From: Pascal Hambourg <pascal@plouf.fr.eu.org>
To: Scott Mayo <scotgmayo@gmail.com>
Cc: Ray Soucy <rps@maine.edu>, netfilter list <netfilter@vger.kernel.org>
Subject: Re: Public IP to Private IP
Date: Sun, 02 Feb 2014 16:45:15 +0100
Message-ID: <52EE680B.6090407@plouf.fr.eu.org>
In-Reply-To: <CAFPGR9guTGspBJ8yfOVNZAAMy44YGS+UeV+QmYNLpAJ+ZxTuxw@mail.gmail.com>
Hello,
Scott Mayo wrote:
> On Mon, Jan 27, 2014 at 2:48 PM, Ray Soucy <rps@maine.edu> wrote:
>> The term you're looking for is "NAT reflection" or "hairpin NAT".
>>
>> If you're not running split DNS, then trying to reach a system via its
>> "outside" IP from an internal system will present a problem because
>> the source IP of the request is seen as on-link by the server, so the
>> server responds directly from an unexpected source IP and the
>> requesting host drops the request.
>>
>> You can get around this issue by NATing the return traffic when it's to
>> and from the internal network.
>>
>> Assuming that your inside interface is eth1, and your inside IP
>> network is 192.168.0.0/23:
>>
>> iptables -t nat -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 -j MASQUERADE
Instead of masquerading I would suggest 1:1 mapping the source addresses
to a different (unused) private subnet, so that the source address seen
by the final server can be mapped back to the real source address.
E.g.:
iptables -t nat -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 \
-j NETMAP --to 192.168.8.0/23
> That did not seem to work either. Getting the same results. Thanks.
Also make sure that "reflected" packets from eth1 to eth1 (replace with
the real internal interface name) in the FORWARD chain are ACCEPTed.
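An added example, not from the thread: Python that models what the NETMAP rule above does to a source address (host bits kept, network bits replaced by 192.168.8.0/23) and applies the inverse mapping to constructed server log lines, which is how the internal server's logs can be correlated back to the real LAN client. The function names and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re

# Subnets from the thread: the real LAN and the unused subnet NETMAP maps it to.
LAN = ipaddress.ip_network("192.168.0.0/23")
MAPPED = ipaddress.ip_network("192.168.8.0/23")


def netmap(addr, src_net, dst_net):
    """Translate addr the way the NETMAP target does: keep the host bits,
    replace the network bits. Both networks must have the same prefix length."""
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NETMAP requires equally sized subnets")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(addr) & int(src_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)


def reflected_source(real_src):
    """Source address the internal server sees for a hairpinned connection."""
    return netmap(real_src, LAN, MAPPED)


def real_source(seen_src):
    """Inverse mapping: the real LAN client behind an address from the server's log."""
    return netmap(seen_src, MAPPED, LAN)


IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unmap_log_line(line):
    """Rewrite mapped-subnet addresses in a log line to the real client address.
    Other addresses (direct LAN or Internet clients) are left untouched."""
    def repl(m):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:          # not a valid IPv4 address, leave it alone
            return m.group(1)
        return str(real_source(ip)) if ip in MAPPED else m.group(1)
    return IPV4_RE.sub(repl, line)


# Constructed sample log lines (not from the thread): one hairpinned, one direct.
SAMPLE_LOG = [
    '192.168.9.37 - - [02/Feb/2014:16:45:15 +0100] "GET / HTTP/1.1" 200',
    '192.168.0.10 - - [02/Feb/2014:16:46:02 +0100] "GET / HTTP/1.1" 200',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(unmap_log_line(entry))
```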