NAT using iproute2

Martin

Aug 21, 2009, 7:53:34 AM
Hi,

I just got started using the iproute2 package instead of the good old
ifconfig/route/arp commands, because I
need the policy based routing functionality. Standard IP and route
configuration works out pretty good so far, but I'm getting problems
enabling stateless NAT. The command

# ip route add nat 192.168.50.2 via 192.168.60.2

and

# ip rule add nat 192.168.50.2 from 192.168.60.2

should do the job both SNAT and DNAT but already the first command
throws the error

RTNETLINK answers: Invalid argument

ip-cref.pdf says this command should work. Do you have any ideas
what's the problem?

Thanks,
Martin

Pascal Hambourg

Aug 21, 2009, 10:51:35 AM
Hello,

Martin wrote:

> I just got started using the iproute2 package instead of the good old
> ifconfig/route/arp commands, because I
> need the policy based routing functionality. Standard IP and route
> configuration works out pretty good so far, but I'm getting problems
> enabling stateless NAT. The command
>
> # ip route add nat 192.168.50.2 via 192.168.60.2
>
> and
>
> # ip rule add nat 192.168.50.2 from 192.168.60.2
>
> should do the job both SNAT and DNAT but already the first command
> throws the error
>
> RTNETLINK answers: Invalid argument

"Routing NAT" (CONFIG_IP_ROUTE_NAT) controlled by ip rule/ip route has
been deprecated for quite a long time now in 2.6 kernels. It was
replaced in kernel 2.6.24 and above by a new stateful NAT controlled by
tc in recent versions of the iproute2 package (at least 2-2.6.24).

Martin Bley

Aug 21, 2009, 1:43:50 PM
Hi Pascal,

Pascal Hambourg <boite-...@plouf.fr.eu.org> wrote:


> "Routing NAT" (CONFIG_IP_ROUTE_NAT) controlled by ip rule/ip route has
> been deprecated for quite a long time now in 2.6 kernels. It was
> replaced in kernel 2.6.24 and above by a new stateful NAT controlled by
> tc in recent versions of the iproute2 package (at least 2-2.6.24).

thanks a lot for this info - I guessed that somehow.

Regards,
Martin

Pascal Hambourg

Aug 25, 2009, 7:38:12 AM

Pascal Hambourg wrote:

>
> "Routing NAT" (CONFIG_IP_ROUTE_NAT) controlled by ip rule/ip route has
> been deprecated for quite a long time now in 2.6 kernels. It was
> replaced in kernel 2.6.24 and above by a new stateful NAT controlled by
> tc in recent versions of the iproute2 package (at least 2-2.6.24).

Oops. I meant stateless, not stateful. Stateful NAT is the one performed
by netfilter.

Pascal Hambourg

Aug 25, 2009, 6:53:27 PM

Dave {Reply Address In.Sig} wrote:

> Pascal Hambourg wrote:
>>
>> "Routing NAT" (CONFIG_IP_ROUTE_NAT) controlled by ip rule/ip route has
>> been deprecated for quite a long time now in 2.6 kernels. It was
>> replaced in kernel 2.6.24 and above by a new stateless NAT controlled
>> by tc in recent versions of the iproute2 package (at least 2-2.6.24).
>
> Is there a good HOWTO or other reading on the new stuff then?

I don't know. Maybe in the iproute2 package documentation or tc manpage.

> I wasn't aware
> the older stuff was deprecated because it's been working fine here.

What kind of kernel are you using? It was removed from the 2.6 kernel
in version 2.6.9, which is quite old (2004). It is still supported (and
broken) in the current 2.4 kernel though.

Pascal Hambourg

Aug 26, 2009, 3:19:34 PM

Dave {Reply Address In.Sig} wrote:
>>
>>> I wasn't aware
>>> the older stuff was deprecated because it's been working fine here.
>>
>> What kind of kernel are you using? It was removed from the 2.6 kernel
>> in version 2.6.9, which is quite old (2004). It is still supported (and
>> broken) in the current 2.4 kernel though.
>
> Maybe I'm misunderstanding and mixing up what I thought was iproute2, but my
> Fedora 10 machine has iproute-2.6.27-2.fc10.i386 in its installed RPM
> database. My router machine, which is where the stuff is being used for
> real, load-sharing between a couple of internet feeds, is running 2.6.20
> kernel.

If your router machine does NAT, it is probably the *stateful* NAT from
netfilter controlled by iptables.
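
The tc-controlled stateless NAT that the replies point to, applied to the 192.168.50.2 / 192.168.60.2 pair from the question, as an added example that is not part of the original thread. It only prints the commands; the interface name `eth0`, the `htb` root qdisc and the helper names `is_ipv4` and `nat_cmds` are assumptions.

```shell
#!/bin/sh
# Added example: emit tc commands for a 1:1 stateless NAT mapping.
# Nothing is executed here; the caller reviews the output first.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# nat_cmds DEV OUTSIDE INSIDE
#   ingress: packets addressed to OUTSIDE get dst rewritten to INSIDE (DNAT)
#   egress:  packets sent from INSIDE get src rewritten to OUTSIDE (SNAT)
nat_cmds() {
    dev=$1 outside=$2 inside=$3
    [ -n "$dev" ] || { echo "usage: nat_cmds DEV OUTSIDE INSIDE" >&2; return 2; }
    for addr in "$outside" "$inside"; do
        is_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 2; }
    done
    # Egress filters need a classful root qdisc; htb is an assumed choice
    # and replaces whatever root qdisc the interface currently has.
    cat <<EOF
tc qdisc add dev $dev ingress
tc filter add dev $dev parent ffff: protocol ip prio 10 u32 match ip dst $outside/32 action nat ingress $outside/32 $inside
tc qdisc add dev $dev root handle 1: htb
tc filter add dev $dev parent 1: protocol ip prio 10 u32 match ip src $inside/32 action nat egress $inside/32 $outside
EOF
}

# Dry run with the addresses from the question (eth0 is assumed).
nat_cmds eth0 192.168.50.2 192.168.60.2
```

Review the printed commands, then pipe them to `sh` as root on a kernel that has the tc `nat` action (2.6.24 or later, per the thread).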
