2.7 nat problems
I seem to be having a fairly common problem, from what I've seen searching through deja.com, but I haven't yet seen any answers. I recently added an OpenBSD partition to my Linux box, and now I'm having trouble getting OpenBSD's NAT (ipnat) to do what I think it should do (which may, of course, bear little resemblance to what it's actually doing). I'm not a complete idiot — I did get IP masquerading working properly under Linux — but OpenBSD's NAT seems to have me stumped.
My openBSD machine is running 2.7, with the default kernel. It has two
network cards in it: a linksys card (dc0) that is attached to my dsl modem
(address from dhcp), and a d-link card (rl0) that connects to the hub for my
local network (server IP 192.168.0.1). Both cards seem to be set up
correctly (meaning that I can ping the server from inside my network, and I
can ping the outside world from the server). I followed the instructions in
the networking chapter of the faq, and set up ipf, ipnat, and dhcp (for the
local network -- dhcpd works beautifully) to do straightforward nat.
Unfortunately, traffic from inside my local net isn't making it out.
[Reviewer note: the details below don't yet show whether it is translation or name resolution that fails. dhcpd hands the clients 192.168.0.1 as their DNS server, but the rc.conf below has named_flags=NO, so unless a resolver is started some other way the clients can only reach the outside by bare IP. Pinging an address such as 199.185.137.3 from the Windows box while running `ipnat -l` (the "active sessions" list should fill) and `tcpdump -i dc0` on the server would separate the two cases.]
Help???
My thanks,
Grant
Gory details:
Script started on Sat Sep 2 16:57:06 2000
server# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding = 1
server# cat /etc/hostname.dc0
dhcp NONE NONE NONE
server# cat /etc/hostname.rl0
inet 192.168.0.1 255.255.255.0 NONE
server# ping 192.168.0.1 [*** whoops, meant to use 192.168.0.150, my Win98 box. I have previously checked that pinging the Windows box from the server works; I can't re-verify it now since I need to have Linux IP masquerading up to send this. ***]
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: icmp_seq=0 ttl=255 time=5.343 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.241 ms
^C
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 0.241/2.792/5.343/2.551 ms
server# ping openbsd.org
PING openbsd.org (199.185.137.3): 56 data bytes
64 bytes from 199.185.137.3: icmp_seq=0 ttl=236 time=371.620 ms
64 bytes from 199.185.137.3: icmp_seq=1 ttl=236 time=382.389 ms
^C
--- openbsd.org ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 371.620/377.004/382.389/5.419 ms
server# ifconfig dc0
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
media: Ethernet autoselect (10baseT)
status: active
inet6 fe80::2a0:ccff:fee4:8b65%dc0 prefixlen 64 scopeid 0x2
inet 208.191.169.120 netmask 0xfffff000 broadcast 255.255.255.255
server# ifconfig rl0
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::250:baff:fe8f:617a%rl0 prefixlen 64 scopeid 0x1
