RE: [Fwbuilder-discussion] NAT Problem
From: Russell P. <rus...@ar...> - 2004-03-16 11:58:14
> Russell,
>
> first of all, you did not mention what firewall platform you are using.

Oops, sorry! It's Linux 2.4, iptables 1.2.9.

> I can suggest a few things you could do to clean it up:
>
> > In my lab I have two "public" IP addresses - 217.33.42.210 and
> > 217.33.42.211 - so I've configured eth0 thusly:
> >
> > "Interface is external" is ticked
> > Address 1 : 217.33.42.210 / 255.255.255.255
> > Address 2 : 217.33.42.211 / 255.255.255.255
> >
>
> you should use real netmask there, the same one as you used to
> configure interface on the firewall.
>
> I assume "Address 1" and "Address 2" are 'address' objects in the
> firewall object in the GUI, right ?

Yup. I'd tried the real netmask before but had no joy. I've set it back now, so the interface is:

External
|
+-------fw:Address1(ip) 217.33.42.210/255.255.255.240
+-------fw:Address2(ip) 217.33.42.211/255.255.255.240
+-------fw:eth0(MAC)

> > I have 2 PCs on the internal network - 192.168.1.2 and 192.168.1.3, so
> > I have eth1 like this:

Internal
|
+-------fw:Internal(ip) 192.168.1.0/255.255.255.0
+-------fw:eth1(MAC)

And 2 hosts:

Hosts
|
+-Host a
|   +---- 192.168.1.2 / 255.255.255.255
|
+-Host b
    +---- 192.168.1.3 / 255.255.255.255

> > For the global policy I have
> >
> > Source Host a, Dest firewall, accept all
> > Source any, dest Host a, accept all
> > Source any, dest Host b, accept all
> > Source Any, any, deny, all

I also now have, above the deny rule: Source fw, dest any, accept all.

> >
> > For NAT I have
> >
> > source any, orig dest 'Address 2', translated dest Host a
>
> > On the firewall itself I can access host a using either 192.168.1.3 or
> > 217.33.42.211. Great.
> >
> > On an external system I can't access 217.33.42.211 at all.
> >
> > tcpdump sees packets come in on eth0 (the external interface), but
> > nothing on eth1 (the internal interface).
> >
>
> did you enable ip forwarding ? There is a checkbox for it in the
> "Network" tab.

Packet Forwarding is set to "On".

>
> Is there anything in the log ?

Not a thing when I try to access either 217.33.42.211 or 217.33.42.210.

>
> > I have "add virtual addresses for NAT" selected.
> >
>
> you do not need this one since address 217.33.42.211 is already
> configured as a second IP address on the firewall's interface in the
> GUI.

This is now unchecked.

>
> --vk
>
> > What am I missing, or what have I done wrong? :s
> >

I have also just upgraded from fwbuilder 1.1.0 to 1.1.2, just in case, but still the same problem:

If the external PC pings 217.33.42.210 then tcpdump on the firewall sees the ICMP echo request from the external PC, but sends no reply. The same thing happens with the external PC pinging 217.33.42.211. The tcpdump for eth1 shows nothing.

The other way round is fine - both internal machines can ping the external machine.

I tried adding a global rule: Src any, dest Address1/Address2; Srvc all, accept. I could then ping both 217.33.42.210 and .211, but of course there was still no NAT going on, it was just the external interface responding.

As I was (almost) on a roll, I switched the "any, any, deny" rule to "any, any, accept, log" instead. Interestingly enough the interface(s) no longer responded (and nothing was logged).

I thought it was about time to switch things the other way around, so I added a couple of NAT rules to allow "host a" and "host b" access to the external PC. No problems, all worked a treat. "Host a" got translated as address2, "host b" as address1.

Has to be something fundamental / easy I'm overlooking here...
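For readers following the thread, here is a hand-written iptables ruleset for the topology described above (eth0 217.33.42.210/28 plus .211, eth1 192.168.1.0/24, DNAT of .211 to host a). It is an added example, not fwbuilder's generated output or anything from the poster; the point it shows is that DNAT is applied in nat/PREROUTING, so the FORWARD rule that lets the connection through has to match the translated internal address rather than the public one. The DRY_RUN switch, the LOG/DROP tail and the per-host SNAT mapping are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration for the fwbuilder NAT thread, not fwbuilder output.
# Addresses and interfaces are the thread's; DRY_RUN (an assumption) prints
# the commands instead of running them so the ruleset can be inspected
# without root or a live iptables.
set -eu

EXT_IF=eth0; INT_IF=eth1
ADDR1=217.33.42.210; ADDR2=217.33.42.211
HOST_A=192.168.1.2;  HOST_B=192.168.1.3; LAN=192.168.1.0/24

# Wrapper: echo the command in dry-run mode, otherwise execute it.
ipt() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

apply_nat_rules() {
    # Forwarding must be on, or DNAT'd packets never leave the box.
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    # DNAT runs in nat/PREROUTING, before routing and before filter/FORWARD.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$ADDR2" -j DNAT --to-destination "$HOST_A"

    # Outbound: host a leaves as Address 2, host b as Address 1 (as the thread observes).
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$HOST_A" -j SNAT --to-source "$ADDR2"
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$HOST_B" -j SNAT --to-source "$ADDR1"

    # FORWARD sees the packet after DNAT, so match the internal address, not .211.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$HOST_A" -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$HOST_B" -j ACCEPT
    # LAN-originated traffic and the reply half of every connection.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -j LOG --log-prefix "FWD-DROP "
    ipt -A FORWARD -j DROP
}

# Consistency check: no FORWARD rule may match the public DNAT address,
# because by the time FORWARD runs the destination is already 192.168.1.2.
forward_rules_match_internal() {
    ( DRY_RUN=1; apply_nat_rules ) | grep -- '-A FORWARD' | grep -q "$ADDR2" && return 1
    return 0
}
```

Run with `DRY_RUN=1 sh script.sh` after adding a call to `apply_nat_rules` to see the rules it would load; the filter rules are deliberately listed in the order a packet meets them.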