Destination NAT question

Andrew Pollock andrew.pollock@singtech.com.au
Tue, 11 Dec 2001 09:04:25 +1000


Well I was binding the public IP addresses to my external interface until I
tried the proxyarp alternative that skaya@enix.org suggested...

-----Original Message-----
From: Matthew G. Marsh [mailto:mgm@paktronix.com]
Sent: Tuesday, 11 December 2001 2:34 AM
To: Andrew Pollock
Cc: skaya@enix.org; netfilter@lists.samba.org
Subject: RE: Destination NAT question


On Mon, 10 Dec 2001, Andrew Pollock wrote:

> What you describe below certainly works as an alternative to binding the
> additional IP's to the public interface of the NAT box, and I'll use this
> instead, however it doesn't seem to solve the problem I'm having.
>
> Now when I try to connect to the public IP of one of my private servers, I
> get a "no route to host" and there's an incomplete ARP entry for the public
> address of the server, so I dare say that the NAT box is trying to talk out
> the internal interface to the public IP's of the servers.

That is why you want to assign the IPs to your public interface. Then you
will get the correct response. BTW Cisco does this for you so if you are
used to using IOS then you must add in the assign IP address to interface
step.

> Andrew
>
> -----Original Message-----
> From: skaya@calliope.enix.org [mailto:skaya@calliope.enix.org]On Behalf
> Of skaya@enix.org
> Sent: Monday, 10 December 2001 6:37 PM
> To: Andrew Pollock
> Cc: netfilter@lists.samba.org
> Subject: Re: Destination NAT question
>
>
>
> > I've bound the public IP addresses as secondary interfaces of my NAT box,
> > and I'm doing DNAT to change external traffic to them to the private IP
> > addresses that they actually have inside the network. [...]
> > The only problem I have is that if the NAT box itself tries to access the
> > external IP address, because it's bound to a secondary interface on itself,
> > the connection winds up on the NAT box, instead of being NATed to the
> > private IP internally. (I hope I explained that clearly enough)
>
> from a few messages on this list, it looks like many people assign the
> NAT'ted IP addresses to the NAT box ; of course, this leads to Big Problems
> when the NAT box tries to talk to the NAT'ted IP addresses.
>
> I see two solutions :
> 1/ have the traffic for public addresses routed thru the NAT box
>    (not very convenient if that implies modification of routing tables
>     of hundreds of boxen)
> 2/ use proxyarp :
>         - add the route for the public addresses
>           route add -net 1.2.3.0/24 dev ethInternal
>         - activate proxyarp for the external interface
>           echo 1 > /proc/sys/net/ipv4/conf/ethExternal/proxy_arp
> regards
>

--------------------------------------------------
Matthew G. Marsh,  President
Paktronix Systems LLC
1506 North 59th Street
Omaha  NE  68104
Phone: (402) 932-7250 x101
Email: mgm@paktronix.com
WWW:  http://www.paktronix.com
--------------------------------------------------
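An added example (not code from anyone in this thread) putting the proxyarp recipe above together with the DNAT rules, including a nat OUTPUT rule for the case Andrew raised, where the NAT box itself connects to a published address. Interface names, the 203.0.113.0/24 block and the PROC_ROOT override are assumptions for illustration.

```shell
#!/bin/sh
# Added example: proxy-ARP DNAT setup for one published host, plus a check.
# Interface names, addresses and PROC_ROOT are assumed values, not from the thread.
set -eu

EXT_IF=${EXT_IF:-eth0}                      # public-facing interface (assumed)
INT_IF=${INT_IF:-eth1}                      # internal interface (assumed)
PUBLIC_NET=${PUBLIC_NET:-203.0.113.0/24}    # constructed documentation range
PROC_ROOT=${PROC_ROOT:-/proc/sys/net/ipv4/conf}

# Return 0 when proxy_arp is on for interface $1, 1 otherwise
# (a missing or unreadable sysctl file counts as off).
proxy_arp_enabled() {
    f="$PROC_ROOT/$1/proxy_arp"
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Enable proxy ARP on the external interface and route the public block inward,
# i.e. the two steps from the thread, without binding the public IPs locally.
enable_proxy_arp() {
    echo 1 > "$PROC_ROOT/$EXT_IF/proxy_arp"
    ip route replace "$PUBLIC_NET" dev "$INT_IF"
}

# Print the nat-table rule arguments that publish $1 (public) as $2 (private).
# PREROUTING rewrites traffic arriving from outside; OUTPUT rewrites
# connections the NAT box itself opens to the public address, which otherwise
# get routed out the internal side and never reach the server.
dnat_rules() {
    pub=$1; priv=$2
    printf '%s\n' \
      "-t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $priv" \
      "-t nat -A OUTPUT -d $pub -j DNAT --to-destination $priv"
}

# Apply the rules from dnat_rules through iptables (needs root).
apply_dnat() {
    dnat_rules "$1" "$2" | while read -r rule; do
        # shellcheck disable=SC2086
        iptables $rule
    done
}

# Usage: sh script.sh apply <public-ip> <private-ip>
if [ "${1:-}" = apply ]; then
    enable_proxy_arp
    apply_dnat "$2" "$3"
    proxy_arp_enabled "$EXT_IF" && echo "proxy_arp on $EXT_IF: ok"
fi
```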