Troubleshooting Connectivity and NAT

I am having a network connectivity problem which may involve nat. An
inside host connected to eth2 can ping interfaces on the firewall, and
the firewall itself can ping its gateway. However, the inside host
cannot ping the gateway even with the simplest possible set of rules.
I suspect that packets are going out but not getting back.

I've attached what I hope will be enough info for someone to tell me
what I'm doing wrong. (eth1 and lo removed.)


[root@fw1 bsimon]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:00:C0:A79:4A
inet addr:x.y.34.6 Bcast:x.y.35.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1858082 errors:0 dropped:0 overruns:0 frame:0
TX packets:18396 errors:0 dropped:0 overruns:0 carrier:0
collisions:7 txqueuelen:100
RX bytes:114057207 (108.7 Mb) TX bytes:1747981 (1.6 Mb)
Interrupt:3 Base address:0x290 Memory:d0000-d4000

eth2 Link encap:Ethernet HWaddr 00:50:04:99:44:29
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:197 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:23568 (23.0 Kb) TX bytes:1312 (1.2 Kb)
Interrupt:12 Base address:0x6100


[root@fw1 bsimon]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth2
x.y.34.0 * 255.255.254.0 U 0 0 0 eth0
default x.y.34.1 0.0.0.0 UG 0 0 0 eth0


[root@fw1 bsimon]# cat fw.rules
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to x.y.34.102
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT


[root@fw1 bsimon]# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 14744 packets, 1837K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 31 packets, 2528 bytes)
pkts bytes target prot opt in out source destination
3 202 SNAT all -- * eth0 0.0.0.0/0 0.0.0.0/0
to:x.y.34.102

Chain OUTPUT (policy ACCEPT 28 packets, 2382 bytes)
pkts bytes target prot opt in out source destination


[root@fw1 bsimon]# iptables -L -v -n
Chain INPUT (policy ACCEPT 637 packets, 56469 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 4 packets, 240 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 19070 packets, 1469K bytes)
pkts bytes target prot opt in out source destination


[root@fw1 bsimon]# lsmod
Module Size Used by
ipt_state 1024 0 (autoclean)
ipt_LOG 3856 0 (autoclean)
ipt_limit 1360 0 (autoclean)
iptable_filter 2128 0 (autoclean) (unused)
iptable_nat 16528 0 (autoclean) (unused)
ip_conntrack 15824 2 (autoclean) [ipt_state iptable_nat]
ip_tables 10944 7 [ipt_state ipt_LOG ipt_limit
iptable_filter iptable_nat]
autofs 11232 0 (autoclean) (unused)
3c59x 25216 1
ne 7040 1
wd 5312 1
8390 6208 0 [ne wd]
ext3 61936 2
jbd 38976 2 [ext3]


[root@fw1 root]# cat /proc/sys/net/ipv4/ip_forward
1

On 29 Jan 2004 10:48:32 -0800, (E-Mail Removed) (Bob Simon)
wrote:

>I am having a network connectivity problem which may involve nat. An
>inside host connected to eth2 can ping interfaces on the firewall, and
>the firewall itself can ping its gateway. However, the inside host
>cannot ping the gateway even with the simplest possible set of rules.
>I suspect that packets are going out but not getting back.

>[root@fw1 bsimon]# ifconfig
>eth0 Link encap:Ethernet HWaddr 00:00:C0:A79:4A
> inet addr:x.y.34.6 Bcast:x.y.35.255 Mask:255.255.254.0

>[root@fw1 bsimon]# cat fw.rules
>iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to x.y.34.102

I found the problem -- I either need to change the mapped SNAT address
to eth0's address, or I have to multinet eth0.

I tested the first solution and it works fine. Are there any reasons
to prefer the second one?
Bob

--
Bob Simon
remove x from domain for private replies