server# cat ipf.rules
cat: ipf.rules: No such file or directory
server# cat /etc/ipf.rules
# $OpenBSD: ipf.rules,v 1.6 1997/11/04 08:39:32 deraadt Exp $
#
# IP filtering rules. See the ipf(5) man page for more
# information on the format of this file, and /usr/share/ipf
# for example configuration files.
#
# Pass all packets by default.
# edit the ipfilter= line in /etc/rc.conf to enable IP filtering
#
# NOTE(review): with ipfilter=YES in rc.conf these two stock rules make
# the box a router that filters nothing.  They cannot be what is blocking
# the LAN traffic, but they also mean every service enabled in rc.conf
# (sshd, portmap, inetd, ntpd) is reachable on the DSL-facing dc0
# address, and nothing rejects packets arriving on dc0 that carry a
# 192.168.0.0/24 source or destination.  Once NAT works, a gateway on a
# public line should at least `block in quick on dc0 all` and pass
# outbound traffic on dc0 with `keep state` so only replies come back in.
pass in from any to any
pass out from any to any
server# cat /etc/ipnat.rules
# $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
#
# See /usr/share/ipf/nat.1 for examples.
# edit the ipnat= line in /etc/rc.conf to enable Network Address Translation
#map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
# TCP and UDP from the LAN are rewritten to dc0's address using source
# ports 10000-20000; the second rule catches everything else (ICMP, so
# ping from a client).  This is the usual pairing from nat.1.
map dc0 192.168.0.0/24 -> dc0/32 portmap tcp/udp 10000:20000
# NOTE(review): "dc0/32" is expanded to the interface address when the
# rules are loaded -- `ipnat -l` below lists 208.191.169.120/32 literally.
# If the DHCP lease on dc0 ever changes address the rules must be
# reloaded (`ipnat -CF -f /etc/ipnat.rules`) or translation keeps using
# the old address; ipnat(5) describes `-> 0/32` for dynamic addresses.
# An empty "List of active sessions" in the `ipnat -l` output below means
# no packet from 192.168.0.0/24 had been translated when it was run;
# re-run it while a client is generating traffic to see whether NAT
# fires at all.
map dc0 192.168.0.0/24 -> dc0/32
server# ipnat -l
List of active MAP/Redirect filters:
map dc0 192.168.0.0/24 -> 208.191.169.120/32 portmap tcp/udp 10000:20000
map dc0 192.168.0.0/24 -> 208.191.169.120/32
List of active sessions:
server# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 208.191.175.254 UGS 0 18 1500 dc0
127/8 127.0.0.1 UGRS 0 0 32972 lo0
127.0.0.1 127.0.0.1 UH 3 24 32972 lo0
192.168.0/24 link#1 UC 0 0 1500 rl0
192.168.0.1 0:50:ba:8f:61:7a UHL 0 4 1500 lo0
192.168.0.150 0:a0:cc:32:69:2e UHL 0 38 1500 rl0
208.191.160/20 link#2 UC 0 0 1500 dc0
208.191.167.91 0:10:67:0:36:52 UHL 0 4 1500 dc0
208.191.168.12 link#2 UHL 1 4 1500 dc0
208.191.169.120 127.0.0.1 UGHS 0 0 32972 lo0
208.191.175.254 0:10:67:0:36:52 UHL 1 0 1500 dc0
224/4 127.0.0.1 URS 0 0 32972 lo0
Internet6:
Destination Gateway Flags Refs Use Mtu Interface
::/104 ::1 UGRS 0 0 32972 lo0 =>
::/96 ::1 UGRS 0 0 32972 lo0
::1 ::1 UH 12 0 32972 lo0
::127.0.0.0/104 ::1 UGRS 0 0 32972 lo0
::224.0.0.0/100 ::1 UGRS 0 0 32972 lo0
::255.0.0.0/104 ::1 UGRS 0 0 32972 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 32972 lo0
2002::/24 ::1 UGRS 0 0 32972 lo0
2002:7f00::/24 ::1 UGRS 0 0 32972 lo0
2002:e000::/20 ::1 UGRS 0 0 32972 lo0
2002:ff00::/24 ::1 UGRS 0 0 32972 lo0
fe80::/10 ::1 UGRS 0 0 32972 lo0
fe80::%rl0/64 link#1 UC 0 0 1500 rl0
fe80::%dc0/64 link#2 UC 0 0 1500 dc0
fe80::%lo0/64 fe80::1%lo0 U 0 0 32972 lo0
fec0::/10 ::1 UGRS 0 0 32972 lo0
ff01::/32 ::1 U 0 0 32972 lo0
ff02::%rl0/32 link#1 UC 0 0 1500 rl0
ff02::%dc0/32 link#2 UC 0 0 1500 dc0
ff02::%lo0/32 fe80::1%lo0 UC 0 0 32972 lo0
Encap:
Source Port Destination Port Proto SA(Address/SPI/Proto)
server# cat /etc/rc.conf
#!/bin/sh -
#
# $OpenBSD: rc.conf,v 1.46 2000/04/30 23:17:05 ericj Exp $
# set these to "NO" to turn them off. otherwise, they're used as flags
routed_flags=NO # for normal use: "-q"
mrouted_flags=NO # for normal use: "", if activated
# be sure to enable multicast_router below.
rarpd_flags=NO # for normal use: "-a"
bootparamd_flags=NO # for normal use: ""
rbootd_flags=NO # for normal use: ""
sendmail_flags="-q30m" # for normal use: "-bd -q30m"
smtpfwdd_flags=NO # for normal use: "", and no "-bd" above.
named_flags=NO # for normal use: ""
timed_flags=NO # for normal use: ""
photurisd_flags=NO # for normal use: ""
isakmpd_flags=NO # for normal use: ""
mopd_flags=NO # for normal use: "-a"
httpd_flags=NO # for normal use: "" (or "-DSSL" after reading ssl(8))
apmd_flags=NO # for normal use: ""
dhcpd_flags="-q" # for normal use: "-q"
ip6defaultif=NO # for normal use: interface
rtadvd_flags=NO # for normal use: list of interfaces
# be sure to set net.inet6.ip6.forwarding=1
route6d_flags=NO # for normal use: ""
# be sure to set net.inet6.ip6.forwarding=1
rtsold_flags=NO # for normal use: interface
# be sure to set net.inet6.ip6.forwarding=0
# be sure to set net.inet6.ip6.accept_rtadv=1
# Set to NO if ftpd is running out of inetd
ftpd_flags=NO # for non-inetd use: "-D"
# Set to NO if identd is running out of inetd
identd_flags=NO # for non-inetd use: "-b -u nobody -elo"
# On some architectures, you must also disable console getty in /etc/ttys
xdm_flags="" # for normal use: ""
# set the following to "YES" to turn them on
rwhod=NO
nfs_server=NO
nfs_client=NO
lockd=NO
gated=NO
kerberos_server=NO # kerberos server. run 'info kth-krb' for assistance.
