns > 10.168.23.191.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:17:43.575835 IP 10.168.23.132.netbios-ns > 10.168.23.191.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:17:43.694129 arp who-has 10.168.23.143 tell 10.168.23.129
16:17:47.023378 IP 10.168.23.143 > 10.168.4.2: ICMP echo request, id 1024, seq 2048, length 40
16:17:47.103623 IP 10.168.23.129 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length: 44
16:17:47.442509 arp who-has 10.168.23.143 tell 10.168.23.129
16:17:48.433004 arp who-has 10.168.23.143 tell 10.168.23.129
16:17:49.434780 arp who-has 10.168.23.143 tell 10.168.23.129

To me it looks like my router isn't forwarding packets from other_LAN to my_LAN...?
I don't know exactly what is wrong or how to determine the problem.

 
Pascal Hambourg
11-20-2008, 11:09 AM
[Please quote properly - and don't top-post]

simsirpasc wrote:
> to ra0 is assigned 10.168.23.141 (the router's IP), .143 address is IP
> I am trying to assign to a
> computer on my_LAN.
> nothing is coming through...web, ping... traceroute reaches only my
> router.
>
> i'm not much of an expert on this, but i tried to ping 10.168.4.2 (one
> computer on the other_LAN)
> and ran tcpdump on my router (btw the router on the other_LAN has
> 10.168.23.129 address):

What router? Didn't you just write that the router's address was
10.168.23.141?

> root@router1# tcpdump -i ra0

[...]
> 16:17:47.442509 arp who-has 10.168.23.143 tell 10.168.23.129
> 16:17:48.433004 arp who-has 10.168.23.143 tell 10.168.23.129
> 16:17:49.434780 arp who-has 10.168.23.143 tell 10.168.23.129
>
> to me it looks like that my router isn't forwarding packets from
> other_LAN to my_LAN...?

Actually your router doesn't even receive IP packets from other_LAN to
my_LAN, because the sender doesn't know how to send them.

> exactly, I don't know what is wrong and how to determine the problem?


As you can see above, nothing replies to ARP queries from 10.168.23.129
for 10.168.23.143. ARP (Address Resolution Protocol) is used to learn
the MAC address of the next hop. This is not surprising, because
10.168.23.143 is not assigned to any interface on the link. That's why I
asked if it was assigned to ra0.

You have two options:
1) Add the address to ra0
ip addr add 10.168.23.143 dev ra0

2) Set up proxy ARP serving ra0's MAC address for 10.168.23.143.
I don't know how to do this, the 'proxy' option in 'arp' or 'ip neigh'
commands do not seem to work.
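The check behind Pascal's diagnosis, as an added example that is not part of the thread: a POSIX shell pre-flight that parses the nat table and the interface addresses and flags any SNAT --to-source address that is not configured on its egress interface, which is exactly the state the tcpdump above shows (ARP for .143 goes unanswered). The sample rule and address listings are constructed to mirror this thread; eth0's address and the /24 masks are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight check that every SNAT
# --to-source address is configured on its egress interface, so the next hop
# on that link gets an ARP reply for it. The rule and address listings are
# constructed to mirror the thread; eth0's address and the /24 masks are
# assumptions (the thread gives neither).

# check_snat_rules RULES ADDRS
#   RULES: nat table in iptables-save format
#   ADDRS: output of "ip -o -4 addr show"
# Prints one line per SNAT rule; returns 0 only if every address is present.
check_snat_rules() {
    rules=$1; addrs=$2; rc=0
    while IFS= read -r line; do
        case "$line" in
            *POSTROUTING*"-j SNAT"*) ;;     # only SNAT rules matter here
            *) continue ;;
        esac
        iface=$(printf '%s\n' "$line" | sed -n 's/.*-o \([^ ]*\).*/\1/p')
        src=$(printf '%s\n' "$line" | sed -n 's/.*--to-source \([^ ]*\).*/\1/p')
        src=${src%%:*}; src=${src%%-*}    # drop :port or -range suffixes
        pat=$(printf '%s' "$src" | sed 's/\./\\./g')
        if printf '%s\n' "$addrs" | grep -q -E "^[0-9]+: $iface +inet $pat/"; then
            echo "ok: $src is on $iface"
        else
            echo "MISSING: $src is not on $iface (ARP for it goes unanswered)"
            rc=1
        fi
    done <<EOF
$rules
EOF
    return $rc
}

RULES_SAMPLE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.100.11/32 -o ra0 -j SNAT --to-source 10.168.23.143
COMMIT'
# router before the fix: .143 is not on ra0, matching the thread's tcpdump
ADDRS_BEFORE='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.100.1/24 brd 192.168.100.255 scope global eth0
3: ra0    inet 10.168.23.141/24 brd 10.168.23.255 scope global ra0'
# after "ip addr add 10.168.23.143/24 dev ra0" (option 1 above)
ADDRS_AFTER="$ADDRS_BEFORE
3: ra0    inet 10.168.23.143/24 scope global secondary ra0"

check_snat_rules "$RULES_SAMPLE" "$ADDRS_BEFORE" || echo "fix: ip addr add 10.168.23.143/24 dev ra0"
check_snat_rules "$RULES_SAMPLE" "$ADDRS_AFTER"
# Against a live router (root): check_snat_rules "$(iptables-save -t nat)" "$(ip -o -4 addr show)"
```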