Hi Todd,

The inbound NAT rule is simply changing the destination IP in packets 
destined for 75.145.xxx.189 to 192.168.xxx.189 once these packets hit 
the router. Since your web server is located at 192.168.xxx.189 and it 
is directly connected to the router, the NAT'ted packets *should* get 
forwarded to your server. So, if the NAT was not working properly, your 
friend would most likely not get anything at all when attempting to 
access 75.145.xxx.189 or he would get the vyatta webgui if it is 
enabled. The fact that your friend is actually getting a "bad request" 
page from your web server tells me that the NAT is working but the web 
server is not configured to display a page.

I don't have experience with Apache so I'm not sure why you would get 
the test page and he would get the "bad request" page. Maybe someone 
else on the list has a better idea of why this might happen?

You can run a 'tshark -i eth0' and 'tshark -i eth1' to monitor the 
packets that are destined for your web server. This may give you a clue 
as to what the issue is or at least confirm that packets are reaching 
and leaving the web server. If you have a lot of packets coming in and 
out, you can further filter the tshark output by running:

tshark -n -i eth0 port 80

I hope this helps.

Thanks,

Robyn
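
As an added illustration (my code, not Robyn's, Aubrey's or anything shipped with Vyatta), the script below models how a Vyatta "type: destination" NAT rule is matched: source is where the packet comes from, destination is the router's own WAN address that must appear in the packet, and inside-address is what that destination is rewritten to. It replays a constructed request from a friend on the internet against the "backwards" rule and against the corrected one, and also against a variant narrowed to TCP port 80, since the thread asks whether a port should be added. The "xxx" octets are filled in as 0, the friend's address is a documentation-range address, and the dport field is a modelling assumption rather than Vyatta rule syntax.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The handful of header fields a destination NAT rule looks at."""
    in_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class DnatRule:
    """Model of a Vyatta 'type: destination' rule; field names follow the thread."""
    inbound_interface: str
    source_network: str          # who the packet must come FROM (the internet: 0.0.0.0/0)
    destination: str             # the router-side address the packet must be addressed TO
    inside_address: str          # internal host the destination gets rewritten to
    protocols: str = "all"
    dport: Optional[int] = None  # hypothetical port restriction, not part of the thread's rule

    def matches(self, pkt: Packet) -> bool:
        if pkt.in_iface != self.inbound_interface:
            return False
        if self.protocols != "all" and pkt.proto != self.protocols:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.source_network, strict=False)
        dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.destination, strict=False)
        return src_ok and dst_ok


def apply_dnat(rule: DnatRule, pkt: Packet) -> Packet:
    """Rewrite the destination when the rule matches.  An unmatched packet keeps the WAN
    address and is delivered to the router itself, which is why it reaches the Vyatta webgui."""
    if not rule.matches(pkt):
        return pkt
    return replace(pkt, dst=rule.inside_address)


# Placeholder "xxx" octets from the thread are filled in as 0 (assumption).
WAN_IP = "75.145.0.189"
SERVER_1 = "192.168.0.189"

# Todd's original rule: source is the LAN, destination is anything.
TODDS_RULE = DnatRule("eth1", "192.168.0.0/24", "0.0.0.0/0", SERVER_1)
# Aubrey's corrected rule: source is anyone on the internet, destination is the WAN IP.
AUBREYS_RULE = DnatRule("eth1", "0.0.0.0/0", WAN_IP, SERVER_1)
# The corrected rule narrowed to HTTP only.
HTTP_ONLY_RULE = replace(AUBREYS_RULE, protocols="tcp", dport=80)

# Constructed sample packets: a friend on the internet (TEST-NET-3 address) hits the WAN IP.
FRIEND_HTTP = Packet("eth1", "203.0.113.7", WAN_IP, "tcp", 80)
FRIEND_SSH = Packet("eth1", "203.0.113.7", WAN_IP, "tcp", 22)


if __name__ == "__main__":
    rules = [("Todd's rule", TODDS_RULE), ("Aubrey's rule", AUBREYS_RULE), ("HTTP-only rule", HTTP_ONLY_RULE)]
    for name, rule in rules:
        for pkt in (FRIEND_HTTP, FRIEND_SSH):
            out = apply_dnat(rule, pkt)
            where = "Server 1" if out.dst == SERVER_1 else "the router (webgui)"
            print(f"{name:15} {pkt.src} -> {pkt.dst}:{pkt.dport}  ends up at {where}")
```

Running it shows the friend's request reaching the router itself under the original rule (its source network can never match an internet address arriving on eth1), reaching Server 1 under the corrected rule, and, under the port-limited variant, only port 80 being forwarded while port 22 still lands on the router.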

Todd Worden wrote:
>
> I sent this email… but it was a direct reply by accident…
>
> Ok, that is what I have got for an inbound rule... I called a friend 
> to have them hit my IP to see if they can get in, and they reported a 
> "bad request" page, whereas earlier I could definitely access the 
> router from the internet. They should be getting the Apache test page 
> I would think. On Server 1, internal, I hit my IP 
> http://75.145.xxx.189 and I get the Vyatta router. Outside, my friend 
> gets a "bad request". When I hit http://localhost I get the Apache Web 
> Server test page.
>
> Shouldn't outside traffic be forwarded at this point to Server 1 
> which is 192.168.xxx.189? Perhaps I should add a port number to the rule?
>
> Thanks!
>
> Todd
>
> FWIW, I figured out my problem… turns out the “Bad Request” also 
> showed a miniature message that it was generated by Apache, so that 
> told me that the request was going through and being forwarded 
> correctly to Server 1. Digging into my httpd.conf looking for the 
> problem didn’t solve it, but looking at my apache error_log did as it 
> said ModSecurity: Access denied with code 400. So then I opened up 
> mod_security and started commenting out stuff, to finally isolate a 
> file called modsecurity_crs_21_protocol_anomalies.conf which has 
> within it a rule that blocks pure IP based web requests.
>
> Interesting!
>
> Now I can see my apache test page on the outside… hurray! One step closer.
>
> Maybe someone will find this useful in their google searches, or 
> elsewhere.
>
> Thanks!
>
> Todd
>
> *From:* Aubrey Wells [mailto:[EMAIL PROTECTED]
> *Sent:* Tuesday, December 04, 2007 11:42 AM
> *To:* Todd Worden
> *Cc:* vyatta-users@mailman.vyatta.com
> *Subject:* Re: [Vyatta-users] NAT Inbound Configuration
>
> Depends on what you're trying to accomplish with your inbound rule. 
> Are you trying to redirect all inbound traffic to a particular host? 
> All inbound on a specific port to particular host?
>
> In any case, source refers to where the traffic comes from, so if you 
> want inbound from any host on the internet to get NATed, then you 
> would use 0.0.0.0/0 for the source network. Alternatively you could 
> specify a subnet, or a single host (a.b.c.d/32 for a host, a.b.c.d/XX 
> for a subnet). The destination is the external IP _on your vyatta box_ 
> that you want the incoming translation to be performed on. You should 
> really specify this, 0.0.0.0/0 could have unintended consequences. 
> Then, the inside-address is the internal destination that the traffic 
> should be routed to.
>
> So, to give an example, if I wanted _all_ inbound traffic to 
> 75.145.xxx.189 on eth1 of my box to go to the internal ip 
> 192.168.XXX.189 on eth0 I'd do something like:
>
> rule 20 {
>     type: "destination"
>     inbound-interface: "eth1"
>     protocols: "all"
>     source {
>         network: "0.0.0.0/0"
>     }
>     destination {
>         address: "75.145.xxx.189"
>     }
>     inside-address {
>         address: "192.168.XXX.189"
>     }
> }
>
> Hmm... Robyn just beat me to it, but I already typed all this, so I'm 
> sending it anyways. :-)
>
> ------------------
>
> *Aubrey Wells*
>
> /Senior Engineer/
>
> Shelton | Johns Technology Group
>
> A Vyatta Ready Partner
>
> http://www.sheltonjohns.com
>
>
>
> On Dec 4, 2007, at 11:31 AM, Todd Worden wrote:
>
>
>
> Hi fellow Vyatta users…
>
> Thanks for the previous help with configuring my outbound NAT rule, I 
> am able to ping from Server 1 to Vyatta and to the internet… Hurray! I 
> struggled a bit with this, but finally realized that I had to set 
> Server 1’s DNS to Comcast’s DNS servers, then all resolved.
>
> Now I am interested in setting up an inbound NAT rule so that internet 
> traffic will be directed to a specified server for a specified port.
>
> Here is my current inbound NAT rule:
>
> rule 20 {
>     type: "destination"
>     inbound-interface: "eth1"
>     protocols: "all"
>     source {
>         network: "192.168.xxx.0/24"
>     }
>     destination {
>         network: "0.0.0.0/0"
>     }
>     inside-address {
>         address: "192.168.xxx.189"
>     }
> }
>
> In my hardware, eth0 is my lan and eth1 is my wan. As it is, I can hit 
> my static IP 75.145.xxx.189 from outside my network and I get the 
> Vyatta webgui. This is not good… when I get home tonight I had better 
> change the default password :). The above rule, however, looks 
> backwards, I would intuitively think the source would be 0.0.0.0/0 and 
> be destined for 192.168.xxx.0/24. Also, should my inside-address be 
> assigned to my lan eth0 IP or wan eth1 IP?
>
> Thanks again for all the support!
>
> Todd
>
> _______________________________________________
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
>
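
An added example, written for this page and not taken from the thread or from the ModSecurity Core Rule Set, that reproduces in Python the check Todd traced to modsecurity_crs_21_protocol_anomalies.conf: a request whose Host header is a bare IP address is denied with 400, while the same request with a hostname (or "localhost", as in Todd's local test) is let through. It covers only the Host header checks from that file, not the rest of it; the "xxx" octet is filled in as 0, the sample requests are constructed, and the allowed_ip_hosts exception is a hypothetical stand-in for exempting one known address in your own CRS configuration instead of commenting the rule out.

```python
import ipaddress
from typing import Dict, Iterable, Tuple


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (request line, {lower-cased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def strip_port(host: str) -> str:
    """Drop an optional :port from a Host value, handling bracketed IPv6 literals."""
    if host.startswith("["):                 # e.g. [::1]:80
        return host[1:].partition("]")[0]
    if host.count(":") == 1:                 # e.g. 75.145.0.189:8080 or example.com:8080
        return host.rsplit(":", 1)[0]
    return host


def host_is_bare_ip(host: str) -> bool:
    """True when the Host header names a numeric IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(strip_port(host))
        return True
    except ValueError:
        return False


def protocol_anomaly_check(raw: bytes, allowed_ip_hosts: Iterable[str] = ()) -> Tuple[int, str]:
    """Return (status, reason) the way the Host-header rules in the CRS file would decide.
    allowed_ip_hosts is a hypothetical exception list (not CRS syntax): a narrower fix than
    commenting out the whole rule."""
    _, headers = parse_request(raw)
    host = headers.get("host", "")
    if not host:
        return 400, "request has no Host header"
    if host_is_bare_ip(host) and strip_port(host) not in set(allowed_ip_hosts):
        return 400, "Host header is a numeric IP address"
    return 200, "ok"


# Constructed sample requests (the "xxx" octet from the thread is filled in as 0).
FROM_LOCALHOST = b"GET / HTTP/1.1\r\nHost: localhost\r\nUser-Agent: curl/7.16\r\n\r\n"
FROM_FRIEND = b"GET / HTTP/1.1\r\nHost: 75.145.0.189\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
NO_HOST = b"GET / HTTP/1.0\r\nUser-Agent: ancient-client\r\n\r\n"


if __name__ == "__main__":
    for label, req in (("localhost", FROM_LOCALHOST), ("friend", FROM_FRIEND), ("no Host", NO_HOST)):
        print(label, protocol_anomaly_check(req))
    print("friend, IP exempted", protocol_anomaly_check(FROM_FRIEND, ["75.145.0.189"]))
```

The friend's browser put the WAN IP into the Host header because that is what was typed into the address bar, so the request tripped the rule before Apache ever looked for a page; the local test used "localhost" and sailed through, which is why the two results differed even though the NAT was fine. Exempting the one address you actually serve by IP keeps the rule active for everything else.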