Subject: Re: ipnat and netmask
To: Quentin Garnier <cube@cubidou.net>
From: Patrick Welche <prlw1@newn.cam.ac.uk>
List: tech-net
Date: 08/29/2005 14:41:11
On Mon, Aug 29, 2005 at 03:24:13PM +0200, Quentin Garnier wrote:
> On Mon, Aug 29, 2005 at 02:21:37PM +0100, Patrick Welche wrote:
> > From ipnat -l, I have
> > 
> > map ex1 192.168.0.0/24 -> x.y.z.1/32 proxy port ftp ftp/tcp
> > map ex1 192.168.0.0/24 -> x.y.z.1/32 portmap tcp/udp 10000:65000
> > map ex1 192.168.0.0/24 -> x.y.z.1/32
> > bimap ex1 192.168.0.180/32 -> x.y.z.180/32 proxy port ftp ftp/tcp
> > 
> > yet, when I ssh out from 192.168.200.180, finger prlw1 tells me I am
> > connecting from x.y.z.1 rather than x.y.z.180.
> > 
> > According to the rules /32 should take precedence over /24, so what is
> > wrong?
> 
> Nothing.  ipnat works in a "first-match" way, contrary to ipf.

That's what I thought, but I had the bimap in first position and saw that
finger claimed I was coming from the mapped rather than the bimapped
address, so I found some documentation:

http://www.phildev.net/ipf/IPFprob.html#prob16

   16. I'm having problems with ipnat (e.g. can't get proxies to work
       with bimap, or some other problem).

     When troubleshooting problems with ipnat remember that rules are
     processed by network size. So a /32 rule will always be applied
     before a /24 rule, etc. Therefore a ruleset like:
...

which then leads to the above question...

Patrick
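The two messages above make conflicting claims about how ipnat picks a rule: first match in file order, or most specific source network first. The following script is an added illustration, not ipnat's own code and not from anyone on this thread; it parses the `ipnat -l` output quoted above and reports which address the far end would see under each of the two orderings. It makes three assumptions that the page does not state: that a `proxy port ftp ftp/tcp` clause restricts a rule to tcp flows with destination port 21, that a `portmap tcp/udp ...` clause restricts a rule to those protocols, and that a rule with neither clause matches anything. The `SERVICE_PORTS` table is constructed for the example.

```python
"""Model of how an ipnat ruleset could select a translation for an outbound
flow.  Added illustration only: this is NOT ipnat's code and it does not
decide which ordering the real implementation uses.  It shows what each of
the two orderings claimed in the thread would produce for the posted rules.

Modelling assumptions (not stated on the page):
  * "proxy port <svc> <svc>/<proto>" restricts the rule to flows of that
    protocol going to that destination port;
  * "portmap <proto>[/<proto>] ..." restricts the rule to those protocols;
  * a rule with neither clause matches any protocol/port;
  * the public side "x.y.z.N/32" is kept as an opaque string.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVICE_PORTS = {"ftp": 21, "ssh": 22}  # constructed: enough for this example

# Ruleset exactly as shown by `ipnat -l` in the mail.
RULESET = """\
map ex1 192.168.0.0/24 -> x.y.z.1/32 proxy port ftp ftp/tcp
map ex1 192.168.0.0/24 -> x.y.z.1/32 portmap tcp/udp 10000:65000
map ex1 192.168.0.0/24 -> x.y.z.1/32
bimap ex1 192.168.0.180/32 -> x.y.z.180/32 proxy port ftp ftp/tcp
"""


@dataclass
class Rule:
    kind: str                      # "map" or "bimap"
    iface: str
    src: ipaddress.IPv4Network     # inside (source) network
    dst: str                       # e.g. "x.y.z.1/32", left unparsed
    protos: Optional[set]          # None = any protocol
    dport: Optional[int]           # None = any destination port
    text: str                      # original line, for reporting


def parse_rule(line: str) -> Rule:
    """Parse one `ipnat -l` style line (only the subset of syntax used here)."""
    tok = line.split()
    kind, iface, src, arrow, dst = tok[:5]
    if arrow != "->" or kind not in ("map", "bimap"):
        raise ValueError(f"unsupported rule: {line!r}")
    rest = tok[5:]
    protos, dport = None, None
    if rest[:2] == ["proxy", "port"]:
        # "proxy port ftp ftp/tcp": service name, then service/protocol
        svc, proto = rest[3].split("/")
        protos, dport = {proto}, SERVICE_PORTS[svc]
    elif rest[:1] == ["portmap"]:
        protos = set(rest[1].split("/"))
    return Rule(kind, iface, ipaddress.ip_network(src), dst, protos, dport, line)


def parse_ruleset(text: str) -> list:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def matches(rule: Rule, src_ip: str, proto: str, dport: int) -> bool:
    """Does this rule apply to a flow from src_ip to proto/dport?"""
    if ipaddress.ip_address(src_ip) not in rule.src:
        return False
    if rule.protos is not None and proto not in rule.protos:
        return False
    if rule.dport is not None and dport != rule.dport:
        return False
    return True


def select(rules: list, src_ip: str, proto: str, dport: int,
           order: str) -> Optional[Rule]:
    """Rule that would translate the flow under the given ordering.

    order="first-match":   walk the rules in file order (as Quentin states).
    order="most-specific": longer source prefixes first, file order as the
                           tie-breaker (as the phildev.net FAQ states).
    """
    if order == "most-specific":
        # sorted() is stable, so file order is kept among equal prefixes
        rules = sorted(rules, key=lambda r: -r.src.prefixlen)
    elif order != "first-match":
        raise ValueError(order)
    for rule in rules:
        if matches(rule, src_ip, proto, dport):
            return rule
    return None


def public_address(rules, src_ip, proto, dport, order) -> Optional[str]:
    """Address the remote host would see, or None if no rule applies."""
    rule = select(rules, src_ip, proto, dport, order)
    return None if rule is None else rule.dst.split("/")[0]


if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    for svc in ("ssh", "ftp"):
        for order in ("first-match", "most-specific"):
            seen = public_address(rules, "192.168.0.180", "tcp",
                                  SERVICE_PORTS[svc], order)
            print(f"{svc:4} {order:14} -> seen as {seen}")
```

Under these assumptions an ssh flow (tcp/22) from 192.168.0.180 is translated to x.y.z.1 by the second `map` line under both orderings, because the `bimap` carries a `proxy port ftp ftp/tcp` clause and so never matches tcp/22; only an ftp flow shows the two orderings diverging (x.y.z.1 under first-match, x.y.z.180 under most-specific). Note also that the mail gives the ssh source as 192.168.200.180, which falls inside none of the posted source networks; the script returns None for that address, so `ipnat -l` output and the actual inside address are the first things to recheck.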