I am trying to do something a bit unusual :-). I hope someone
can help.
I have a Linux NAS that terminates PPP sessions. When the PPP
session is connected, the PPP users are required to start a
VPN session to a VPN server.
The VPN protocol is PPTP.
                <-----------VPN---------->
       <---PPP---->
User ---------- NAS -----+---- VPN server A
                         |
                         +---- VPN server B
                         |
                         \---- VPN server C
I have multiple VPN servers (A, B and C), and I want to be
able to control where the user's VPN gets terminated.
For example, one day I might want to terminate user Joe's
VPN session on server B; another day, I might want to
terminate it on server C.
I also didn't want this to be reliant on the user changing
the IP address of the destination VPN server. So, regardless
of what IP address the user uses, the VPN always goes to the
right VPN server.
I thought I might do this by using one-to-one NAT on the NAS.
iptables -t nat -A PREROUTING -i ppp0 -j DNAT --to <IP of VPN>
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to <IP of VPN>
...where "IP of VPN" is the address of the VPN that I want to
direct the user's VPN session to.
However, this doesn't seem to work. This is an abbreviated
version of what I see (the user has dialed in and been
allocated 172.16.42.7; the user then attempts to VPN to
1.2.3.4, which I NAT to the desired address (XXX)):
Src          Dst          Proto  Info
172.16.42.7  1.2.3.4      TCP    1659 > pptp [SYN]
1.2.3.4      172.16.42.7  TCP    pptp > 1659 [SYN, ACK]
172.16.42.7  1.2.3.4      PPTP   Start-Control-Connection-Request
So far so good; the PPTP TCP control channel is correctly
NATed. However, I then get:
XXX          172.16.42.7  PPP    LCP Configuration request
172.16.42.7  XXX          PPP    LCP Configuration request
XXX          172.16.42.7  PPP    LCP Configuration request
172.16.42.7  XXX          PPP    LCP Configuration request
etc...
(These are encapsulated in the PPTP session's GRE data channel).
The PPP LCP packets do not appear to get NATed! Instead, the REAL
IP of the VPN server is stamped on the packets. LCP negotiation
times out, presumably because the VPN client simply drops the
packets as it doesn't recognise the source address.
So... why are the GRE packets not getting NATed on the NAS?
josh.
--
------------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
------------------------------------------------------------
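Editor's note, with an added example that is not part of the post above and not code from its author. PPTP carries the PPP session in a separate GRE flow keyed by call IDs negotiated on the TCP/1723 control channel, so plain address-based NAT of the control connection says nothing to conntrack about the GRE packets that follow. Linux netfilter has a PPTP connection-tracking and NAT helper for exactly this (ip_conntrack_pptp / ip_nat_pptp on 2.4 and early 2.6, nf_conntrack_pptp / nf_nat_pptp on current kernels, plus the GRE protocol tracker); with it loaded, a DNAT rule on the control channel is enough and the GRE data channel inherits the mapping from its master connection. The script below assumes such a kernel, the `iptables` and `modprobe` binaries, the per-user steering described in the post (the client may dial any address; the rule matches on the PPP user's source address), and that the VPN servers route the PPP pool back through the NAS so conntrack can undo the translation on replies. The `IPT` and `MODPROBE` variables, the function names and the sample addresses are assumptions for this example only.

```shell
#!/bin/sh
# Per-user PPTP redirection on a Linux NAS (added example; not from the post).
# Assumed: a netfilter kernel with the PPTP conntrack/NAT helpers and GRE
# tracker, iptables, modprobe. Set IPT=echo (and MODPROBE=echo) to preview
# the rules without root; both default to the real binaries.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# Load the PPTP helper so the GRE call is tracked and NATed as a child of
# the TCP/1723 control connection. Without it conntrack only sees an
# unrelated GRE flow and the reverse mapping for replies never applies.
load_pptp_helpers() {
    $MODPROBE nf_conntrack_proto_gre
    $MODPROBE nf_conntrack_pptp
    $MODPROBE nf_nat_pptp
}

# Kernels since 4.7 no longer assign helpers automatically; bind the pptp
# helper explicitly in the raw table for control connections arriving on
# the PPP interface (harmless on older kernels that still auto-assign).
bind_pptp_helper() {
    ppp_if="$1"
    $IPT -t raw -A PREROUTING -i "$ppp_if" -p tcp --dport 1723 \
        -j CT --helper pptp
}

# Steer one PPP user's PPTP session to a chosen server, whatever address
# the client dialed. Only the control channel needs a rule: the helper
# creates the expectation for the GRE call with the same NAT mapping, and
# conntrack rewrites replies back to the address the client used, so no
# SNAT toward the user is needed.
pptp_redirect() {
    user_ip="$1"; real_vpn="$2"; ppp_if="$3"
    $IPT -t nat -A PREROUTING -i "$ppp_if" -s "$user_ip" \
        -p tcp --dport 1723 -j DNAT --to-destination "$real_vpn"
}

# Remove the mapping so the user can be pointed at another server. The
# rule must match the one added above exactly for -D to find it.
pptp_unredirect() {
    user_ip="$1"; real_vpn="$2"; ppp_if="$3"
    $IPT -t nat -D PREROUTING -i "$ppp_if" -s "$user_ip" \
        -p tcp --dport 1723 -j DNAT --to-destination "$real_vpn"
}
```

Usage: source the script, run `load_pptp_helpers` and `bind_pptp_helper ppp0` once at boot, then `pptp_redirect 172.16.42.7 <real IP of server B> ppp0` to move Joe to server B and `pptp_unredirect` with the same arguments before pointing him elsewhere. Changing the rule affects only new control connections; an established session keeps its existing conntrack entry until it ends or is deleted. To confirm the helper is doing its job, watch `/proc/net/nf_conntrack` (or `conntrack -L`) for a `gre` entry marked as expected/related to the `tcp` dport 1723 entry while a client connects; if only the TCP entry appears, the helper is not loaded or not bound and the symptom in the post (un-NATed GRE replies) is what you will see.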