From owner-freebsd-hackers Wed Jan 29 16:21:19 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id QAA02282 for hackers-outgoing; Wed, 29 Jan 1997 16:21:19 -0800 (PST)
Received: from awfulhak.demon.co.uk (awfulhak.demon.co.uk [158.152.17.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA02277 for ; Wed, 29 Jan 1997 16:21:08 -0800 (PST)
Received: from awfulhak.demon.co.uk (localhost.coverform.lan [127.0.0.1]) by awfulhak.demon.co.uk (8.8.4/8.7.3) with ESMTP id AAA15020; Thu, 30 Jan 1997 00:11:56 GMT
Message-Id: <199701300011.AAA15020@awfulhak.demon.co.uk>
X-Mailer: exmh version 1.6.9 8/22/96
To: Archie Cobbs
cc: terry@lambert.org, ari.suutari@ps.carel.fi, hackers@freebsd.org, cmott@srv.net
Subject: Re: ipdivert & masqd
In-reply-to: Your message of "Wed, 29 Jan 1997 15:47:14 PST." <199701292347.PAA25117@bubba.whistle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 30 Jan 1997 00:11:56 +0000
From: Brian Somers
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > > Not exactly - on my machine, there are two problems (3.0-current). The
> > > machine that's doing the masquerading is 10.0.1.254.
> > >
> > > 1. When I do a tcp setup from 10.0.1.254 to 10.0.1.1, the packet goes out
> > > ok, 10.0.1.1 receives it and replies (netstat shows ESTABLISHED).
> > > Masqd/natd receives the packet, fixes it and re-injects it.... then,
> > > all of a sudden, nothing happens. After a long wait, nothing continues
> > > to happen :( It's as if the ip_sum is wrong, but I don't believe that
> > > yet as it works ok when there are two divert sockets involved.
> > >
> > > 2. When a ping is sent from 10.0.1.1 to 10.0.1.254, the incoming icmp
> > > packet is picked up by masqd/natd, fondled and re-injected. That's
> > > *all* that masqd/natd sees. However, 10.0.1.1 gets an ICMP reply.
>
> Hmmm.. a couple of questions, trying to understand the setup. Sorry if
> this is starting to get tiring...

:-)

>
> - What is your network topology (ASCII art if possible)? That is,
> what IP interfaces are on what networks with what addresses assigned?
>
> - What are the ipfw rules that are installed on the diverting machine?
>
> - Why are any packets having their IP addresses remapped if the two
> machines (at 10.0.1.254 and 10.0.1.1) are on the same subnet?
>
> Also, if netstat shows ESTABLISHED (on either end), then at least
> one packet must have successfully made it across in both directions,
> due to the TCP handshaking involved in getting to that state.
>
> Thanks,
> -Archie

I've essentially got the following:

    ----------------                  ----------------------
    |  10.0.10.2   |------------------|      10.0.10.1     |
    ----------------                  |                    |
                                      |  10.0.1.254 (ed0)  |
                                      ----------------------
                                                |
    -----------------                           |
    |   10.0.1.1    |----------------------------
    -----------------

with a mask of ffffff00 everywhere and the machine in the middle using the
following:

    ipfw add 100 divert 6668 all from any to any via ed0

The masqd/natd programs then pick up all packets and call the packet
aliasing code. *All* packets get mangled so that there are no real/alias
port conflicts - that is, an outgoing packet to 10.0.1.1:21 from
10.0.1.254:1025 cannot keep the 1025 port because it may conflict with an
already existing "alias" port - making it impossible to figure out what to
do with the returning 10.0.1.254:1025 packet. Instead, all packets have
their source port changed to an alias port on the way out, and changed back
to what it should be on the way back in. A table is maintained, mapping
alias ports to real IP/port pairs.

Needless to say, the "point" behind this is to have the 10.0.10.0/24
network connected to the 10.0.1.1/24 network through the 10.0.1.254 IP.
The problems with the 10.0.1.254 machine itself are a bit of a shame
because that's the machine that didn't need to do anything special in the
first place :)

--
Brian ,

    Don't _EVER_ lose your sense of humour....
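The alias-port table and the "fix it and re-inject it" step that the message describes, as an added example that is not part of the original thread and not the natd/masqd or libalias code. It models the two flows from the message (10.0.10.2:1025 and the aliasing host 10.0.1.254:1025, both to 10.0.1.1:21) on constructed IPv4/TCP headers, assigns every outbound flow a fresh alias port from an assumed range (40000-40999) regardless of whether the source is the host itself, maps replies back through the table, and recomputes both ip_sum and the TCP checksum (pseudo-header included) after each rewrite, which is the check the writer was suspecting. The divert socket itself is not modelled; the functions operate on raw packet bytes as a divert reader would receive them.

```python
import socket
import struct

# Alias-port range is an assumption for this demo, chosen away from the
# real ephemeral port in play (1025) so the two can never collide.
ALIAS_PORT_FIRST = 40000
ALIAS_PORT_LAST = 40999


def csum16(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 when the stored checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class AliasTable:
    """alias_port -> (real_ip, real_port), as the message describes. Every flow
    gets a fresh alias port, even when the source is the aliasing host, so the
    returning packet is never ambiguous."""

    def __init__(self, alias_ip: str):
        self.alias_ip = alias_ip
        self.next_port = ALIAS_PORT_FIRST
        self.by_flow = {}   # (src_ip, src_port, dst_ip, dst_port) -> alias_port
        self.by_alias = {}  # alias_port -> (real_ip, real_port)

    def outgoing(self, src_ip, src_port, dst_ip, dst_port):
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            if self.next_port > ALIAS_PORT_LAST:
                raise RuntimeError("alias port space exhausted")
            self.by_flow[flow] = self.next_port
            self.by_alias[self.next_port] = (src_ip, src_port)
            self.next_port += 1
        return self.alias_ip, self.by_flow[flow]

    def incoming(self, alias_port):
        return self.by_alias.get(alias_port)


def build_tcp_packet(src_ip, src_port, dst_ip, dst_port, flags=0x02):
    """Constructed sample packet: minimal IPv4 + TCP header, no options or payload."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return fix_checksums(ip + tcp)


def parse(packet):
    ihl = (packet[0] & 0x0F) * 4
    src_ip, dst_ip = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return ihl, src_ip, src_port, dst_ip, dst_port


def fix_checksums(packet: bytes) -> bytes:
    """Recompute ip_sum and the TCP checksum (pseudo-header included) after a rewrite."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", csum16(bytes(ip)))
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", csum16(pseudo + bytes(tcp)))
    return bytes(ip + tcp)


def checksums_ok(packet: bytes) -> bool:
    """True only if both ip_sum and the TCP checksum verify."""
    ihl = (packet[0] & 0x0F) * 4
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(packet) - ihl)
    return csum16(packet[:ihl]) == 0 and csum16(pseudo + packet[ihl:]) == 0


def alias_outgoing(packet, table):
    """Outbound via ed0: source ip/port become the alias pair, checksums refreshed."""
    ihl, src_ip, src_port, dst_ip, dst_port = parse(packet)
    alias_ip, alias_port = table.outgoing(src_ip, src_port, dst_ip, dst_port)
    p = bytearray(packet)
    p[12:16] = socket.inet_aton(alias_ip)
    p[ihl:ihl + 2] = struct.pack("!H", alias_port)
    return fix_checksums(bytes(p))


def alias_incoming(packet, table):
    """Inbound via ed0: undo the rewrite; None when the alias port is unknown."""
    ihl, _, _, _, dst_port = parse(packet)
    real = table.incoming(dst_port)
    if real is None:
        return None
    p = bytearray(packet)
    p[16:20] = socket.inet_aton(real[0])
    p[ihl + 2:ihl + 4] = struct.pack("!H", real[1])
    return fix_checksums(bytes(p))


def demo():
    """The two flows from the message: 10.0.10.2:1025 and 10.0.1.254:1025 to 10.0.1.1:21."""
    table = AliasTable("10.0.1.254")
    out_a = alias_outgoing(build_tcp_packet("10.0.10.2", 1025, "10.0.1.1", 21), table)
    out_b = alias_outgoing(build_tcp_packet("10.0.1.254", 1025, "10.0.1.1", 21), table)
    reply_b = build_tcp_packet("10.0.1.1", 21, "10.0.1.254", parse(out_b)[2], flags=0x12)
    back_b = alias_incoming(reply_b, table)
    return parse(out_a)[1:], parse(out_b)[1:], parse(back_b)[1:], checksums_ok(back_b)


if __name__ == "__main__":
    print(demo())
```

The point of the second flow is the one the message makes: the host's own 10.0.1.254:1025 connection gets alias port 40001 rather than keeping 1025, so the SYN/ACK coming back to 40001 is unambiguously mapped to local port 1025 even though 10.0.10.2 is using the same real port. Re-injecting a rewritten header without the `fix_checksums` step leaves a stale ip_sum, which `checksums_ok` reports as false.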