* DNATing back to the same network
@ 2005-01-13 14:42 danci
  2005-01-13 15:35 ` Charlie Brady
  2005-01-13 15:56 ` Samuel Jean
  0 siblings, 2 replies; 8+ messages in thread
From: danci @ 2005-01-13 14:42 UTC (permalink / raw)
  To: netfilter

Hi!

I have a firewall with a number of DNAT rules for various ports/hosts. It 
would be good if local users could use the same DNATs. However, it seems 
this doesn't work.

My firewall has a public IP. Some ports on this IP are DNATed to different 
hosts on the local network. DNAT works for users that connect from the 
internet.

However, when a local user tries to connect to the public IP and DNATed 
port, the connection fails, which is basically logical, as the server 
receives a packet with the source IP of the actual user and it answers 
directly to that IP.

Is it possible to change netfilter behaviour? Any other work-around for 
that?

Thanks, Danilo



* Re: DNATing back to the same network
  2005-01-13 14:42 danci
@ 2005-01-13 15:35 ` Charlie Brady
  2005-01-13 15:56 ` Samuel Jean
  1 sibling, 0 replies; 8+ messages in thread
From: Charlie Brady @ 2005-01-13 15:35 UTC (permalink / raw)
  To: danci; +Cc: netfilter


On Thu, 13 Jan 2005 danci@agenda.si wrote:

> I have a firewall with a number of DNAT rules for various ports/hosts. It 
> would be good if local users could use the same DNATs. However, it seems 
> this doesn't work.
> 
> My firewall has a public IP. Some ports on this IP are DNATed to different 
> hosts on the local network. DNAT works for users that connect from the 
> internet.
> 
> However, when a local user tries to connect to the public IP and DNATed 
> port, the connection fails, which is basically logical, as the server 
> receives a packet with the source IP of the actual user and it answers 
> directly to that IP.
> 
> Is it possible to change netfilter behaviour? Any other work-around for 
> that?

Set up split horizon DNS so that the internal clients go direct to the 
internal IP, rather than to the public IP.

---
Charlie




* Re: DNATing back to the same network
  2005-01-13 14:42 danci
  2005-01-13 15:35 ` Charlie Brady
@ 2005-01-13 15:56 ` Samuel Jean
  2005-02-17 17:31   ` Mohammad Khan
  1 sibling, 1 reply; 8+ messages in thread
From: Samuel Jean @ 2005-01-13 15:56 UTC (permalink / raw)
  To: danci; +Cc: netfilter

On Thu, January 13, 2005 9:42 am, danci@agenda.si said:
> Hi!

Hi Danilo!

> [...]
> Is it possible to change netfilter behaviour? Any other work-around for
> that?

http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html

>
> Thanks, Danilo

HTH,

Samuel





* DNATing back to the same network
       [not found] <20050113165624.C0BFA5F67@mail.microtechniques.com>
@ 2005-01-13 19:26 ` Don Hughes
  2005-01-13 20:17   ` danci
  0 siblings, 1 reply; 8+ messages in thread
From: Don Hughes @ 2005-01-13 19:26 UTC (permalink / raw)
  To: netfilter

 
> Message: 1
> Date: Thu, 13 Jan 2005 15:42:33 +0100 (CET)
> From: danci@agenda.si
> Subject: DNATing back to the same network
> To: netfilter@lists.netfilter.org
> Message-ID: <Pine.LNX.4.58.0501131538030.16403@desktop.agenda.si>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> 
> Hi!
> 
> I have a firewall with a number of DNAT rules for various ports/hosts.
> It would be good if local users could use the same DNATs. However, it
> seems this doesn't work.
> 
> My firewall has a public IP. Some ports on this IP are DNATed to
> different hosts on the local network. DNAT works for users that
> connect from the internet.
> 
> However, when a local user tries to connect to the public IP and
> DNATed port, the connection fails, which is basically logical, as the
> server receives a packet with the source IP of the actual user and it
> answers directly to that IP.
> 
> Is it possible to change netfilter behaviour? Any other work-around
> for that?
> 

I have a POSTROUTING rule for any internal traffic to SNAT it so 
that it returns back to the router instead of directly to the 
user.




-- 
..don

dhughes@microtechniques.com
White Plains, NY





* Re: DNATing back to the same network
  2005-01-13 19:26 ` DNATing back to the same network Don Hughes
@ 2005-01-13 20:17   ` danci
  2005-01-13 22:49     ` Charlie Brady
  0 siblings, 1 reply; 8+ messages in thread
From: danci @ 2005-01-13 20:17 UTC (permalink / raw)
  To: Don Hughes; +Cc: netfilter

On Thu, 13 Jan 2005, Don Hughes wrote:

> I have a POSTROUTING rule for any internal traffic to SNAT it so 
> that it returns back to the router instead of directly to the 
> user.

That's exactly what I did a few minutes ago! :)

Are there any other implications this SNAT rule could add?

Thanks, Danilo




* Re: DNATing back to the same network
  2005-01-13 20:17   ` danci
@ 2005-01-13 22:49     ` Charlie Brady
  0 siblings, 0 replies; 8+ messages in thread
From: Charlie Brady @ 2005-01-13 22:49 UTC (permalink / raw)
  To: danci; +Cc: Don Hughes, netfilter


On Thu, 13 Jan 2005 danci@agenda.si wrote:

> On Thu, 13 Jan 2005, Don Hughes wrote:
> 
> > I have a POSTROUTING rule for any internal traffic to SNAT it so 
> > that it returns back to the router instead of directly to the 
> > user.
> 
> That's exactly what I did a few minutes ago! :)
> 
> Are there any other implications this SNAT rule could add?

Yes, your router will be blamed for any attacks on the server which 
originate inside the LAN. You likely won't have any logs to refute such 
claims.

---
Charlie



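The hairpin setup Don describes (DNAT plus a POSTROUTING SNAT for LAN-originated traffic), with the logging that Charlie's reply says you would otherwise lack, as an added example that is not code from the thread. Interface names, addresses and ports are constructed placeholders; the script prints the iptables commands rather than running them, so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin / NAT-loopback rules for the
# setup Danilo describes: one public IP on the WAN side, a LAN behind the
# router, and a LAN server published through DNAT. Values are constructed.
WAN_IF=eth0; LAN_IF=eth1
PUBLIC_IP=203.0.113.10        # constructed placeholder
LAN_NET=192.168.1.0/24        # constructed placeholder
ROUTER_LAN_IP=192.168.1.1     # constructed placeholder
SERVER=192.168.1.20           # constructed placeholder

# hairpin_rules PROTO PORT: prints the rules for one published port.
hairpin_rules() {
    proto=$1; port=$2
    # 1. DNAT matched on the destination address, not on "-i $WAN_IF", so it
    #    also catches LAN clients that connect to the public IP.
    echo "iptables -t nat -A PREROUTING -d $PUBLIC_IP -p $proto --dport $port" \
         "-j DNAT --to-destination $SERVER:$port"
    # 2. Record the real LAN source while it is still visible. In FORWARD the
    #    DNAT has already happened but the SNAT has not, so this is where the
    #    router sees (LAN user -> server) before the source is rewritten.
    #    Without it the router has no log to show who really connected.
    echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $SERVER -p $proto --dport $port" \
         "-m conntrack --ctstate NEW -j LOG --log-prefix 'hairpin-new: '"
    # 3. Admit the hairpinned connection if FORWARD defaults to DROP. Assumes
    #    the usual ESTABLISHED,RELATED accept rule already exists for replies.
    echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $SERVER -p $proto --dport $port" \
         "-m conntrack --ctstate NEW -j ACCEPT"
}

# snat_rule: Don's POSTROUTING rule, restricted to DNATed connections that
# stay on the LAN side. Internet clients keep their real source address, so
# the server's own logs stay accurate for them.
snat_rule() {
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $LAN_IF -m conntrack --ctstate DNAT" \
         "-j SNAT --to-source $ROUTER_LAN_IP"
}

hairpin_rules tcp 80
hairpin_rules tcp 443
snat_rule
```

The LOG rule is what preserves the per-user evidence Charlie warns about: once the SNAT is applied, the server only ever sees the router's LAN address for hairpinned connections.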

* Re: DNATing back to the same network
@ 2005-02-09  8:43 Ian! D. Allen
  0 siblings, 0 replies; 8+ messages in thread
From: Ian! D. Allen @ 2005-02-09  8:43 UTC (permalink / raw)
  To: netfilter

>However, when a local user tries to connect to the public IP and DNATed
>port, the connection fails, which is basically logical, as the server
>receives a packet with the source IP of the actual user and it answers
>directly to that IP.  Is it possible to change netfilter behaviour? Any
>other work-around for that?

As Samuel noted, that is described here:

    http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html

and I elaborate on it here:

    http://idallen.com/dnat.txt

-- 
-IAN!  Ian! D. Allen   Ottawa, Ontario, Canada
       EMail: idallen@idallen.ca   WWW: http://www.idallen.com/
       College professor (Linux) via: http://teaching.idallen.com/
       Support free and open public digital rights:  http://eff.org/



* Re: DNATing back to the same network
  2005-01-13 15:56 ` Samuel Jean
@ 2005-02-17 17:31   ` Mohammad Khan
  0 siblings, 0 replies; 8+ messages in thread
From: Mohammad Khan @ 2005-02-17 17:31 UTC (permalink / raw)
  To: Samuel Jean, netfilter

On Thu, 2005-01-13 at 10:56, Samuel Jean wrote:
> On Thu, January 13, 2005 9:42 am, danci@agenda.si said:
> > Hi!
> 
> Hi Danilo!
> 
> > [...]
> > Is it possible to change netfilter behaviour? Any other work-around for
> > that?
> 
> http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html
> 
> >
> > Thanks, Danilo
> 
> HTH,
> 
> Samuel
> 

I had the same issue.
Thanks for posting the documentation link.

Mohammad

-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."



