Date:      Sun, 31 Aug 1997 21:39:51 +0100
From:      Brian Somers <brian@awfulhak.org>
To:        Russell Vincent <rv@groa.uct.ac.za>
Cc:        brian@awfulhak.org (Brian Somers), freebsd-questions@FreeBSD.ORG
Subject:   Re: Problem with packet alias/natd 
Message-ID:  <199708312039.VAA06045@awfulhak.demon.co.uk>
In-Reply-To: Your message of "Sat, 31 Aug 1997 19:48:17 +0200." <E0x5E6j-00079L-00@groa.uct.ac.za> 

Hmm.

Natd is really designed to sit between a private and a public 
network.  The private network knows about public network addresses 
(and uses the machine that runs natd as a gateway).  The public 
network (usually the internet) only knows about the gateway box.  
Natd is smart enough to then route packets that were *really* sent 
from some private machine back to that machine.

The -redirect_address option allows incoming connections from the 
public network (the Internet) to get routed directly to a machine on 
the private net.  However, only the destination address is changed.  
When the machine on the private network gets the connection, it sends 
stuff back to the real public-network machine, routing through the 
gateway.  The gateway un-alters the packet so that the public machine 
sees it as a connection to the gateway box.

Your setup is with three machines on the same network.  Because (as 
you've pointed out) the receiving machine (137.158.128.7) knows how 
to get back to the sending machine, and does so without going through 
the gateway, the sending machine will just drop all of the reply 
packets as being garbage.

The only way you'll get this setup to work is to put the source and 
destination machines on different networks with the natd machine on a 
gateway in between.

I'll bet (at a guess) that this isn't going to suit :(

A simpler solution is to disable port 23 on the 137.158.128.10 machine 
in inetd.conf, and write your own program that listens on port 23 and 
does smart things based on the source address (ie, spawns a child 
that opens a connection to 137.158.128.7 and does the select/read/
write bit between the two), or just spawns a telnetd.

Good luck !

> Brian Somers wrote:
> > > I read that as anything received from host 137.158.128.1 to
> > > 137.158.128.10:23 is diverted to natd, which translates the source
> > > address to 137.158.128.10 (the aliasing machine) and destination
> > > address to 137.158.128.7.
> > 
> > Nope.  The source address should stay the same.  Natd will change the 
> > dst address to 137.158.128.7.
> 
> Then I am missing something pretty fundamental.  :-)
> 137.158.128.1 sends a packet to 137.158.128.10:23, which is
> redirected with source address 137.158.128.1 and dst address
> 137.158.128.7:23. 137.158.128.7 gets the packet and starts
> up a connection to 137.158.128.1, which is not expecting
> to see packets from 137.158.128.7, but 137.158.128.10, so
> it will ignore them.  Surely that won't work (well, I
> can't get it to work  :-) )?
> 
> > Did you really leave out the ``-'' above (before redirect_address) ?  
> > I would suggest that this is the problem :-)
> 
> Ack - I did leave it out in my test!  That explains the anomaly
> I had between using -a and -n.
> 
> > I can see wrong with your setup is that you're not passing return 
> > traffic to natd:
> > 
> >   ipfw a 89 divert 8888 tcp from 137.158.128.10 23 to 137.158.128.1
> 
> Ok, added that now, but I still have the problem with the source
> address being incorrect when it arrives at 137.158.128.7.
> 
> I now have:
> ipfw:
> 00088 divert 8888 tcp from 137.158.128.1 to 137.158.128.10 23
> 00089 divert 8888 tcp from 137.158.128.10 23 to 137.158.128.1
> 
> # natd -v -p 8888 -a 137.158.128.10 -redirect_address 137.158.128.7 0.0.0.0
> 
> and get:
> 
> In  [TCP]  137.158.128.1:2095 -> 137.158.128.10:23 aliased to
>            137.158.128.1:2095 -> 137.158.128.7:23
> 
> The packets are getting to 137.158.128.7, which sends the
> response to 137.158.128.1, which in turn is not expecting
> them from that host.
> 
> > Are you using the latest version of natd ?  Version 1.5 is on Ari's 
> > site (ftp.suutari.iki.fi) or on mine (www.awfulhak.org).  It's also 
> > in RELENG_2_2 & -current.
> 
> I am running a -current of a few days ago.
> 
>  -Russell
> 

-- 
Brian <brian@awfulhak.org>, <brian@freebsd.org>
      <http://www.awfulhak.org>
Don't _EVER_ lose your sense of humour....
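The failure Brian describes above (reply traffic from 137.158.128.7 bypassing the natd gateway because all three hosts share one network) can be modelled in a few lines. This is an added example, not code from the thread or from natd itself; the /24 masks, the 10.0.0.0/24 private network and the 10.0.0.7 target address used for the "fixed" topology are assumptions.

```python
# Added example: a minimal model of natd -redirect_address showing why the
# same-subnet setup in this thread fails and the two-network setup works.
# Client and gateway addresses come from the thread; the subnet masks, the
# routing model and the 10.0.0.0/24 network are assumptions.
from ipaddress import ip_address, ip_network

CLIENT, GATEWAY = "137.158.128.1", "137.158.128.10"   # from the thread

def same_net(a, b, nets):
    """True when a and b share a directly attached network (assumed topology)."""
    a, b = ip_address(a), ip_address(b)
    return any(a in n and b in n for n in map(ip_network, nets))

def natd_in(pkt, target):
    """-redirect_address: only the destination is rewritten, src is untouched."""
    return {**pkt, "dst": (target, 23)} if pkt["dst"] == (GATEWAY, 23) else pkt

def natd_out(pkt, target):
    """Un-alias a reply so the public side sees it as coming from the gateway."""
    return {**pkt, "src": (GATEWAY, 23)} if pkt["src"] == (target, 23) else pkt

def client_accepts_reply(target, nets):
    """Model one SYN from the client and the target's answer; True if the
    answer matches the connection the client actually opened."""
    syn = {"src": (CLIENT, 2095), "dst": (GATEWAY, 23)}
    delivered = natd_in(syn, target)                # ipfw divert 8888 -> natd
    reply = {"src": delivered["dst"], "dst": delivered["src"]}
    if not same_net(target, CLIENT, nets):          # reply must route via gateway
        reply = natd_out(reply, target)             # rule-89 path, un-aliased
    # a TCP socket only accepts segments from the peer it connected to
    return reply["src"] == syn["dst"]

def flat_lan():
    """The thread's setup: .1, .10 and .7 all on 137.158.128.0/24 (mask assumed)."""
    return client_accepts_reply("137.158.128.7", ["137.158.128.0/24"])

def routed_setup():
    """Brian's fix: target on a private net behind the gateway
    (10.0.0.7 and 10.0.0.0/24 are assumed, not from the thread)."""
    return client_accepts_reply("10.0.0.7", ["137.158.128.0/24", "10.0.0.0/24"])

if __name__ == "__main__":
    print("flat LAN reply accepted:", flat_lan())     # False
    print("routed reply accepted:", routed_setup())   # True
```

In the flat-LAN case the reply arrives with source 137.158.128.7, so neither the client's socket nor ipfw rule 89 (which matches only `from 137.158.128.10 23`) ever sees it as part of the original connection.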