NATing Not working

sneak at ipnoc.co.za
Sun Apr 29 14:14:49 CEST 2007


Hi,

As shown below, I've got 3 machines. I try to ping machine 3 (IP 172.15.0.1) from
machine 1 (IP 10.22.200.25), which has a route pointing to the NAT server (IP 10.22.200.1),
in the hope that it would be NATted to 172.15.0.15 and machine 3 would be able to speak
to machine 1. Now this is not the case. The tcpdump below indicates that the NATting is
happening, and I have enabled IP forwarding in /etc/sysctl.conf. On that NAT server I'm
running CentOS 5, kernel 2.6.18-8.

But I don't get any reply from machine 3, and when I do a tcpdump on machine 3 I get
ping requests from 10.22.200.25 and not its NATted address 172.15.0.15.


Is there something I'm missing in my iptables commands, or kernel modules?


 +-----------+          +-----------+          +-----------+
 |           |          | CentOS 5  |          |           |
 | machine 1 |          |    NAT    |          | machine 3 |
 |           |          |  kernel   |          |           |
 |           |          | 2.6.18-8  |          |           |
 +-----------+          +-----------+          +-----------+
       a.|              b.|eth0  c.|eth1               d.|
  +-----------------------------------------------------------+
  |                                                           |
  |                          Switch                           |
  |                                                           |
  +-----------------------------------------------------------+

a.10.22.200.25 (natted address 172.15.0.15)
b.10.22.200.1
c.172.15.0.5
d.172.15.0.1



Machine 1 Routing table
=======================



[root at mach1 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.22.200.0     0.0.0.0         255.255.255.128 U     0      0        0 eth1
172.69.128.0    0.0.0.0         255.255.255.128 U     0      0        0 eth0
172.15.0.0      10.22.200.1     255.255.255.0   UG    0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         172.69.128.1    0.0.0.0         UG    0      0        0 eth0



NAT rules on NAT server
=======================
iptables -t nat -A POSTROUTING -o eth1 -s 10.22.200.25 -j SNAT --to 172.15.0.15
iptables -t nat -A PREROUTING -i eth1 -d 172.15.0.15 -j DNAT --to 10.22.200.25






-------

[root at mach1 ~]# ping 172.15.0.1
PING 172.15.0.1 (172.15.0.1) 56(84) bytes of data.

--- 172.15.0.1 ping statistics ---
25 packets transmitted, 0 received, 100% packet loss, time 23997ms


--------

[root at nat ~]# tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes



14:12:16.329663 arp who-has 172.15.0.1 tell 172.15.0.5
14:12:16.329718 arp reply 172.15.0.1 is-at 00:11:25:6e:05:4f (oui Unknown)
14:12:16.329725 IP 172.15.0.15 > 172.15.0.1: ICMP echo request, id 58439, seq 0, length 64
14:12:17.328748 IP 172.15.0.15 > 172.15.0.1: ICMP echo request, id 58439, seq 1, length 64
14:12:18.328540 IP 172.15.0.15 > 172.15.0.1: ICMP echo request, id 58439, seq 2, length 64
14:12:19.328356 IP 172.15.0.15 > 172.15.0.1: ICMP echo request, id 58439, seq 3, length 64
14:12:20.328139 IP 172.15.0.15 > 172.15.0.1: ICMP echo request, id 58439, seq 4, length 64
14:12:21.327945 IP 172.15.0.15 > 172.15.0.1: ICMP echo request, id 58439, seq 5, length 64
14:12:22.327752 IP 172.15.0.15 > 172.15.0.1: ICMP echo request, id 58439, seq 6, length 64
14:12:22.370038 arp who-has 172.15.0.15 tell 172.15.0.1
14:12:23.328546 IP 172.15.0.15 > 172.15.0.1: ICMP echo request, id 58439, seq 7, length 64
14:12:24.328346 IP 172.15.0.15 > 172.15.0.1: ICMP echo request, id 58439, seq 8, length 64
14:12:25.328148 IP 172.15.0.15 > 172.15.0.1: ICMP echo request, id 58439, seq 9, length 64
14:12:26.327939 IP 172.15.0.15 > 172.15.0.1: ICMP echo request, id 58439, seq 10, length 64
14:12:27.327745 IP 172.15.0.15 > 172.15.0.1: ICMP echo request, id 58439, seq 11, length 64
14:12:28.327537 IP 172.15.0.15 > 172.15.0.1: ICMP echo request, id 58439, seq 12, length 64