Subject: Re: Does IPNAT rdr work?
To: None <mason@acheron.middleboro.ma.us>
From: Ian Dall <Ian.Dall@dsto.defence.gov.au>
List: current-users
Date: 05/12/1998 10:29:33
Mason Loring Bliss <mason@acheron.middleboro.ma.us> writes:
> On Mon, May 11, 1998 at 10:37:11PM +0930, Ian Dall wrote:
>> I have a headless machine as a gateway and I wish to redirect X traffic
>> to an Xterm (well a Sun3 with Xkernel).
> rdr *does* work - I'm using it with our IPNAT in my current setup. I'm
> not sure why your setup is failing... The only real difference I see in
> our setups is what I'm saying to redirect.
> Yours:
>> rdr ppp0 131.185.44.51/32 port X0 -> 10.0.0.2 port X0
>> rdr lo0 127.0.0.1/32 port X0 -> 10.0.0.2 port X0
>> rdr lo0 10.0.0.1/32 port X0 -> 10.0.0.2 port X0
> Mine:
> map ppp0 10.0.0.0/24 -> 0.0.0.0/32 portmap tcp/udp 10000:65000
> map ppp0 10.0.0.0/24 -> 0.0.0.0/32
> rdr ppp0 0.0.0.0/0 port www -> 10.0.0.5 port www
> Do you need to redirect your loopback, incidentally? I don't see how that
> could cause problems, though.
Well, I've tried this with and without the loopback. However, connecting
to 10.0.0.1:6000 or 127.0.0.1:6000 on the gateway behaves just like connecting
to 131.185.44.51:6000 from off site.
> Maybe you could try cutting down what you're doing? Try an rdr line like
> mine, for instance, without the loopback lines and without specifying a
> particular address.
I suppose it is possible that the 0.0.0.0/0 matches whereas the
specific host doesn't. But in that case I would expect that I would be
failing to connect.
> Wait... Doh! You're not doing any mapping! Your redirect filter is going
> to pass stuff through, but without mapping your inside machine can't reply -
> at least, that's my understanding. Does that seem to apply here?
I had that idea too, but it didn't make any difference. I guess I am
thinking of a stream connection model for X. I think the xterm should
just be sending packets back with the source and destination address
and port number reversed and that the redirection of packets should be
two way. The second way would be established at connection time (because
you don't know the source port number until then). Now a udp protocol
would be another thing.
I freely admit, however, that my understanding of all this is hazy.
Regardless, I think that running tcpdump should have discovered packets going
out on the local network.
> Tell me how it goes! If my concepts aren't confused, then adding in the
> map rule(s) will fix you.
I'll try that again. Maybe when I tried that map line it was back before I had
some other things right.
I'll also try the "wildcard" left hand address. In this set up, that should do
the right thing (although I think you should be able to specify a specific
address). I guess the fact that the only example anywhere uses this
"wildcard" address might be a clue!
Thanks for the suggestions.
Ian