DST-NAT Weirdness

savage · December 17, 2005, 11:38pm

Hi,

I’m having problems with either dst-nat, or masqurade (I’m not 100% which one is causing the issues)…

MT1 Gateway, 3 Interfaces (2.9.6):
ether0 - 198.18.0.1/28
ether1 - 198.18.0.17/28
ether2 - unused

MT2 Border, 3 Interfaces (2.9.9):
ether0 - 198.18.0.2/28
ether1 - 192.168.1.1/24 (Masq, Private Network)
ether2 - 198.18.60.0/27 (Server Farm)

On MT1 I have:

 0 X ;;; Transparent SMTP Service
     chain=dstnat src-address=198.18.60.2 protocol=tcp dst-port=25 
     action=accept 

 1 X chain=dstnat protocol=tcp dst-port=25 
     src-address-list=Everyone (The Mesh) 
     dst-address-list=!Everyone (The Mesh) action=dst-nat 
     to-addresses=198.18.60.2 to-ports=25

Rule 0, Allows access from my SMTP Server, to go through the Gateway to the Internet. Rule 1, diverts traffic from my network, through MT2, to the Server Farm.

Using the Packet Sniffer, I can see these packets arriving at MT2. However, the source address of these packets, are the IP address of ether0, not the client (Which, leads me to believe that this is in fact affected by the masq rule on MT2).

MT2, has the following masq rule:

 0   ;;; Outbound SRC NAT for Internal Network, excluding to the Server Farm
     chain=srcnat src-address=192.168.1.0/24 action=masquerade

Masq everything from 192.168.1.0/24.

Does anyone have any idea why this is not working? Some quick notes:

I do see the packet count increasing on the Gateway. Thus, the gateway sees the packet, and diverts it to 198.18.60.2
I do see the packet arriving at MT2, HOWEVER, source-address has changed to the Interface address of MT1. It’s not the client address anymore.
From MT2, I see no data arriving at the actual address where the Gateway redirects the traffic to.

Any help, much appreciated.

Thanks,

Tonda · December 18, 2005, 2:01pm

Can you post please also routes from MT1 and MT2 and also all other src- and dst-nat rules from your routers? I do not understand what do you want to achieve with your mail server, can you describe it more precisely?

savage · December 18, 2005, 6:04pm

MT1 (Gateway:

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf 
 #     DST-ADDRESS        PREFSRC         G GATEWAY         DIS INTERFACE     
 0 A S 192.168.1.0/24                     r 198.18.0.34         Border Network
 1 ADC 198.18.0.0/28      198.18.0.1                            DSL Network   
 2 ADC 198.18.0.16/28     198.18.0.17                           VPN Network   
 3 ADC 198.18.0.32/27     198.18.0.33                           Border Network
 4 A S 198.18.60.0/27                     r 198.18.0.34         Border Network
 5 A S 0.0.0.0/0                          r 198.18.0.2          DSL Network

MT2 (Border):

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf 
 #     DST-ADDRESS        PREFSRC         G GATEWAY         DIS
 0 ADC 192.168.1.0/24     192.168.1.1    
 1 ADC 198.18.0.32/27     198.18.0.34    
 2 ADC 198.18.60.0/27     198.18.60.1    
 3 A S 0.0.0.0/0                          r 198.18.0.33

Mail server is just a example, so don’t worry to much about that. The point is I can dst-nat from the Gateway, right in to 192.168.1.x (and it works). I can’t dst-nat into 198.18.60.x for some reason.

So yeah, I need to figure out why the dst-nat to 198.18.60 does not go past MT2…