RE: How does arp work with NAT?

Riley Williams (Fabian.Frederick@prov-liege.be)
Wed, 25 Aug 1999 10:20:40 +0200


-> Hi all,
->
-> I have a linux "firewall" with two ip addresses (the actual
-> addresses not shown):
->
-> eth0 133.20.12.67
-> eth0:0 133.20.12.68
->
-> A host on the inside, 192.168.71.33, is NAT'ed to the outside:
->
-> [root@fd_router /]# ip rule
-> 0: from all lookup local
-> 32020: from 192.168.71.33 lookup 3
-> 32025: from 192.168.71.33 lookup main map-to 133.20.12.68
-> 32766: from all lookup main
-> 32767: from all lookup 253
->
-> [root@fd_router /]# ipchains -L
-> <snip>
-> Chain forward (policy DENY):
-> target prot opt source destination
-> ports
-> ACCEPT all ------ anywhere 192.168.71.33
-> n/a
-> ACCEPT all ------ 133.20.12.68 anywhere
-> n/a
-> MASQ all ------ 192.168.71.0/24 anywhere
-> n/a
-> <snip>
->
-> Now, how are arp requests handled? A tcpdump of a request to
-> a DNS server, .85, and the following
-> arp requests for the target host, .20:
->
-> 0:60:97:15:41:48 0:50:4:31:cd:87 0800 79: 133.20.12.68.2605
-> > 133.20.12.85.53: 1+ (37)
-> 0:50:4:31:cd:87 0:60:97:15:41:48 0800 182: 133.20.12.85.53 >
-> 133.20.12.68.2605: 1 1/2/2 (140)
-> 0:60:97:15:41:48 ff:ff:ff:ff:ff:ff 0806 60: arp who-has
-> 133.20.12.20 tell 133.20.12.67
->
-> ^^
-> 0:8:c7:33:ae:43 0:60:97:15:41:48 0806 60: arp reply
-> 133.20.12.20 is-at 0:8:c7:33:ae:43
->
-> It seems that the arp "source address" isn't NAT'ed. Is it
-> supposed to be, or aren't things
-> designed that way?
->

AFAIK, Masquerading won't be _used_ in this case as your .85
is on the same /24 as .20 ... Maybe you should check from
the outside to check ARP frames as well.
NAT should react differently in _that_ case (with MASQ map).

Fabian
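The capture quoted above shows the same interface sending DNS from the mapped address 133.20.12.68 while its ARP request says "tell 133.20.12.67". As an added example, not part of this thread, the following Python script parses tcpdump lines in that format and reports, per source MAC, the IP-layer source addresses that never appear as that MAC's ARP sender address. The sample input is the capture quoted in the post, rejoined onto one line per record; the regular expressions are an assumption about the tcpdump output format used there, not something the poster supplied.

```python
import re

# Constructed sample: the tcpdump lines quoted in the post above, each record
# joined back onto a single line (the mail client had wrapped them).
SAMPLE_CAPTURE = """\
0:60:97:15:41:48 0:50:4:31:cd:87 0800 79: 133.20.12.68.2605 > 133.20.12.85.53: 1+ (37)
0:50:4:31:cd:87 0:60:97:15:41:48 0800 182: 133.20.12.85.53 > 133.20.12.68.2605: 1 1/2/2 (140)
0:60:97:15:41:48 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 133.20.12.20 tell 133.20.12.67
0:8:c7:33:ae:43 0:60:97:15:41:48 0806 60: arp reply 133.20.12.20 is-at 0:8:c7:33:ae:43
"""

# Assumed line layout: "<src mac> <dst mac> <ethertype> <len>: <payload summary>".
IP_RE = re.compile(
    r"^(\S+) (\S+) 0800 \d+: (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:"
)
ARP_REQ_RE = re.compile(r"^(\S+) \S+ 0806 \d+: arp who-has (\S+) tell (\S+)$")
ARP_REPLY_RE = re.compile(r"^(\S+) \S+ 0806 \d+: arp reply (\S+) is-at (\S+)$")


def parse_capture(text):
    """Return one dict per recognised frame; unrecognised lines are skipped."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = IP_RE.match(line)
        if m:
            frames.append({"kind": "ip", "src_mac": m.group(1), "dst_mac": m.group(2),
                           "src_ip": m.group(3), "dst_ip": m.group(4)})
            continue
        m = ARP_REQ_RE.match(line)
        if m:
            # "tell X" is the sender protocol address the requester announces.
            frames.append({"kind": "arp_request", "src_mac": m.group(1),
                           "target_ip": m.group(2), "sender_ip": m.group(3)})
            continue
        m = ARP_REPLY_RE.match(line)
        if m:
            frames.append({"kind": "arp_reply", "src_mac": m.group(1),
                           "sender_ip": m.group(2), "sender_mac": m.group(3)})
    return frames


def arp_vs_ip_sources(frames):
    """Group frames by source MAC and flag MACs whose IP-layer source addresses
    include one they never used as an ARP sender address.

    A hit means an IP-layer rewrite (NAT) is in play for that address and the
    ARP table on neighbouring hosts will only ever learn the interface's own
    address for that MAC, which matters when auditing who-talks-to-whom from
    ARP caches alone.
    """
    by_mac = {}
    for f in frames:
        entry = by_mac.setdefault(f["src_mac"], {"ip_sources": set(), "arp_senders": set()})
        if f["kind"] == "ip":
            entry["ip_sources"].add(f["src_ip"])
        elif f["kind"] == "arp_request":
            entry["arp_senders"].add(f["sender_ip"])
    findings = []
    for mac, e in by_mac.items():
        ip_only = e["ip_sources"] - e["arp_senders"]
        if e["arp_senders"] and ip_only:
            findings.append({"mac": mac,
                             "arp_senders": sorted(e["arp_senders"]),
                             "ip_only_sources": sorted(ip_only)})
    return findings


if __name__ == "__main__":
    for hit in arp_vs_ip_sources(parse_capture(SAMPLE_CAPTURE)):
        print("%s ARPs as %s but also sends IP from %s"
              % (hit["mac"], hit["arp_senders"], hit["ip_only_sources"]))
```

Run against the quoted capture it reports a single MAC, 0:60:97:15:41:48, ARPing as 133.20.12.67 while sending IP traffic from 133.20.12.68, which is exactly the observation in the question: the ARP sender address comes from the interface, and the NAT mapping only touches the IP header. Point the script at a longer capture taken from the outside segment, as Fabian suggests, to see which addresses the neighbours actually learn.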

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/