REPOST: PLEASE HELP..Routing an IP address from a NATted interface..

Sanjay Arora skpobox at hotpop.com
Tue Aug 24 18:32:50 UTC 2004


On Mon, 2004-08-23 at 03:06, John A. Sullivan III wrote:
> On Sun, 2004-08-22 at 02:28, Sanjay Arora wrote:
> > Hi all
> > 
> > My small cable ISP has a Linux box which is supposed to route my ip
> > address. Normally, he is issuing private space ips in address range
> > 172.16.x.x. I have asked for a live IP and he has issued one,
> > 202.x.x.139.
> > 
> > The problem is that he has other IP addresses on the same interface,
> > which are NATted to provide connectivity to 172.16.x.x. So when I get a
> > web request, my server logs 202.x.x.137 as the source IP, which is
> > actually my gateway on the ISP machine.
> > 
> > On the other hand when I send mail, my source ip from the other end
> > looks to be 202.x.x.130, which is again the ISP's IP.
> > 
> > It seems that despite being issued a live IP, my IP is being proxied
> > somehow or the source address is being mangled. The ISP does not seem to
> > have the expertise to route the IP properly ;-) and has told me either
> > to accept it, to tell him how he is supposed to do it, or go back to
> > 172.16.x.x address.
> > 
> > I myself am an ipfilter newbie. Can someone tell me how an IP is routed
> > on an interface which is providing NAT services on a second IP. Pointers
> > to resources for further reading on issues involved and any similar
> > scripts/samples will be greatly appreciated. (My ISP seems to talk about
> > pre-routing a lot....does not really tell exactly how he is pre-routing
> > the packets for my IP).
> > 
> > With best regards.
> > Sanjay.
> It's a little difficult to tell what's going on from the information you
> supply.  Perhaps a little ASCII network diagram would help.  Are your
> internal devices on the same network as the Cable modem internal
> interface? Is 202.x.x.137 the address on the internal or external cable
> modem interface?  I am guessing that your set up is:
> 
>          ________________________
>          | Cable provider network|
>          |_______________________|
>                      |
>                      |
>          ______________________________
>          |     202.x.x.137 + others    |
>          |         Cable Modem         |
>          |     172.16.x.x              |
>          |_____________________________|
>                      |
>                      |
>          ______________________________
>          |      Your internal network  |
>          |      172.16.x.x/24          |
>          |_____________________________|
>             |                  |
>             |                  |
> ________________       ___________________
> |Web server     |      | Mail Server      |
> |172.16.x.a     |      | 172.16.x.b       |
> |NAT to         |      | NAT to           |
> |202.x.x.139    |      | 202.x.x.139      |
> |_______________|      |__________________|
> 
> Is this correct? The Cable modem needs to DNAT traffic to
> 202.x.x.139:http to 172.16.x.a, SNAT traffic from 172.16.x.a:http to
> 202.x.x.139, DNAT traffic to 202.x.x.139:pop3,imap,etc. to 172.16.x.b
> and SNAT traffic from 172.16.x.b:pop3,imap,etc. to 202.x.x.139.  Is this
> correct?
> If so, DNAT is handled in the PREROUTING chain of the nat table and SNAT
> is handled in the POSTROUTING chain of the nat table.  Oskar
> Andreasson's tutorial has some excellent explanations of how this
> works.  You can find it at
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> There are also some slide shows regarding iptables and related
> technologies in the training section on http://iscs.sourceforge.net
> Hope this is what you were looking for - John

My Setup:                        /                  /
         FIREWALL MACHINE       /                  /
|--------------------------------------------------------------------|
| 202.164.39.139         192.168.200.1        192.168.100.1          |
|Firewall GW             Green Subnet         DMZ Subnet             |
|____________________________________________________________________|
       |
       |
       |
|--------------------------------------------------------------------|
| 202.164.39.137                           202.164.39.130            |
| My GW on ISP linux                       202.164.39.129            |
|machine                                   other IPs in the block    |
| 172.16.0.1                               allotted to my ISP        |
| GW to users who use                      from upstream provider    |
|172.16.0.x addresses                      I think they are all on   |
| I think both these GW IPs                same outgoing interface   |
| end up on the same interface             connecting the ISP to     |
| because of being on the                  upstream provider         |
| same switch to GW...but not                       |                |
| sure                                              |                |
|--------------------------------------------------------------------|
                                                    |
                                                    |
                                            Packets originating from the
IP 172.16.0.1 are NATed and flow through 202.164.39.130.

In my case however, SMTP packets originating from my GW 202.164.39.137
(on the ISP machine) look to be originating from 202.164.39.130.

On the other hand, http packets landing on my IP, all have a source
address of 202.164.39.137

Also, the IPs being logged on my firewall machine (ipcop) seem to have
correct source addresses...e.g. the portscans or the Worm Propagation
attempts. The Reverse DNS lookups being made to port 53 of my IP also
seem to have correct IP addresses when they are blocked by my iptables
firewall, as I have not registered a domain or set up a DNS.

Problem is figuring out what is happening, as the ISP is not telling his
configuration. I guess he figures it's better to lose the only customer
requiring a live IP than let go of his security through obscurity ;-)

Thanks for the link, I will check it out.

Best regards.
Sanjay.
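The DNAT-in-PREROUTING / SNAT-in-POSTROUTING split John describes, written out as an iptables script. This is an added example, not a script from the thread or from the ISP's box: the interface name eth0, the public address 203.0.113.139 (standing in for the poster's 202.x.x.139), the internal hosts 172.16.0.10 and 172.16.0.11, and the function names are all assumptions. By default it only prints the rules it would apply; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): NAT rules that publish one public address
# on a Linux gateway. DNAT lives in the nat table's PREROUTING chain, SNAT in its
# POSTROUTING chain. All addresses and interface names are placeholders.
# Dry run by default: IPT="echo iptables" prints each rule instead of applying it.

WAN_IF="${WAN_IF:-eth0}"                  # assumed interface facing the upstream provider
PUBLIC_IP="${PUBLIC_IP:-203.0.113.139}"   # assumed public address (TEST-NET-3 placeholder)
WEB_HOST="${WEB_HOST:-172.16.0.10}"       # assumed internal web server
MAIL_HOST="${MAIL_HOST:-172.16.0.11}"     # assumed internal mail server
LAN_NET="${LAN_NET:-172.16.0.0/16}"       # ordinary users behind the gateway
IPT="${IPT:-echo iptables}"               # set IPT=iptables to apply for real

# DNAT in PREROUTING: a packet arriving on the WAN interface for PUBLIC_IP:port
# gets its destination rewritten to the internal host before the routing
# decision, so the kernel forwards it instead of delivering it locally.
publish_tcp() {
    port="$1"; inside="$2"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$inside"
    # The filter table must still let the translated packet through FORWARD.
    $IPT -A FORWARD -i "$WAN_IF" -d "$inside" -p tcp --dport "$port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# SNAT in POSTROUTING: connections the internal host opens itself (outgoing
# SMTP, for instance) leave with PUBLIC_IP as source. Replies to DNATed
# connections are reverse-translated by connection tracking and need no rule.
snat_host() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$1" -j SNAT --to-source "$PUBLIC_IP"
}

build_nat_rules() {
    publish_tcp 80  "$WEB_HOST"
    publish_tcp 25  "$MAIL_HOST"
    publish_tcp 110 "$MAIL_HOST"
    publish_tcp 143 "$MAIL_HOST"
    # Per-host SNAT rules go before the catch-all: POSTROUTING uses the first
    # matching rule, so a MASQUERADE placed ahead of them would send these
    # hosts' traffic out with the gateway's own address as source, which is
    # exactly the "mail looks like it comes from the ISP's IP" symptom.
    snat_host "$WEB_HOST"
    snat_host "$MAIL_HOST"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

build_nat_rules
```

The rule order in POSTROUTING is the part to check first when a publicly addressed host shows up at the far end with the gateway's address: `iptables -t nat -L POSTROUTING -n -v --line-numbers` lists the chain in evaluation order, and a catch-all SNAT or MASQUERADE rule for the whole private range sitting above the per-host SNAT rule will win for every packet.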