From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: Double NAT port forward
Date: Fri, 15 Jan 2010 12:44:43 +0100 [thread overview]
Message-ID: <4B50552B.5090608@plouf.fr.eu.org> (raw)
In-Reply-To: <6bc5618e1001141233k5cd1513fnbd5a41902aff12c6@mail.gmail.com>
Hello,
Henno Täht wrote:
>
> Is it possible to make double nat port forward?
Sure it is.
> SOME INTERNET MACHINE
> 1.1.1.1 (real public IP)
>
> V
>
> OUTER_GW
> eth0: 2.2.2.228/27 (real public IP)
> eth1: 192.168.1.1/24
>
> V
>
> INNER_GW
> eth0: 192.168.1.2/24
> eth1: 2.2.2.225/27 (fake public IP)
>
> V
>
> HOST
> eth0: 2.2.2.249/27 (fake public IP)
Consider using addresses in the special range 192.0.2.0/24 reserved for
examples and documentation instead of random addresses that are not
allocated to you. See RFC 3330.
> While OUTER_GW forwards port 222 to INNER_GW just fine, INNER_GW sees
> the SYN packet the OUTER_GW has passed it but doesn't forward it to
> HOST:
>
> root@pm-inner-gw:~# tshark -Nm -i eth0 host ! 192.168.1.1
> Running as user "root" and group "root". This could be dangerous.
> Capturing on eth0
> 0.000000 1.1.1.1 -> 192.168.1.2 TCP 1271 > 222 [SYN] Seq=0
> Win=65535 Len=0 MSS=1460
> 0.439790 192.168.1.2 -> 1.1.1.1 ICMP Destination unreachable (Host
> unreachable)
ICMP host unreachable usually indicates an ARP failure for the next hop
address. What happens on INNER_GW's eth1 and HOST's eth0 (IP or ARP)?
> Is there some sort of "security feature" in the kernel that doesn't
> allow packets to be forwarded from IANA's "private IP" to a "public
> IP"?
Not AFAIK.
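The two-hop DNAT setup the thread discusses, written out as an added example that is not part of either message. It follows Pascal's advice and moves the poster's "fake public" addresses into 192.0.2.0/24 (OUTER_GW eth0 192.0.2.228/27 and eth1 192.168.1.1/24; INNER_GW eth0 192.168.1.2/24 and eth1 192.0.2.225/27; HOST 192.0.2.249/27); those addresses, the interface names and port 222 are assumptions taken from the quoted layout. The script is a dry run by default and only prints the commands; it also includes a small check that classifies the neighbour-table entry for the DNAT target on the inside interface, since an ICMP host unreachable generated by the gateway itself (source 192.168.1.2 in the capture above) points at next-hop resolution rather than at a filtering rule.

```shell
#!/bin/sh
# Added example, not code from the thread. Addresses, interface names and
# the forwarded port are assumptions modelled on the poster's layout.
set -eu

# Dry run by default: print each command instead of executing it.
# Run with DRY_RUN=0 as root on the gateway to apply the rules.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# dnat_rules IN_IF OUT_IF DPORT TARGET
# Rules one gateway needs so that TCP connections to DPORT arriving on IN_IF
# are rewritten to TARGET:DPORT and forwarded out through OUT_IF.
# Replies are un-NATed by conntrack, so no SNAT is added here.
dnat_rules() {
    in_if=$1; out_if=$2; dport=$3; target=$4
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$in_if" -p tcp --dport "$dport" \
        -j DNAT --to-destination "$target:$dport"
    run iptables -A FORWARD -i "$in_if" -o "$out_if" -p tcp -d "$target" \
        --dport "$dport" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# classify_neigh TARGET  (reads "ip neigh show" output on stdin)
# Prints "ok" when TARGET has a resolved entry, "unresolved" when the kernel
# recorded an ARP failure for it, and "missing" when there is no entry at all.
classify_neigh() {
    target=$1
    state=$(awk -v t="$target" '$1 == t { print $NF; exit }')
    case "$state" in
        "")                 echo missing ;;
        FAILED|INCOMPLETE)  echo unresolved ;;
        *)                  echo ok ;;
    esac
}

# Hop 1: OUTER_GW sends port 222 from the real public side to INNER_GW.
outer_gw_plan() { dnat_rules eth0 eth1 222 192.168.1.2; }

# Hop 2: INNER_GW sends port 222 from OUTER_GW on to HOST on the fake
# public segment. INNER_GW must be able to resolve 192.0.2.249 on eth1.
inner_gw_plan() { dnat_rules eth0 eth1 222 192.0.2.249; }

case "${1:-}" in
    outer) outer_gw_plan ;;
    inner) inner_gw_plan ;;
    check) ip neigh show dev eth1 | classify_neigh 192.0.2.249 ;;
esac
```

Run `sh script.sh outer` or `sh script.sh inner` on the respective gateway to see the rule set; `sh script.sh check` on INNER_GW reports whether HOST's address has actually been resolved on eth1, which is the first thing to look at when the gateway itself answers a forwarded SYN with host unreachable.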