spoiler
newbie
Topic Author
Posts: 27
Joined: Thu Mar 02, 2006 6:29 pm

How to avoid dst-nat masquerading the origin IP address...

Wed Mar 15, 2006 1:11 pm

I have a dst-nat rule that redirects connections arriving on the untrusted interface on port 21 to the internal IP where the FTP server resides, obviously on port 21.
The problem is that the logs in the FTP server usually show the internal IP address of the router as the FTP session origin.

Is there a way to avoid this and keep the remote IP address of the session as the origin to keep the logs useful?

RULES (some omitted):
[admin@IMPRINTSA] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic

1 chain=srcnat src-address=10.154.24.0/24
dst-address=10.33.0.0/16 action=accept

2 chain=dstnat in-interface=ADSL protocol=udp
dst-port=20 action=dst-nat
to-addresses=10.154.24.117 to-ports=20

3 chain=dstnat in-interface=ADSL protocol=tcp
dst-port=21 action=dst-nat
to-addresses=10.154.24.117 to-ports=21

7 chain=dstnat in-interface=WIRELESS protocol=udp
dst-port=20 action=dst-nat
to-addresses=10.154.24.117 to-ports=20

8 chain=dstnat in-interface=WIRELESS protocol=tcp
dst-port=21 action=dst-nat
to-addresses=10.154.24.117 to-ports=21


13 chain=srcnat action=masquerade

Txs!
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Wed Mar 15, 2006 1:36 pm

AFAIK no, that's simply the way NAT works.
 
yancho
Member Candidate
Posts: 205
Joined: Tue Jun 01, 2004 3:04 pm
Location: LV

Wed Mar 15, 2006 4:26 pm

Change
chain=srcnat action=masquerade
to
chain=srcnat out-interface=ADSL action=masquerade 
 
spoiler
newbie
Topic Author
Posts: 27
Joined: Thu Mar 02, 2006 6:29 pm

Wed Mar 15, 2006 8:23 pm

I have used many other reverse NAT devices (ci$co, netscreen, ...) and they do not act this way...

About the post from yancho, I think that should not solve the problem, as the rule you specify is the outgoing one. In fact, I need it that way because of an "auto-swapping" default route that swings from one external interface to the other.
 
eflanery
Member
Posts: 382
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID

Wed Mar 15, 2006 9:28 pm

Your rule:
chain=srcnat action=masquerade
Will match everything.

Since you can't match on outgoing interface, due to your routing, just match on the IPs you want to MASQ:
chain=srcnat src-address=10.154.24.0/24 action=masquerade
--Eric
 
spoiler
newbie
Topic Author
Posts: 27
Joined: Thu Mar 02, 2006 6:29 pm

Fri Mar 17, 2006 5:05 pm

Your rule:
chain=srcnat action=masquerade
Will match everything.

Since you can't match on outgoing interface, due to your routing, just match on the IPs you want to MASQ:
chain=srcnat src-address=10.154.24.0/24 action=masquerade
--Eric
Txs a lot, that really solved the problem!
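The mechanism behind the three answers above, as an added example that is not code from the thread or from MikroTik: a small model of how RouterOS walks the dstnat chain before the routing decision and the srcnat chain after it, with the first matching rule ending the chain. It replays the original poster's rules (control port 21 only; the posted rules also forward UDP on port 20, but active-mode FTP data is TCP from port 20, so the data channel is left out here) against three variants of rule 13. The router address on the LAN, the two public addresses and the VPN route for 10.33.0.0/16 are assumptions from the RFC 5737 documentation ranges, not values from the thread. The catch-all masquerade rewrites the source of the dst-natted inbound connection to the router's LAN address, which is what the FTP log showed; matching on out-interface keeps the FTP log correct but stops masquerading LAN traffic as soon as the default route swings to the other interface; matching on src-address fixes both.

```python
"""Model of RouterOS NAT chain evaluation for one packet (added example).

Chain semantics follow the RouterOS manual: dstnat runs before the routing
decision, srcnat after it, and accept / dst-nat / masquerade end the chain.
"""
import ipaddress
from dataclasses import dataclass, replace

# Assumed addresses (not in the thread): router LAN address and public IPs.
ROUTER_ADDR = {"LAN": "10.154.24.1", "ADSL": "203.0.113.10", "WIRELESS": "198.51.100.20"}
LAN_NET = ipaddress.ip_network("10.154.24.0/24")
REMOTE_NET = ipaddress.ip_network("10.33.0.0/16")   # assumed to be reached via a VPN interface


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str


def route(dst: str, default_route: str) -> str:
    """Routing decision: attached LAN, the 10.33/16 route, else the default
    route, which in the thread swings between ADSL and WIRELESS."""
    ip = ipaddress.ip_address(dst)
    if ip in LAN_NET:
        return "LAN"
    if ip in REMOTE_NET:
        return "VPN"
    return default_route


def matches(rule: dict, pkt: Packet, out_iface) -> bool:
    """A rule with no matchers (like the posted rule 13) matches everything."""
    checks = {
        "src_address": lambda v: ipaddress.ip_address(pkt.src) in ipaddress.ip_network(v),
        "dst_address": lambda v: ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(v),
        "protocol": lambda v: pkt.proto == v,
        "dst_port": lambda v: pkt.dport == v,
        "in_interface": lambda v: pkt.in_iface == v,
        "out_interface": lambda v: out_iface == v,   # only known after routing
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)


def run_chain(rules, chain, pkt, out_iface=None):
    """First matching rule wins; accept, dst-nat and masquerade are terminal."""
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt, out_iface):
            continue
        action = rule["action"]
        if action == "accept":
            return pkt                                   # leave the chain untranslated
        if action == "dst-nat":
            return replace(pkt, dst=rule["to_addresses"], dport=rule.get("to_ports", pkt.dport))
        if action == "masquerade":
            # Source becomes the router's own address on the outgoing interface.
            return replace(pkt, src=ROUTER_ADDR.get(out_iface, pkt.src))
    return pkt


def apply_nat(rules, pkt, default_route):
    after_dst = run_chain(rules, "dstnat", pkt)                    # prerouting
    out_iface = route(after_dst.dst, default_route)               # routing decision
    after_src = run_chain(rules, "srcnat", after_dst, out_iface)  # postrouting
    return after_src, out_iface


def ruleset(masq_rule):
    """The thread's rules (control port only), with rule 13 supplied by the caller."""
    ftp = {"protocol": "tcp", "dst_port": 21, "action": "dst-nat",
           "to_addresses": "10.154.24.117", "to_ports": 21}
    return [
        {"chain": "srcnat", "src_address": "10.154.24.0/24", "dst_address": "10.33.0.0/16", "action": "accept"},
        {"chain": "dstnat", "in_interface": "ADSL", **ftp},
        {"chain": "dstnat", "in_interface": "WIRELESS", **ftp},
        masq_rule,
    ]


CATCH_ALL = {"chain": "srcnat", "action": "masquerade"}                                # rule 13 as posted
BY_OUT_IFACE = {"chain": "srcnat", "out_interface": "ADSL", "action": "masquerade"}    # yancho's suggestion
BY_SRC = {"chain": "srcnat", "src_address": "10.154.24.0/24", "action": "masquerade"}  # eflanery's fix


def ftp_server_sees(masq_rule, in_iface="ADSL", client="192.0.2.55"):
    """Source address the FTP server logs for an inbound control connection (client IP is constructed)."""
    pkt = Packet(client, ROUTER_ADDR[in_iface], "tcp", 21, in_iface)
    translated, _ = apply_nat(ruleset(masq_rule), pkt, default_route=in_iface)
    return translated.src


def internet_sees(masq_rule, default_route, lan_host="10.154.24.50"):
    """Source address an internet host sees for outbound LAN traffic via the current default route."""
    pkt = Packet(lan_host, "192.0.2.200", "tcp", 80, "LAN")
    translated, _ = apply_nat(ruleset(masq_rule), pkt, default_route)
    return translated.src


def vpn_peer_sees(masq_rule, lan_host="10.154.24.50"):
    """Rule 1 (accept) ends the srcnat chain, so LAN-to-10.33/16 traffic is never masqueraded."""
    pkt = Packet(lan_host, "10.33.5.5", "tcp", 445, "LAN")
    translated, _ = apply_nat(ruleset(masq_rule), pkt, default_route="ADSL")
    return translated.src


if __name__ == "__main__":
    for name, rule in [("catch-all", CATCH_ALL), ("out-interface", BY_OUT_IFACE), ("src-address", BY_SRC)]:
        print(f"{name:13} ftp log: {ftp_server_sees(rule):13} "
              f"out via ADSL: {internet_sees(rule, 'ADSL'):14} "
              f"out via WIRELESS: {internet_sees(rule, 'WIRELESS')}")
```

Running it prints one line per variant: only the catch-all rule puts 10.154.24.1 in the FTP log, only the out-interface rule lets the private 10.154.24.50 leak out when the default route is on WIRELESS, and the src-address rule keeps the client's address in the log while still masquerading LAN traffic on either uplink.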
