Subject: Re: IPNAT
To: hysteriaweb <hysteriaweb@charter.net>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: netbsd-help
Date: 02/01/2002 21:43:14
On Thu, Jan 31, 2002 at 08:37:54PM -0500, hysteriaweb wrote:
> this is a strange one, there is something I am missing 
> here.
> 
> I have a NetBSD box running 1.5.2, I now have an open door 
> firewall.
> 
> I am running IPNAT, attached is my conf file.
> 
> I have a dial up modem and a cable modem and right now I 
> just want to use the dial up modem to get in from the 
> outside.
> 
> So I set up a bimap from the static ip to the local 
> network ip (see the first rule)
> 
> Now I can ping and I can see it working but when I try to 
> ssh I can't get through.
> 
> I can monitor the ppp0 interface using tcpdump and I see 
> the packets going in! But nothing works.
> 
> Can anyone explain this? do I have to do anything more 
> with the bimap to make it work with ssh, I don't want to 
> specify any port or protocols for it. I want anything to 
> work through it.
> 
> If you can help me out here or even tell me how to get 
> more troubleshooting information that would be great.
> 
> Please email any responses back to me if at all possible.
> 
> Thanks
> 
> Jon

> # /etc/ipnat.conf
> 
> bimap ppp0 192.168.1.1/32 -> 216.127.193.160/32
> 
> map tlp1 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
> map tlp1 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
> map tlp1 192.168.1.0/24 -> 0/32
> 
> #I only want the clients to use the cable modem as the connection
> map ppp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
> map ppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
> map ppp0 192.168.1.0/24 -> 0/32

Why is this here? If you want the clients to use ppp0 you should not have
map on ppp0.
> 
> #map ppp0 216.127.193.160/32 -> 192.168.1.1/32
> #rdr ppp0 192.168.1.0/24 port 25 -> 216.127.193.160 port 25
> 
> rdr ppp0 216.127.193.160/32 port 80 -> 192.168.1.4 port 80 tcp
> rdr ppp0 216.127.193.160/32 port 21 -> 192.168.1.4 port 21 tcp

I think these last 2 conflict with the bimap.

Now there may be an issue with the default route. You have a default
route to the cable modem, right? So the packets from 192.168.1.1
will be routed to the cable modem, and mapped to tlp1's IP (because it
is routed through tlp1).

You may want to try (assuming tlp0 is your internal interface)
pass in quick on tlp0 to tlp1 from 192.168.1.1 to any
in /etc/ipf.conf

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
--
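A consolidated version of the configuration the reply is driving at, added here as an example and not part of the original exchange. It keeps the poster's addresses and interface names (tlp0 assumed to be the internal interface, tlp1 the cable modem, ppp0 the dial-up link) and assumes that the point of the ipf `to` rule is to push 192.168.1.1's traffic out the interface that carries the bimap; that exit interface is an assumption, not something the reply spells out.

```conf
# /etc/ipnat.conf  (example layout, not the original poster's file)
#
# Outbound NAT for the LAN lives only on the cable modem interface (tlp1).
# ipnat uses the first map rule that matches an outbound packet, so the ftp
# proxy and the portmap rules must come before the catch-all map.
map tlp1 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tlp1 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map tlp1 192.168.1.0/24 -> 0/32

# One host gets a 1:1 mapping to the static dial-up address on ppp0.
# bimap is bidirectional, so it also rewrites 192.168.1.1's outbound
# traffic on ppp0; no separate map block for ppp0 is needed, and the
# original ppp0 map rules are the ones the reply questions.
bimap ppp0 192.168.1.1/32 -> 216.127.193.160/32

# Left out: the two rdr rules that sent ports 80 and 21 of 216.127.193.160
# to 192.168.1.4. They compete with the bimap, which already claims inbound
# packets for that address. Reaching a second host through ppp0 would need
# an external address that is not bimapped (assumption: none is available).

# /etc/ipf.conf  (the rule the reply suggests, interface names assumed)
#
# Policy routing: packets from 192.168.1.1 arriving on the LAN interface
# are forced out ppp0 regardless of the default route, which points at the
# cable modem. tlp0 as the internal interface and ppp0 as the exit are
# assumptions; the exit must be whichever interface carries the bimap.
pass in quick on tlp0 to ppp0 from 192.168.1.1 to any
```

After editing, reload both rule sets (`ipnat -CF -f /etc/ipnat.conf`, then `ipf -Fa -f /etc/ipf.conf`) and check `ipnat -l` while an ssh connection to 216.127.193.160 is attempted from outside: an active entry mapping that address to 192.168.1.1 on ppp0 should appear, and `tcpdump -ni tlp0` should show the reply packets leaving toward the LAN host rather than being mapped to tlp1's address.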