From: "Michal Kubeček" <mkubecek@suse.cz>
To: netfilter@vger.kernel.org
Cc: "Gáspár Lajos" <swifty@freemail.hu>
Subject: Re: What happens after PREROUTING/nat ?
Date: Thu, 08 Dec 2011 09:55:24 +0100 [thread overview]
Message-ID: <3132035.exjJScDA16@alaris> (raw)
In-Reply-To: <4EDFA920.4040804@freemail.hu>
On Wednesday 07 of December 2011 18:57, Gáspár Lajos wrote:
> "A": the local router/gateway/firewall connected to the Internet and
> the LAN
> "B": a server on the LAN
> "C": a client on the same LAN or on the other side (Internet)
>
> If "C" connects from the Internet to a service on "A" (in reality the
> service is on "B") then everything is fine because I can DNAT the
> packets to "B"...
> But if "C" is in the LAN then the packets are simply disappearing...
They are not. If you monitor the LAN traffic, you should notice that the
problem is not the redirected packet but the reply from B to C. Because
B and C are in the same segment, the response goes directly to C (not
through A) and its source address isn't translated back. Thus C sends a
packet to A but gets response with source address of B (which it can't
recognize). There are three usual solutions to this problem:
1. Don't put services accessible from outside into LAN, create a DMZ and
put them there. Then the response will go through A and it will
translate its source address.
2. Make clients from LAN use the real address of B rather than A. This
is often done via views in BIND - you translate the name differently for
clients in LAN and for the rest of the world.
3. When translating the destination address from A to B for packets
coming from LAN, translate source address as well ("masquerade"). Then
the reply will go back to A and it will translate both source and
destination address. Awful? Definitely, but this is where all those
masquerades got us...
Michal Kubeček
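A small model of the exchange Michal describes, added here as an illustration and not part of the mail thread. It simulates A as a gateway with a PREROUTING DNAT rule and a conntrack table, sends one request from C to A's public address, lets B answer, and checks whether C can match the reply to the socket it opened. All addresses, ports and host names below are constructed for the example; the `masquerade_lan` switch stands for solution 3 (translating the source as well as the destination for LAN-originated traffic).

```python
from dataclasses import dataclass, replace

# Constructed addresses for the hosts in the thread (not from the original mail)
A_WAN = "203.0.113.10"     # A's public address, the one C actually connects to
A_LAN = "192.168.1.1"      # A's address on the LAN
B = "192.168.1.20"         # the server behind A
C_LAN = "192.168.1.50"     # a client on the same LAN as B
C_WAN = "198.51.100.7"     # a client out on the Internet
LAN_PREFIX = "192.168.1."
SERVICE_PORT = 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def reverse(pkt: Packet) -> Packet:
    """The 4-tuple a reply to pkt carries (addresses and ports swapped)."""
    return Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)


def on_lan(addr: str) -> bool:
    return addr.startswith(LAN_PREFIX)


class Gateway:
    """Minimal model of A: a DNAT rule in PREROUTING/nat plus conntrack state,
    optionally with solution 3 (masquerade hairpin traffic coming from the LAN)."""

    def __init__(self, masquerade_lan: bool):
        self.masquerade_lan = masquerade_lan
        # reply tuple as B will send it -> original request as C sent it
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        # New connection to the published service: DNAT it to B
        if pkt.dst == A_WAN and pkt.dport == SERVICE_PORT:
            out = replace(pkt, dst=B)
            if self.masquerade_lan and on_lan(pkt.src):
                out = replace(out, src=A_LAN)   # solution 3: SNAT as well
            self.conntrack[reverse(out)] = pkt
            return out
        # Reply belonging to a tracked connection: undo the translation
        orig = self.conntrack.get(pkt)
        if orig is not None:
            return reverse(orig)
        return pkt


def exchange(client: str, masquerade_lan: bool):
    """Return (request as C sent it, reply as it arrives at C)."""
    gw = Gateway(masquerade_lan)
    request = Packet(src=client, dst=A_WAN, sport=40000, dport=SERVICE_PORT)
    delivered_to_b = gw.forward(request)
    reply = reverse(delivered_to_b)
    # B only hands the reply to A when it is addressed to A itself or off-LAN;
    # anything else on the same segment is delivered directly, bypassing A
    if reply.dst == A_LAN or not on_lan(reply.dst):
        reply = gw.forward(reply)
    return request, reply


def client_accepts(request: Packet, reply: Packet) -> bool:
    """C matches replies against the socket it opened: the reply must come from
    the address and port it connected to, not from B's real address."""
    return reply == reverse(request)


if __name__ == "__main__":
    for client, masq in [(C_WAN, False), (C_LAN, False), (C_LAN, True)]:
        req, rep = exchange(client, masq)
        print(f"client={client} masquerade={masq}: reply from {rep.src}, "
              f"accepted={client_accepts(req, rep)}")
```

With the LAN client and no masquerade the reply reaches C with source address B, which C's socket does not recognise, exactly the "disappearing" packets from the question; with `masquerade_lan=True` the reply is routed back to A and comes out with A's public address as source. In iptables terms solution 3 is a DNAT rule in `PREROUTING` (`-t nat -d 203.0.113.10 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20`) paired with a `POSTROUTING` rule restricted to LAN sources (`-t nat -s 192.168.1.0/24 -d 192.168.1.20 -p tcp --dport 80 -j MASQUERADE`), with the cost Michal notes: B's logs then show every LAN client as A.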