kerberos_slave=NO # kerberos slave server.
amd=NO
ipfilter=YES
ipnat=YES # for "YES" ipfilter must also be "YES"
# NOTE(review): portmap (SunRPC) and inetd listen on all addresses by
# default, which includes the DSL-facing dc0, and /etc/ipf.rules above
# passes everything, so both are reachable from the Internet.  portmap
# is not needed on this box (nfs_server, nfs_client, lockd and amd are
# all NO) and can be set to NO; /etc/inetd.conf is worth a look for
# anything else that should not face the outside.
portmap=YES # almost always needed
inetd=YES # almost always needed
lpd=NO # printing daemons
check_quotas=YES # NO may be desireable in some YP environments
# sshd is the one service that should stay reachable from outside;
# ntpd only needs to talk to its configured peers.
sshd=YES # if YES, run sshd
ntpd=YES # run ntpd if it exists
afs=NO # mount and run afs
# Multicast routing configuration
# Please look at /etc/netstart for a detailed description if you change these
multicast_host=NO # Route all multicast packets to a single interface
multicast_router=NO # A multicast routing daemon will be run, e.g. mrouted
# miscellaneous other flags
# only used if the appropriate server is marked YES above
gated_flags=
ypserv_flags= # E.g. -1 for YP v1, -d for DNS etc
yppasswdd_flags= # "-d /etc/yp" if passwd files are in /etc/yp
nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver
nfsiod_flags="-n 4" # Crank the 4 for a busy NFS client
amd_dir=/tmp_mnt # AMD's mount directory
amd_master=/etc/amd/master # AMD 'master' map
ipfilter_rules=/etc/ipf.rules # Rules for IP packet filtering
ipnat_rules=/etc/ipnat.rules # Rules for Network Address Translation
# -D runs ipmon as a daemon, -s sends its output to syslog.  Only rules
# carrying the `log` keyword produce entries, and the pass-all ruleset in
# /etc/ipf.rules has none, so ipmon shows nothing as configured; adding
# `log` to a temporary rule is a cheap way to see what ipf is passing.
ipmon_flags=-Ds # To disable logging, use ipmon_flags=NO
syslogd_flags= # add more flags, ie. "-u -a /chroot/dev/log"
named_user=named # Named should not run as root unless neccesary
named_chroot=/var/named # Where to chroot named if not empty
afs_mount_point=/afs # Mountpoint for AFS
afs_device=/dev/xfs0 # Device used by afsd
afsd_flags=-z # Flags passed to afsd
shlib_dirs= # extra directories for ldconfig
local_rcconf="/etc/rc.conf.local"
server# cat /etc/sysctl.conf
# $OpenBSD: sysctl.conf,v 1.16 2000/03/30 06:42:17 angelos Exp $
# This files contains a list of sysctl options the user wants set at
# boot time.
# ie.
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0 # 0=disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.esp.enable=1 # 1=Enable the ESP IPSec protocol
#net.inet.ah.enable=1 # 1=Enable the AH IPSec protocol
#ddb.panic=0 # 0=Do not drop into ddb on a kernel panic
#ddb.console=1 # 1=Permit entry of ddb from the console
#fs.posix.setuid=0 # 0=Traditional BSD chown() semantics
#vm.swapencrypt=1 # 1=Encrypt pages that go to swap
#net.inet.ip.ipsec-acl=0 # 0=disable IPsec ingress ACL checking
machdep.allowaperture=1 # 1=permit access to aperture driver (XFree86)
#machdep.apmwarn=10 # battery % when apm status messages enabled
#machdep.kbdreset=1 # permit console CTRL-ALT-DEL to do a nice halt
server# ^D
Script done on Sat Sep 2 17:02:56 2000
dhcpd.conf
# $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Network: 192.168.0.0/255.255.255.0 (rl0)
# Domain name: g2.org
# Name server: 192.168.0.1 (this box)
# Default router: 192.168.0.1
# Addresses: 192.168.0.150 - 192.168.0.253
#
shared-network LOCAL-NET {
option domain-name "g2.org";
# NOTE(review): clients are told to use this box for DNS, but the
# rc.conf shown above has named_flags=NO, so unless a resolver is
# started some other way (e.g. from rc.conf.local) name lookups from
# the LAN fail even if NAT is fine.  Test NAT with a bare IP first, or
# hand out the ISP's resolvers (from dc0's DHCP lease) here instead.
option domain-name-servers 192.168.0.1;
subnet 192.168.0.0 netmask 255.255.255.0 {
# default gateway for the clients; matches rl0's address
option routers 192.168.0.1;
range 192.168.0.150 192.168.0.253;
}
}