* Public IP to Private IP
@ 2014-01-27 19:22 Scott Mayo
From: Scott Mayo @ 2014-01-27 19:22 UTC (permalink / raw)
To: netfilter
I am having some troubles getting my public IPs routed to my private IPs.
Here is an example.
Private IP of the main server with my IPTables: 192.168.0.1
Public IP of the main server: 1.1.1.1
I also have 1.1.1.2 and 1.1.1.3 as public IPs attached to the public nic.
Domain name example.org is pointed to 1.1.1.2
I am trying to get the following public IPs to Private IPs:
1.1.1.2 -> 192.168.0.2
1.1.1.3 -> 192.168.0.3
If I am outside my network and go to example.org, it seems to work fine.
If I am inside my network and go to 192.168.0.2 then it works fine.
If I go to example.org from inside my network then it goes back to
192.168.0.1 instead of 192.168.0.2
Maybe this does not have to do with IPTables even since it works with
an IP, but I thought I would ask here. I do not have an internal DNS
server.
Here are the rules that I have:
IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT --to-destination 192.168.0.2
IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -j SNAT --to-destination 1.1.1.2
Any suggestions would be appreciated.
Thanks.
--
Scott Mayo
Mayo's Pioneer Seeds PH: 573-568-3235 CE: 573-614-2138
* Re: Public IP to Private IP
From: Robby Workman @ 2014-01-27 19:36 UTC (permalink / raw)
To: Scott Mayo; +Cc: netfilter
On Mon, 27 Jan 2014 13:22:17 -0600
Scott Mayo <scotgmayo@gmail.com> wrote:
> I am having some troubles getting my public IPs routed to my private
> IPs.
>
> Here is an example.
> Private IP of the main server with my IPTables: 192.168.0.1
> Public IP of the main server: 1.1.1.1
> I also have 1.1.1.2 and 1.1.1.3 as public IPs attached to the public
> nic. Domain name example.org is pointed to 1.1.1.2
>
> I am trying to get the following public IPs to Private IPs:
> 1.1.1.2 -> 192.168.0.2
> 1.1.1.3 -> 192.168.0.3
>
> If I am outside my network and go to example.org, it seems to work
> fine. If I am inside my network and go to 192.168.0.2 then it works
> fine. If I go to example.org from inside my network then it goes back
> to 192.168.0.1 instead of 192.168.0.2
>
> Maybe this does not have to do with IPTables even since it works with
> an IP, but I thought I would ask here. I do not have an internal DNS
> server.
>
> Here are the rules that I have:
>
> IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
> --to-destination 192.168.0.2
> IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -j SNAT
> --to-destination 1.1.1.2
>
> Any suggestions would be appreciated.
The best solution (IMHO) is to handle it internally with DNS, i.e.
have the names you expect to see on those public ip addresses resolve
to the internal addresses from inside the local network.
-RW
* Re: Public IP to Private IP
From: Mike Wright @ 2014-01-27 20:08 UTC (permalink / raw)
To: netfilter list
01/27/2014 11:22 AM, Scott Mayo wrote:
> I am having some troubles getting my public IPs routed to my private IPs.
>
> Here is an example.
> Private IP of the main server with my IPTables: 192.168.0.1
> Public IP of the main server: 1.1.1.1
> I also have 1.1.1.2 and 1.1.1.3 as public IPs attached to the public nic.
> Domain name example.org is pointed to 1.1.1.2
>
> I am trying to get the following public IPs to Private IPs:
> 1.1.1.2 -> 192.168.0.2
> 1.1.1.3 -> 192.168.0.3
>
> If I am outside my network and go to example.org, it seems to work fine.
> If I am inside my network and go to 192.168.0.2 then it works fine.
> If I go to example.org from inside my network then it goes back to
> 192.168.0.1 instead of 192.168.0.2
>
> Maybe this does not have to do with IPTables even since it works with
> an IP, but I thought I would ask here. I do not have an internal DNS
> server.
>
> Here are the rules that I have:
>
> IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
> --to-destination 192.168.0.2
> IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -j SNAT --to-destination 1.1.1.2
>
Since you're not running internal DNS try this:
/etc/hosts
order hosts,bind
192.168.0.2 example.org
* RE: Public IP to Private IP
From: Bob Reiber @ 2014-01-27 20:46 UTC (permalink / raw)
To: Scott Mayo, netfilter@vger.kernel.org
My guess is that example.org resolves to your public ip address. Add example.org to your hosts file. This will resolve example.org to the local ip address when you are inside the firewall.
Bob Reiber
BK Sales and Service
Tel: (650) 376-1122
-----Original Message-----
From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Scott Mayo
Sent: Monday, January 27, 2014 11:22 AM
To: netfilter@vger.kernel.org
Subject: Public IP to Private IP
I am having some troubles getting my public IPs routed to my private IPs.
Here is an example.
Private IP of the main server with my IPTables: 192.168.0.1
Public IP of the main server: 1.1.1.1
I also have 1.1.1.2 and 1.1.1.3 as public IPs attached to the public nic.
Domain name example.org is pointed to 1.1.1.2
I am trying to get the following public IPs to Private IPs:
1.1.1.2 -> 192.168.0.2
1.1.1.3 -> 192.168.0.3
If I am outside my network and go to example.org, it seems to work fine.
If I am inside my network and go to 192.168.0.2 then it works fine.
If I go to example.org from inside my network then it goes back to
192.168.0.1 instead of 192.168.0.2
Maybe this does not have to do with IPTables even since it works with an IP, but I thought I would ask here. I do not have an internal DNS server.
Here are the rules that I have:
IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT --to-destination 192.168.0.2
IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -j SNAT --to-destination 1.1.1.2
Any suggestions would be appreciated.
Thanks.
--
Scott Mayo
Mayo's Pioneer Seeds PH: 573-568-3235 CE: 573-614-2138
* Re: Public IP to Private IP
From: Ray Soucy @ 2014-01-27 20:48 UTC (permalink / raw)
To: Scott Mayo; +Cc: netfilter list
The term you're looking for is "NAT reflection" or "hairpin NAT".
If you're not running split DNS, then trying to reach a system via its
"outside" IP from an internal system will present a problem because
the source IP of the request is seen as on-link by the server, so the
server responds directly from an unexpected source IP and the
requesting host drops the request.
You can get around this issue by NATing the return traffic when it's to
and from the internal network.
Assuming that your inside interface is eth1, and your inside IP
network is 192.168.0.0/23:
iptables -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 -j MASQUERADE
Split DNS, however, is a better approach, if you can do it (using
views in BIND).
On Mon, Jan 27, 2014 at 2:22 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
> I am having some troubles getting my public IPs routed to my private IPs.
>
> Here is an example.
> Private IP of the main server with my IPTables: 192.168.0.1
> Public IP of the main server: 1.1.1.1
> I also have 1.1.1.2 and 1.1.1.3 as public IPs attached to the public nic.
> Domain name example.org is pointed to 1.1.1.2
>
> I am trying to get the following public IPs to Private IPs:
> 1.1.1.2 -> 192.168.0.2
> 1.1.1.3 -> 192.168.0.3
>
> If I am outside my network and go to example.org, it seems to work fine.
> If I am inside my network and go to 192.168.0.2 then it works fine.
> If I go to example.org from inside my network then it goes back to
> 192.168.0.1 instead of 192.168.0.2
>
> Maybe this does not have to do with IPTables even since it works with
> an IP, but I thought I would ask here. I do not have an internal DNS
> server.
>
> Here are the rules that I have:
>
> IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
> --to-destination 192.168.0.2
> IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -j SNAT --to-destination 1.1.1.2
>
> Any suggestions would be appreciated.
> Thanks.
>
> --
> Scott Mayo
> Mayo's Pioneer Seeds PH: 573-568-3235 CE: 573-614-2138
--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526
F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
* Re: Public IP to Private IP
From: Scott Mayo @ 2014-01-27 21:01 UTC (permalink / raw)
To: Ray Soucy; +Cc: netfilter list
On Mon, Jan 27, 2014 at 2:48 PM, Ray Soucy <rps@maine.edu> wrote:
> The term you're looking for is "NAT reflection" or "hairpin NAT".
>
> If you're not running split DNS, then trying to reach a system via its
> "outside" IP from an internal system will present a problem because
> the source IP of the request is seen as on-link by the server, so the
> server responds directly from an unexpected source IP and the
> requesting host drops the request.
>
> You can get around this issue by NATing the return traffic when its to
> and from the internal network.
>
> Assuming that your inside interface is eth1, and your inside IP
> network is 192.168.0.0/23:
>
> iptables -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 -j
> MASQUERADE
>
That did not seem to work either. Getting the same results. Thanks.
> Split DNS, however, is a better approach, if you can do it (using
> views in BIND).
Yes, if I can get time to setup a Bind server. I just need some more time.
--
Scott Mayo
Mayo's Pioneer Seeds PH: 573-568-3235 CE: 573-614-2138
* Re: Public IP to Private IP
From: Ray Soucy @ 2014-01-27 21:30 UTC (permalink / raw)
To: Scott Mayo; +Cc: netfilter list
That seems very strange,
Is the server hosted on the same system as the NAT box?
Did you flush the conntrack table or wait for timeouts after making the change?
On Mon, Jan 27, 2014 at 4:01 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
> On Mon, Jan 27, 2014 at 2:48 PM, Ray Soucy <rps@maine.edu> wrote:
>> The term you're looking for is "NAT reflection" or "hairpin NAT".
>>
>> If you're not running split DNS, then trying to reach a system via its
>> "outside" IP from an internal system will present a problem because
>> the source IP of the request is seen as on-link by the server, so the
>> server responds directly from an unexpected source IP and the
>> requesting host drops the request.
>>
>> You can get around this issue by NATing the return traffic when its to
>> and from the internal network.
>>
>> Assuming that your inside interface is eth1, and your inside IP
>> network is 192.168.0.0/23:
>>
>> iptables -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 -j
>> MASQUERADE
>>
>
> That did not seem to work either. Getting the same results. Thanks.
>
>
>> Split DNS, however, is a better approach, if you can do it (using
>> views in BIND).
>
>
> Yes, if I can get time to setup a Bind server. I just need some more time.
>
> --
> Scott Mayo
> Mayo's Pioneer Seeds PH: 573-568-3235 CE: 573-614-2138
--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526
F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
* Re: Public IP to Private IP
From: Rob Sterenborg (lists) @ 2014-01-28 7:32 UTC (permalink / raw)
To: Scott Mayo, netfilter
On 01/27/2014 08:22 PM, Scott Mayo wrote:
> I am having some troubles getting my public IPs routed to my private IPs.
>
> Here is an example.
> Private IP of the main server with my IPTables: 192.168.0.1
> Public IP of the main server: 1.1.1.1
> I also have 1.1.1.2 and 1.1.1.3 as public IPs attached to the public nic.
> Domain name example.org is pointed to 1.1.1.2
>
> I am trying to get the following public IPs to Private IPs:
> 1.1.1.2 -> 192.168.0.2
> 1.1.1.3 -> 192.168.0.3
>
> If I am outside my network and go to example.org, it seems to work fine.
> If I am inside my network and go to 192.168.0.2 then it works fine.
> If I go to example.org from inside my network then it goes back to
> 192.168.0.1 instead of 192.168.0.2
>
> Maybe this does not have to do with IPTables even since it works with
> an IP, but I thought I would ask here. I do not have an internal DNS
> server.
>
> Here are the rules that I have:
>
> IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
> --to-destination 192.168.0.2
> IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -j SNAT --to-destination 1.1.1.2
>
> Any suggestions would be appreciated.
> Thanks.
As already explained, NAT-ing packets from your LAN back into your LAN
via the public IP (and receiving the answer packets) is a pain.
If you don't have split-DNS and don't want to install DNS, you might
want to look into a reverse proxy (I have good experiences with Nginx).
--
Rob
* Re: Public IP to Private IP
From: Pascal Hambourg @ 2014-02-02 15:45 UTC (permalink / raw)
To: Scott Mayo; +Cc: Ray Soucy, netfilter list
Hello,
Scott Mayo wrote:
> On Mon, Jan 27, 2014 at 2:48 PM, Ray Soucy <rps@maine.edu> wrote:
>> The term you're looking for is "NAT reflection" or "hairpin NAT".
>>
>> If you're not running split DNS, then trying to reach a system via its
>> "outside" IP from an internal system will present a problem because
>> the source IP of the request is seen as on-link by the server, so the
>> server responds directly from an unexpected source IP and the
>> requesting host drops the request.
>>
>> You can get around this issue by NATing the return traffic when its to
>> and from the internal network.
>>
>> Assuming that your inside interface is eth1, and your inside IP
>> network is 192.168.0.0/23:
>>
>> iptables -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 -j
>> MASQUERADE
Instead of masquerading I would suggest to 1:1 map the source addresses
to a different (unused) private subnet, so that the source address seen
by the final server can be mapped back to the real source address.
E.g.:
iptables -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 -j NETMAP --to 192.168.8.0/23
> That did not seem to work either. Getting the same results. Thanks.
Also make sure that "reflected" packets from eth1 to eth1 (replace with
the real internal interface name) in the FORWARD chain are ACCEPTed.
* Re: Public IP to Private IP
From: Mauricio Tavares @ 2014-02-02 16:09 UTC (permalink / raw)
To: netfilter list
On Sun, Feb 2, 2014 at 10:45 AM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> Hello,
>
> Scott Mayo wrote:
>> On Mon, Jan 27, 2014 at 2:48 PM, Ray Soucy <rps@maine.edu> wrote:
>>> The term you're looking for is "NAT reflection" or "hairpin NAT".
>>>
>>> If you're not running split DNS, then trying to reach a system via its
>>> "outside" IP from an internal system will present a problem because
>>> the source IP of the request is seen as on-link by the server, so the
>>> server responds directly from an unexpected source IP and the
>>> requesting host drops the request.
>>>
>>> You can get around this issue by NATing the return traffic when its to
>>> and from the internal network.
>>>
>>> Assuming that your inside interface is eth1, and your inside IP
>>> network is 192.168.0.0/23:
>>>
>>> iptables -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 -j
>>> MASQUERADE
>
> Instead of masquerading I would suggest to 1:1 map the source addresses
> to a different (unused) private subnet, so that the source address seen
> by the final server can be mapped back to the real source address.
>
> E.g. :
> iptables -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 \
> -j NETMAP --to 192.168.8.0/23
>
Assuming 0.1 is the gateway, how about adding to its firewall
rules something like
iptables -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/24 -j SNAT --to-source 192.168.0.1
(Adjust as needed)
>> That did not seem to work either. Getting the same results. Thanks.
>
> Also make sure that "reflected" packets from eth1 to eth1 (replace with
> the real internal interface name) in the FORWARD chain are ACCEPTed.
* Re: Public IP to Private IP
From: Pascal Hambourg @ 2014-02-02 16:36 UTC (permalink / raw)
To: Mauricio Tavares; +Cc: netfilter list
Mauricio Tavares wrote:
> On Sun, Feb 2, 2014 at 10:45 AM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>>>>
>>>> Assuming that your inside interface is eth1, and your inside IP
>>>> network is 192.168.0.0/23:
>>>>
>>>> iptables -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 -j
>>>> MASQUERADE
>> Instead of masquerading I would suggest to 1:1 map the source addresses
>> to a different (unused) private subnet, so that the source address seen
>> by the final server can be mapped back to the real source address.
>>
>> E.g. :
>> iptables -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 \
>> -j NETMAP --to 192.168.8.0/23
>
> Assuming 0.1 is the gateway, how about adding to its firewall
> rules something like
>
> iptables -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/24 -j
> SNAT --to-source 192.168.0.1
The result (N:1 mapping) would be the same as the above MASQUERADE rule
and hide the real source address from the final server.
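Ray's explanation of why the reply gets dropped without hairpin SNAT, and the MASQUERADE (N:1) versus NETMAP (1:1) difference Pascal describes just above, modelled as an added Python simulation. This is constructed for this thread, not code posted by any participant; it uses the thread's addresses and assumes the web server's default route is the NAT box.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread; the /23 and the NETMAP subnet are Ray's and
# Pascal's assumptions respectively.
GATEWAY_INSIDE = ip_address("192.168.0.1")     # NAT box address on eth1
INSIDE_NET = ip_network("192.168.0.0/23")     # inside network (-s/-d match)
NETMAP_NET = ip_network("192.168.8.0/23")     # unused subnet for NETMAP --to
DNAT = {ip_address("1.1.1.2"): ip_address("192.168.0.2")}  # PREROUTING rule


def hairpin_snat(src, dst, mode):
    """POSTROUTING source NAT on the hairpin path only, i.e. the
    '-s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1' match from the thread."""
    if not (src in INSIDE_NET and dst in INSIDE_NET):
        return src
    if mode == "masquerade":          # N:1: every client becomes the gateway
        return GATEWAY_INSIDE
    if mode == "netmap":              # 1:1: host bits kept, prefix swapped
        offset = int(src) - int(INSIDE_NET.network_address)
        return ip_address(int(NETMAP_NET.network_address) + offset)
    return src                        # "none": Scott's original rule set


def netmap_reverse(addr: str) -> str:
    """Recover the real client from a NETMAP'd source (impossible after
    MASQUERADE/SNAT, which is why NETMAP is friendlier to server logs)."""
    offset = int(ip_address(addr)) - int(NETMAP_NET.network_address)
    return str(ip_address(int(INSIDE_NET.network_address) + offset))


def hairpin_request(client: str, public_dst: str, mode: str):
    """Model one inside client -> public IP request and the server's reply.
    Returns (reply source as the client sees it, reply accepted?,
    request source as the web server sees it)."""
    client, public_dst = ip_address(client), ip_address(public_dst)

    # Gateway, request direction: PREROUTING DNAT, then POSTROUTING SNAT.
    # conntrack keeps the translated tuple so the reply can be reversed.
    dst = DNAT.get(public_dst, public_dst)
    nat_src = hairpin_snat(client, dst, mode)
    conntrack = {(dst, nat_src): (public_dst, client)}

    # The web server answers whatever source address it saw.
    reply_src, reply_dst = dst, nat_src

    # Server-side routing: an on-link destination is delivered directly,
    # so the reply never passes the NAT box and is never un-NATed.
    # (Assumes the server's default route is the NAT box.)
    if reply_dst in INSIDE_NET and reply_dst != GATEWAY_INSIDE:
        seen_from = reply_src                  # client gets it from 192.168.0.2
    else:
        # Reply is for the gateway itself or a routed subnet: it passes the
        # NAT box, which reverses both the SNAT and the DNAT via conntrack.
        seen_from, reply_dst = conntrack[(reply_src, reply_dst)]

    # The client only matches a reply from the address it connected to.
    accepted = seen_from == public_dst and reply_dst == client
    return str(seen_from), accepted, str(nat_src)


if __name__ == "__main__":
    for mode in ("none", "masquerade", "netmap"):
        seen, ok, server_sees = hairpin_request("192.168.0.50", "1.1.1.2", mode)
        print(f"{mode:10} server logs src={server_sees:13} "
              f"client sees reply from {seen:11} accepted={ok}")
```

Running it shows the "none" case failing exactly as Ray describes (reply arrives from 192.168.0.2 instead of 1.1.1.2), while both NAT modes succeed and only NETMAP leaves a source the server log can map back to the real client.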
* Re: Public IP to Private IP
From: Scott Mayo @ 2014-02-24 18:22 UTC (permalink / raw)
To: netfilter
On Mon, Jan 27, 2014 at 1:22 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
> I am having some troubles getting my public IPs routed to my private IPs.
>
> Here is an example.
> Private IP of the main server with my IPTables: 192.168.0.1
> Public IP of the main server: 1.1.1.1
> I also have 1.1.1.2 and 1.1.1.3 as public IPs attached to the public nic.
> Domain name example.org is pointed to 1.1.1.2
>
> I am trying to get the following public IPs to Private IPs:
> 1.1.1.2 -> 192.168.0.2
> 1.1.1.3 -> 192.168.0.3
>
> If I am outside my network and go to example.org, it seems to work fine.
> If I am inside my network and go to 192.168.0.2 then it works fine.
> If I go to example.org from inside my network then it goes back to
> 192.168.0.1 instead of 192.168.0.2
>
> Maybe this does not have to do with IPTables even since it works with
> an IP, but I thought I would ask here. I do not have an internal DNS
> server.
>
> Here are the rules that I have:
>
> IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
> --to-destination 192.168.0.2
> IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -j SNAT --to-destination 1.1.1.2
>
> Any suggestions would be appreciated.
> Thanks.
I ended up finishing my setup on my new filter server. I had not
messed with this problem and wanted to wait until I got it into place.
I am back to it now. I appreciate the suggestions so far. I am
getting ready to setup an internal DNS server, but until I do, I would
like to get the IPTABLES working.
Here are the IPTABLE rules that I have in place:
$IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT --to-destination 192.168.0.2
$IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/16 -j SNAT --to-source 1.1.1.2
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
Here is a quick breakdown:
ifcfg-eth0 = 1.1.1.1 #public IP of the main Squid/IPTABLES box
ifcfg-eth0:0 = 1.1.1.2 #Virtual IP which I want to forward on to the other webserver box: example.org
example.org resolves to 1.1.1.2 fine
ifcfg-eth1 = 192.168.1.1 #private IP of the main Squid/IPTABLES box
192.168.1.2 #Is the private IP that I want to forward on to the other webserver box: example.org
My IPTABLES are on my Squid box. I have just played some more and
found that if I take the proxy settings out of my browser and type in
example.org in the URL, it works fine.
If I leave the proxy settings in and type in example.org then it comes
back to the main Squid box address of 192.168.1.1.
Any idea why that would matter? I do drop port 80 and port 3128 so
that the proxy cannot be gone around. For testing purposes though, I
took those two drops out and it is still doing it.
I'll get a copy of my IPTABLE rules and post also. Just thought I
would post this first and see if someone had an idea of what I might
be looking for.
--
Scott Mayo
Mayo's Pioneer Seeds
* Re: Public IP to Private IP
From: Scott Mayo @ 2014-02-24 19:13 UTC (permalink / raw)
To: netfilter
On Mon, Feb 24, 2014 at 12:22 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
> On Mon, Jan 27, 2014 at 1:22 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
>> I am having some troubles getting my public IPs routed to my private IPs.
>>
>> Here is an example.
>> Private IP of the main server with my IPTables: 192.168.0.1
>> Public IP of the main server: 1.1.1.1
>> I also have 1.1.1.2 and 1.1.1.3 as public IPs attached to the public nic.
>> Domain name example.org is pointed to 1.1.1.2
>>
>> I am trying to get the following public IPs to Private IPs:
>> 1.1.1.2 -> 192.168.0.2
>> 1.1.1.3 -> 192.168.0.3
>>
>> If I am outside my network and go to example.org, it seems to work fine.
>> If I am inside my network and go to 192.168.0.2 then it works fine.
>> If I go to example.org from inside my network then it goes back to
>> 192.168.0.1 instead of 192.168.0.2
>>
>> Maybe this does not have to do with IPTables even since it works with
>> an IP, but I thought I would ask here. I do not have an internal DNS
>> server.
>>
>> Here are the rules that I have:
>>
>> IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
>> --to-destination 192.168.0.2
>> IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -j SNAT --to-destination 1.1.1.2
>>
>> Any suggestions would be appreciated.
>> Thanks.
>
>
> I ended up finishing my setup on my new filter server. I had not
> messed with this problem and wanted to wait until I got it into place.
> I am back to it now. I appreciate the suggestions so far. I am
> getting ready to setup an internal DNS server, but until I do, I would
> like to get the IPTABLES working.
>
> Here are the IPTABLE rules that I have in place:
>
> $IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
> --to-destination 192.168.0.2
> $IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/16 -j
> SNAT --to-source 1.1.1.2
> $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
>
> Here is quick breakdown
> ifcfg-eth0 = 1.1.1.1 #public IP of the main Squid/IPTABLES box
> ifcfg-eth0:0 = 1.1.1.2 #Virtual IP which I want to forward on to the
> other webserver box: example.org
> example.org resolves to 1.1.1.2 fine
> ifcfg-eth1 = 192.168.1.1 #private IP of the main Squid/IPTABLES box
> 192.168.1.2 #Is the private IP that I want forward on to the other
> webserver box: example.org
>
> My IPTABLES are on my Squid box. I have just played some more and
> found that if I take the proxy settings out of my browser and type in
> example.org in the URL, it works fine.
>
> If I leave the proxy settings in and type in example.org then it comes
> back to the main Squid box address of 192.168.1.1.
>
> Any idea why that would matter? I do drop port 80 and port 3128 so
> that the proxy cannot be gone around. For testing purposes though, I
> took those two drops out and it is still doing it.
>
> I'll get a copy of my IPTABLE rules and post also. Just thought I
> would post this first and see if someone had an idea of what I might
> be looking for.
It just dawned on me that this may be pulling from the Squid cache so
I'll wait until after school and clear that. Maybe my IP rules are
correct now since it is working without going through the proxy.
Thanks.
--
Scott Mayo
Mayo's Pioneer Seeds
* Re: Public IP to Private IP
From: Scott Mayo @ 2014-02-24 21:56 UTC (permalink / raw)
To: netfilter
On Mon, Feb 24, 2014 at 1:13 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
> On Mon, Feb 24, 2014 at 12:22 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
>> On Mon, Jan 27, 2014 at 1:22 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
>>> I am having some troubles getting my public IPs routed to my private IPs.
>>>
>>> Here is an example.
>>> Private IP of the main server with my IPTables: 192.168.0.1
>>> Public IP of the main server: 1.1.1.1
>>> I also have 1.1.1.2 and 1.1.1.3 as public IPs attached to the public nic.
>>> Domain name example.org is pointed to 1.1.1.2
>>>
>>> I am trying to get the following public IPs to Private IPs:
>>> 1.1.1.2 -> 192.168.0.2
>>> 1.1.1.3 -> 192.168.0.3
>>>
>>> If I am outside my network and go to example.org, it seems to work fine.
>>> If I am inside my network and go to 192.168.0.2 then it works fine.
>>> If I go to example.org from inside my network then it goes back to
>>> 192.168.0.1 instead of 192.168.0.2
>>>
>>> Maybe this does not have to do with IPTables even since it works with
>>> an IP, but I thought I would ask here. I do not have an internal DNS
>>> server.
>>>
>>> Here are the rules that I have:
>>>
>>> IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
>>> --to-destination 192.168.0.2
>>> IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -j SNAT --to-destination 1.1.1.2
>>>
>>> Any suggestions would be appreciated.
>>> Thanks.
>>
>>
>> I ended up finishing my setup on my new filter server. I had not
>> messed with this problem and wanted to wait until I got it into place.
>> I am back to it now. I appreciate the suggestions so far. I am
>> getting ready to setup an internal DNS server, but until I do, I would
>> like to get the IPTABLES working.
>>
>> Here are the IPTABLE rules that I have in place:
>>
>> $IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
>> --to-destination 192.168.0.2
>> $IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/16 -j
>> SNAT --to-source 1.1.1.2
>> $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
>>
>> Here is quick breakdown
>> ifcfg-eth0 = 1.1.1.1 #public IP of the main Squid/IPTABLES box
>> ifcfg-eth0:0 = 1.1.1.2 #Virtual IP which I want to forward on to the
>> other webserver box: example.org
>> example.org resolves to 1.1.1.2 fine
>> ifcfg-eth1 = 192.168.1.1 #private IP of the main Squid/IPTABLES box
>> 192.168.1.2 #Is the private IP that I want forward on to the other
>> webserver box: example.org
>>
>> My IPTABLES are on my Squid box. I have just played some more and
>> found that if I take the proxy settings out of my browser and type in
>> example.org in the URL, it works fine.
>>
>> If I leave the proxy settings in and type in example.org then it comes
>> back to the main Squid box address of 192.168.1.1.
>>
>> Any idea why that would matter? I do drop port 80 and port 3128 so
>> that the proxy cannot be gone around. For testing purposes though, I
>> took those two drops out and it is still doing it.
>>
>> I'll get a copy of my IPTABLE rules and post also. Just thought I
>> would post this first and see if someone had an idea of what I might
>> be looking for.
>
>
> It just dawned on me that this may be pulling from the Squid cache so
> I'll wait until after school and clear that. Maybe my IP rules are
> correct now since it is working without going through the proxy.
I just wiped my Squid cache and that was not it. I have even put in a
very, very simple set of rules that I will post below. example.org is
pointed to the 1.1.1.2 IP address.
If I go to example.org (private = 192.168.0.2/public = 1.1.1.2)
without the proxy settings in the browser to point to my Squid box
(192.168.0.1) then it resolves fine.
If I go to example.org with the proxy settings in my browser to point
to my Squid box then it takes me to the webserver on 192.168.0.1
(which is my squid box and has the IPTABLES on it).
I guess I am not understanding why it would make any difference if I
am directed through the proxy or not since everything goes through
this box one way or another. Here is the simple IPTABLES that I used
to test with.
Thanks for any info.
#!/bin/sh
EXT_IP="1.1.1.0/24"
EXT_IFACE="eth0"
EXT_BROADCAST="1.1.1.255"
INT_IP="192.168.0.1"
INT_IP_RANGE="192.168.0.0/16"
INT_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#Non required modules
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
echo "1" > /proc/sys/net/ipv4/ip_forward
#Create default policies and FLUSH the chains
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#Allow the local network
#DNAT the public alias 1.1.1.2 to the web server (PREROUTING only sees packets arriving on an interface)
$IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT --to-destination 192.168.0.2
#Hairpin for LAN clients: rewrite their source so the web server's replies come back through this box
$IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/16 -j SNAT --to-source 1.1.1.2
#Outbound NAT for everything leaving the public interface
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
--
Scott Mayo
Mayo's Pioneer Seeds
* Re: Public IP to Private IP
2014-02-24 21:56 ` Scott Mayo
@ 2014-02-25 18:06 ` Scott Mayo
2014-02-25 18:12 ` Scott Mayo
0 siblings, 1 reply; 16+ messages in thread
From: Scott Mayo @ 2014-02-25 18:06 UTC (permalink / raw)
To: netfilter
On Mon, Feb 24, 2014 at 3:56 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
> On Mon, Feb 24, 2014 at 1:13 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
>> On Mon, Feb 24, 2014 at 12:22 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
>>> On Mon, Jan 27, 2014 at 1:22 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
>>>> I am having some troubles getting my public IPs routed to my private IPs.
>>>>
>>>> Here is an example.
>>>> Private IP of the main server with my IPTables: 192.168.0.1
>>>> Public IP of the main server: 1.1.1.1
>>>> I also have 1.1.1.2 and 1.1.1.3 as public IPs attached to the public nic.
>>>> Domain name example.org is pointed to 1.1.1.2
>>>>
>>>> I am trying to get the following public IPs to Private IPs:
>>>> 1.1.1.2 -> 192.168.0.2
>>>> 1.1.1.3 -> 192.168.0.3
>>>>
>>>> If I am outside my network and go to example.org, it seems to work fine.
>>>> If I am inside my network and go to 192.168.0.2 then it works fine.
>>>> If I go to example.org from inside my network then it goes back to
>>>> 192.168.0.1 instead of 192.168.0.2
>>>>
>>>> Maybe this does not have to do with IPTables even since it works with
>>>> an IP, but I thought I would ask here. I do not have an internal DNS
>>>> server.
>>>>
>>>> Here are the rules that I have:
>>>>
>>>> IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
>>>> --to-destination 192.168.0.2
>>>> IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -j SNAT --to-destination 1.1.1.2
>>>>
>>>> Any suggestions would be appreciated.
>>>> Thanks.
>>>
>>>
>>> I ended up finishing my setup on my new filter server. I had not
>>> messed with this problem and wanted to wait until I got it into place.
>>> I am back to it now. I appreciate the suggestions so far. I am
>>> getting ready to setup an internal DNS server, but until I do, I would
>>> like to get the IPTABLES working.
>>>
>>> Here are the IPTABLE rules that I have in place:
>>>
>>> $IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
>>> --to-destination 192.168.0.2
>>> $IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/16 -j
>>> SNAT --to-source 1.1.1.2
>>> $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
>>>
>>> Here is quick breakdown
>>> ifcfg-eth0 = 1.1.1.1 #public IP of the main Squid/IPTABLES box
>>> ifcfg-eth0:0 = 1.1.1.2 #Virtual IP which I want to forward on to the
>>> other webserver box: example.org
>>> example.org resolves to 1.1.1.2 fine
>>> ifcfg-eth1 = 192.168.1.1 #private IP of the main Squid/IPTABLES box
>>> 192.168.1.2 #Is the private IP that I want forward on to the other
>>> webserver box: example.org
>>>
>>> My IPTABLES are on my Squid box. I have just played some more and
>>> found that if I take the proxy settings out of my browser and type in
>>> example.org in the URL, it works fine.
>>>
>>> If I leave the proxy settings in and type in example.org then it comes
>>> back to the main Squid box address of 192.168.1.1.
>>>
>>> Any idea why that would matter? I do drop port 80 and port 3128 so
>>> that the proxy cannot be gone around. For testing purposes though, I
>>> took those two drops out and it is still doing it.
>>>
>>> I'll get a copy of my IPTABLE rules and post also. Just thought I
>>> would post this first and see if someone had an idea of what I might
>>> be looking for.
>>
>>
>> It just dawned on me that this may be pulling from the Squid cache so
>> I'll wait until after school and clear that. Maybe my IP rules are
>> correct now since it is working without going through the proxy.
>
>
> I just wiped my Squid cache and that was not it. I have even put in a
> very, very simple set of rules that I will post below. example.org is
> pointed to the 1.1.1.2 IP address.
>
> If I go to example.org (private = 192.168.0.2/public = 1.1.1.2)
> without the proxy settings in the browser to point to my Squid box
> (192.168.0.1) then it resolves fine.
>
> If I go to example.org with the proxy settings in my browser to point
> to my Squid box then it takes me to the webserver on 192.168.0.1
> (which is my squid box and has the IPTABLES on it).
>
> I guess I am not understanding why it would make any difference if I
> am directed through the proxy or not since everything goes through
> this box one way or another. Here is the simple IPTABLES that I used
> to test with.
>
> Thanks for any info.
>
> #!/bin/sh
> EXT_IP="1.1.1.0/24"
> EXT_IFACE="eth0"
> EXT_BROADCAST="1.1.1.255"
>
> INT_IP="192.168.0.1"
> INT_IP_RANGE="192.168.0.0/16"
> INT_IFACE="eth1"
>
> LO_IFACE="lo"
> LO_IP="127.0.0.1"
>
> IPTABLES="/sbin/iptables"
>
> /sbin/depmod -a
>
> /sbin/modprobe ip_tables
> /sbin/modprobe ip_conntrack
> /sbin/modprobe iptable_filter
> /sbin/modprobe iptable_mangle
> /sbin/modprobe iptable_nat
> /sbin/modprobe ipt_LOG
> /sbin/modprobe ipt_limit
> /sbin/modprobe ipt_state
>
> #Non required modules
> /sbin/modprobe ipt_owner
> /sbin/modprobe ipt_REJECT
> #/sbin/modprobe ipt_MASQUERADE
> #/sbin/modprobe ip_conntrack_ftp
> #/sbin/modprobe ip_conntrack_irc
> #/sbin/modprobe ip_nat_ftp
> #/sbin/modprobe ip_nat_irc
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> #Create default policies and FLUSH the chains
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -F FORWARD
>
> $IPTABLES -F
> $IPTABLES -t nat -F
> $IPTABLES -t mangle -F
>
> #Allow the local network
>
> $IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
> --to-destination 192.168.0.2
> $IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/16 -j
> SNAT --to-source 1.1.1.2
> $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
>
I am not sure if this thinking is correct or not, but here is what I
did. I got to looking at:
$IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/16 -j SNAT --to-source 1.1.1.2
Since the browsers are pointed to the proxy at 192.168.0.1, I thought
that maybe once it comes from the squid box that maybe it is using the
public IP from eth0 instead of the private from eth1? I don't know
how all that works technically so I just removed the -s 192.168.0.0/16
in case it was trying to come from the public side which is
1.1.1.0/24.
As I said, not really sure if that is correct thinking or not, but now
it works fine.
--
Scott Mayo
Mayo's Pioneer Seeds
* Re: Public IP to Private IP
2014-02-25 18:06 ` Scott Mayo
@ 2014-02-25 18:12 ` Scott Mayo
0 siblings, 0 replies; 16+ messages in thread
From: Scott Mayo @ 2014-02-25 18:12 UTC (permalink / raw)
To: netfilter
On Tue, Feb 25, 2014 at 12:06 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
> On Mon, Feb 24, 2014 at 3:56 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
>> On Mon, Feb 24, 2014 at 1:13 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
>>> On Mon, Feb 24, 2014 at 12:22 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
>>>> On Mon, Jan 27, 2014 at 1:22 PM, Scott Mayo <scotgmayo@gmail.com> wrote:
>>>>> I am having some troubles getting my public IPs routed to my private IPs.
>>>>>
>>>>> Here is an example.
>>>>> Private IP of the main server with my IPTables: 192.168.0.1
>>>>> Public IP of the main server: 1.1.1.1
>>>>> I also have 1.1.1.2 and 1.1.1.3 as public IPs attached to the public nic.
>>>>> Domain name example.org is pointed to 1.1.1.2
>>>>>
>>>>> I am trying to get the following public IPs to Private IPs:
>>>>> 1.1.1.2 -> 192.168.0.2
>>>>> 1.1.1.3 -> 192.168.0.3
>>>>>
>>>>> If I am outside my network and go to example.org, it seems to work fine.
>>>>> If I am inside my network and go to 192.168.0.2 then it works fine.
>>>>> If I go to example.org from inside my network then it goes back to
>>>>> 192.168.0.1 instead of 192.168.0.2
>>>>>
>>>>> Maybe this does not have to do with IPTables even since it works with
>>>>> an IP, but I thought I would ask here. I do not have an internal DNS
>>>>> server.
>>>>>
>>>>> Here are the rules that I have:
>>>>>
>>>>> IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
>>>>> --to-destination 192.168.0.2
>>>>> IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -j SNAT --to-destination 1.1.1.2
>>>>>
>>>>> Any suggestions would be appreciated.
>>>>> Thanks.
>>>>
>>>>
>>>> I ended up finishing my setup on my new filter server. I had not
>>>> messed with this problem and wanted to wait until I got it into place.
>>>> I am back to it now. I appreciate the suggestions so far. I am
>>>> getting ready to setup an internal DNS server, but until I do, I would
>>>> like to get the IPTABLES working.
>>>>
>>>> Here are the IPTABLE rules that I have in place:
>>>>
>>>> $IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
>>>> --to-destination 192.168.0.2
>>>> $IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/16 -j
>>>> SNAT --to-source 1.1.1.2
>>>> $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
>>>>
>>>> Here is quick breakdown
>>>> ifcfg-eth0 = 1.1.1.1 #public IP of the main Squid/IPTABLES box
>>>> ifcfg-eth0:0 = 1.1.1.2 #Virtual IP which I want to forward on to the
>>>> other webserver box: example.org
>>>> example.org resolves to 1.1.1.2 fine
>>>> ifcfg-eth1 = 192.168.1.1 #private IP of the main Squid/IPTABLES box
>>>> 192.168.1.2 #Is the private IP that I want forward on to the other
>>>> webserver box: example.org
>>>>
>>>> My IPTABLES are on my Squid box. I have just played some more and
>>>> found that if I take the proxy settings out of my browser and type in
>>>> example.org in the URL, it works fine.
>>>>
>>>> If I leave the proxy settings in and type in example.org then it comes
>>>> back to the main Squid box address of 192.168.1.1.
>>>>
>>>> Any idea why that would matter? I do drop port 80 and port 3128 so
>>>> that the proxy cannot be gone around. For testing purposes though, I
>>>> took those two drops out and it is still doing it.
>>>>
>>>> I'll get a copy of my IPTABLE rules and post also. Just thought I
>>>> would post this first and see if someone had an idea of what I might
>>>> be looking for.
>>>
>>>
>>> It just dawned on me that this may be pulling from the Squid cache so
>>> I'll wait until after school and clear that. Maybe my IP rules are
>>> correct now since it is working without going through the proxy.
>>
>>
>> I just wiped my Squid cache and that was not it. I have even put in a
>> very, very simple set of rules that I will post below. example.org is
>> pointed to the 1.1.1.2 IP address.
>>
>> If I go to example.org (private = 192.168.0.2/public = 1.1.1.2)
>> without the proxy settings in the browser to point to my Squid box
>> (192.168.0.1) then it resolves fine.
>>
>> If I go to example.org with the proxy settings in my browser to point
>> to my Squid box then it takes me to the webserver on 192.168.0.1
>> (which is my squid box and has the IPTABLES on it).
>>
>> I guess I am not understanding why it would make any difference if I
>> am directed through the proxy or not since everything goes through
>> this box one way or another. Here is the simple IPTABLES that I used
>> to test with.
>>
>> Thanks for any info.
>>
>> #!/bin/sh
>> EXT_IP="1.1.1.0/24"
>> EXT_IFACE="eth0"
>> EXT_BROADCAST="1.1.1.255"
>>
>> INT_IP="192.168.0.1"
>> INT_IP_RANGE="192.168.0.0/16"
>> INT_IFACE="eth1"
>>
>> LO_IFACE="lo"
>> LO_IP="127.0.0.1"
>>
>> IPTABLES="/sbin/iptables"
>>
>> /sbin/depmod -a
>>
>> /sbin/modprobe ip_tables
>> /sbin/modprobe ip_conntrack
>> /sbin/modprobe iptable_filter
>> /sbin/modprobe iptable_mangle
>> /sbin/modprobe iptable_nat
>> /sbin/modprobe ipt_LOG
>> /sbin/modprobe ipt_limit
>> /sbin/modprobe ipt_state
>>
>> #Non required modules
>> /sbin/modprobe ipt_owner
>> /sbin/modprobe ipt_REJECT
>> #/sbin/modprobe ipt_MASQUERADE
>> #/sbin/modprobe ip_conntrack_ftp
>> #/sbin/modprobe ip_conntrack_irc
>> #/sbin/modprobe ip_nat_ftp
>> #/sbin/modprobe ip_nat_irc
>>
>> echo "1" > /proc/sys/net/ipv4/ip_forward
>>
>> #Create default policies and FLUSH the chains
>> $IPTABLES -P INPUT ACCEPT
>> $IPTABLES -F INPUT
>> $IPTABLES -P OUTPUT ACCEPT
>> $IPTABLES -F OUTPUT
>> $IPTABLES -P FORWARD ACCEPT
>> $IPTABLES -F FORWARD
>>
>> $IPTABLES -F
>> $IPTABLES -t nat -F
>> $IPTABLES -t mangle -F
>>
>> #Allow the local network
>>
>> $IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT
>> --to-destination 192.168.0.2
>> $IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/16 -j
>> SNAT --to-source 1.1.1.2
>> $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
>>
>
> I am not sure if this thinking is correct or not, but here is what I
> did. I got to looking at:
> $IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/16 -j
> SNAT --to-source 1.1.1.2
>
> Since the browsers are pointed to the proxy at 192.168.0.1, I thought
> that maybe once it comes from the squid box that maybe it is using the
> public IP from eth0 instead of the private from eth1? I don't know
> how all that works technically so I just removed the -s 192.168.0.0/16
> in case it was trying to come from the public side which is
> 1.1.1.0/24.
>
> As I said, not really sure if that is correct thinking or not, but now
> it works fine.
Hmm, never mind. I'll retract that. I thought it was, but it isn't.
Still going back to the firewall. I give up. Thanks.
--
Scott Mayo
Mayo's Pioneer Seeds
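The symptom reported throughout this thread (example.org reaches the right box from a LAN browser without a proxy, but lands on the firewall's own web server as soon as the browser goes through Squid on 192.168.0.1) is consistent with the DNAT living only in nat/PREROUTING. Connections that the firewall host itself originates, such as the ones Squid opens, never traverse PREROUTING; they traverse nat/OUTPUT instead. With no DNAT there, a destination of 1.1.1.2, which is a local alias on eth0, is simply delivered locally. The script below is an added example (editor's illustration, not rules posted by anyone in the thread) that places the DNAT in both chains. Interface names and addresses follow the thread; the port-80 match, the hairpin source address 192.168.0.1 (instead of the thread's 1.1.1.2), the APPLY_RULES switch and the helper functions are assumptions of the example.

```shell
#!/bin/sh
# Added example for this thread (editor's illustration, not Scott Mayo's
# script): NAT rules for a web server that is DNAT'd behind an iptables box
# which also runs the Squid proxy. Addresses and interface names are the
# ones assumed from the thread; --dport 80, the hairpin source 192.168.0.1
# and the helper functions are assumptions of this example.
#
# Nothing is applied unless APPLY_RULES=1; set IPTABLES=echo to print rules.

IPTABLES="${IPTABLES:-/sbin/iptables}"
EXT_IFACE="eth0"          # public side, 1.1.1.1 plus alias 1.1.1.2
INT_IFACE="eth1"          # private side, 192.168.0.1
INT_IP="192.168.0.1"
EXT_IP="1.1.1.1"
WEB_PUB="1.1.1.2"         # public address example.org resolves to
WEB_PRIV="192.168.0.2"    # real web server on the LAN
LAN="192.168.0.0/16"

apply_nat_rules() {
    # 1. Packets that ARRIVE on an interface (from the Internet on eth0 or
    #    from LAN clients on eth1) traverse nat/PREROUTING. This is the rule
    #    the thread already has, and it is why a browser without a proxy works.
    $IPTABLES -t nat -A PREROUTING -d "$WEB_PUB" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_PRIV"

    # 2. Packets GENERATED ON THE FIREWALL ITSELF (Squid connecting to
    #    example.org = 1.1.1.2) never pass PREROUTING; they traverse nat/OUTPUT.
    #    Because 1.1.1.2 is a local alias, without this rule the connection is
    #    delivered locally to whatever listens on port 80 on the firewall,
    #    which is exactly the symptom seen when the proxy is in use.
    $IPTABLES -t nat -A OUTPUT -d "$WEB_PUB" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_PRIV"

    # 3. Hairpin for LAN clients: when a client reaches the server through the
    #    public address, rewrite its source to the firewall's LAN address so
    #    the server's reply returns via the firewall and conntrack can undo the
    #    DNAT. Otherwise the server answers the client directly on the LAN and
    #    the client drops a reply it never expected from 192.168.0.2.
    $IPTABLES -t nat -A POSTROUTING -s "$LAN" -d "$WEB_PRIV" -o "$INT_IFACE" \
        -p tcp --dport 80 -j SNAT --to-source "$INT_IP"

    # 4. Ordinary outbound NAT for everything leaving the public interface.
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IFACE" -j SNAT --to-source "$EXT_IP"
}

# print_nat_rules: dry-run helper, emits the rules instead of loading them.
print_nat_rules() {
    ( IPTABLES=echo; apply_nat_rules )
}

# count_dnat_chains: number of distinct nat chains carrying the DNAT for the
# public address. Both PREROUTING and OUTPUT are required, so expect 2.
count_dnat_chains() {
    print_nat_rules \
        | grep -- "-j DNAT --to-destination $WEB_PRIV" \
        | awk '{print $4}' | sort -u | wc -l | tr -d ' '
}

if [ "${APPLY_RULES:-0}" = 1 ]; then
    apply_nat_rules
else
    print_nat_rules
fi
```

Run it as `APPLY_RULES=1 sh nat.sh` on the firewall, or without the variable to review the rules first. After loading, `iptables -t nat -L OUTPUT -n -v` shows the packet counter on the OUTPUT DNAT rule climbing each time Squid fetches example.org, which is the quickest way to confirm that proxied requests now take the rewritten path. Note that a connection the firewall itself originates leaves eth1 with whatever source address routing picked for it (here the local alias 1.1.1.2, since rule 3 only matches LAN sources), so the web server must route replies to that address back through the firewall; that holds when the firewall is its default gateway, as it is in the thread's setup.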
Thread overview: 16+ messages
2014-01-27 19:22 Public IP to Private IP Scott Mayo
2014-01-27 19:36 ` Robby Workman
2014-01-27 20:08 ` Mike Wright
2014-01-27 20:46 ` Bob Reiber
2014-01-27 20:48 ` Ray Soucy
2014-01-27 21:01 ` Scott Mayo
2014-01-27 21:30 ` Ray Soucy
2014-02-02 15:45 ` Pascal Hambourg
2014-02-02 16:09 ` Mauricio Tavares
2014-02-02 16:36 ` Pascal Hambourg
2014-01-28 7:32 ` Rob Sterenborg (lists)
2014-02-24 18:22 ` Scott Mayo
2014-02-24 19:13 ` Scott Mayo
2014-02-24 21:56 ` Scott Mayo
2014-02-25 18:06 ` Scott Mayo
2014-02-25 18:12 ` Scott Mayo