Can't I do another NAT rule?

On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
> It sounds like you're a victim of hairpin NATting. Very frustrating.
> Iptables doesn't do it (that I know of.) I first encountered this on a
> PIX firewall years ago and thought it was an absurd limitation (then I
> found out my beloved Linux couldn't do it either and was crushed).
> Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
> do it.
> 
> ------------------
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
> 
> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
> 
> > John just told me he can get to the page too.
> > From inside the LAN I am going to a browser and typing
> > www.nombyte.com.  And it doesn't work?
> >
> > Nate
> >
> > On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
> >> *shrug* same here
> >>
> >> Are you trying to hit the NATted address from inside the LAN that is
> >> being NATted to? Hairpin NAT doesn't work in iptables...
> >>
> >> ------------------
> >> Aubrey Wells
> >> Senior Engineer
> >> Shelton | Johns Technology Group
> >> A Vyatta Ready Partner
> >> www.sheltonjohns.com
> >>
> >> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
> >>
> >>> I just connected and see the Apache 2 test page running on CentOS
> >>>
> >>> John
> >>>
> >>>
> >>>
> >>> Nathan McBride wrote:
> >>>> First off I appreciate help from everyone, this is a nice change to
> >>>> some mailing lists I'm used to.  Unfortunately, I am still having the
> >>>> same problem.  I'm giving out real information, probably shouldn't, but
> >>>> that's how frustrated I am.  I just get an "unable to connect" error.
> >>>> The firewalls are fine, I promise.  I can see the page on 192.168.0.105
> >>>> from inside the LAN, and I can see and use the web GUI of the router
> >>>> just fine.  Although I did disable it of course since I want the port
> >>>> forwarded.  In the ssh example sent to me, which is below, I notice
> >>>> that the addresses are just numbers where mine have "" around them.
> >>>> Does this matter?  Can anyone please give any suggestions?
> >>>>
> >>>> Thanks a lot,
> >>>> Nate
> >>>>
> >>>> My domain is:
> >>>> www.nombyte.com
> >>>>
> >>>> The IP is:
> >>>> 71.62.193.105
> >>>>
> >>>> Full Nat is:
> >>>>
> >>>> nat {
> >>>>           rule 1 {
> >>>>               type: "destination"
> >>>>               inbound-interface: "eth0"
> >>>>               protocols: "tcp"
> >>>>               source {
> >>>>                   network: "0.0.0.0/0"
> >>>>               }
> >>>>               destination {
> >>>>                   address: "71.62.193.105"
> >>>>                   port-name http
> >>>>               }
> >>>>               inside-address {
> >>>>                   address: 192.168.0.105
> >>>>               }
> >>>>           }
> >>>>           rule 2 {
> >>>>               type: "masquerade"
> >>>>               outbound-interface: "eth0"
> >>>>               protocols: "all"
> >>>>               source {
> >>>>                   network: "192.168.0.0/24"
> >>>>               }
> >>>>               destination {
> >>>>                   network: "0.0.0.0/0"
> >>>>               }
> >>>>           }
> >>>>           rule 3 {
> >>>>               type: "masquerade"
> >>>>               outbound-interface: "eth0"
> >>>>               protocols: "all"
> >>>>               source {
> >>>>                   network: "192.168.1.0/24"
> >>>>               }
> >>>>               destination {
> >>>>                   network: "0.0.0.0/0"
> >>>>               }
> >>>>           }
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
> >>>>> Here's what I use to port-forward ssh; just adjust for address
> >>>>> (where
> >>>>> destination address is the public IP) and change it to http.
> >>>>>
> >>>>>       rule 2 {
> >>>>>           type: "destination"
> >>>>>           inbound-interface: "eth0"
> >>>>>           protocols: "tcp"
> >>>>>           source {
> >>>>>               network: 0.0.0.0/0
> >>>>>           }
> >>>>>           destination {
> >>>>>               address: 1.2.3.4
> >>>>>               port-name ssh
> >>>>>           }
> >>>>>           inside-address {
> >>>>>               address: 10.0.0.30
> >>>>>           }
> >>>>>       }
> >>>>>
> >>>>> Best,
> >>>>> Justin
> >>>>>
> >>>>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]>  
> >>>>> wrote:
> >>>>>> Can someone please help me get this worked out?
> >>>>>> Nate
> >>>>>>
> >>>>>>
> >>>>>>> OK, these are my NAT rules now.  I didn't see a command to change
> >>>>>>> the rule numbers so I just redid them all by hand.  It still doesn't
> >>>>>>> work.
> >>>>>>>
> >>>>>>> rule 1 {
> >>>>>>>       type: "destination"
> >>>>>>>       inbound-interface: "eth0"
> >>>>>>>       protocols: "tcp"
> >>>>>>>       destination {
> >>>>>>>           address: "71.62.193.105"
> >>>>>>>           port-name http
> >>>>>>>       }
> >>>>>>>       inside-address {
> >>>>>>>           address: 192.168.0.105
> >>>>>>>       }
> >>>>>>>   }
> >>>>>>>   rule 2 {
> >>>>>>>       type: "masquerade"
> >>>>>>>       outbound-interface: "eth0"
> >>>>>>>       protocols: "all"
> >>>>>>>       source {
> >>>>>>>           network: "192.168.0.0/24"
> >>>>>>>       }
> >>>>>>>       destination {
> >>>>>>>           network: "0.0.0.0/0"
> >>>>>>>       }
> >>>>>>>   }
> >>>>>>>   rule 3 {
> >>>>>>>       type: "masquerade"
> >>>>>>>       outbound-interface: "eth0"
> >>>>>>>       protocols: "all"
> >>>>>>>       source {
> >>>>>>>           network: "192.168.1.0/24"
> >>>>>>>       }
> >>>>>>>       destination {
> >>>>>>>           network: "0.0.0.0/0"
> >>>>>>>       }
> >>>>>>>   }
> >>>>>>>
> >>>>>>> Nate
> >>>>>>>
> >>>>>>> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
> >>>>>>>> Hi Nate,
> >>>>>>>>
> >>>>>>>> The "inside-address" is the internal (private) IP address of
> >>>>>>>> your Web server, which in your case is 192.168.0.105. The
> >>>>>>>> "destination address" should actually be the public IP address
> >>>>>>>> that outside clients will use to access your server, so usually
> >>>>>>>> this is the public IP address of your router.
> >>>>>>>>
> >>>>>>>> An-Cheng
> >>>>>>>>
> >>>>>>>> Nathan McBride wrote:
> >>>>>>>>> I went and looked at the old docs.  I thought I set them up
> >>>>>>>>> correctly but apparently I didn't.  All I'm trying to do is to get
> >>>>>>>>> people on the internet to view the website on my comp
> >>>>>>>>> (192.168.0.105).  The only difference that I noticed when I tried
> >>>>>>>>> to commit the example in the old docs was that vc3 requires an
> >>>>>>>>> 'inside-address'.  Could someone please help me correct this to
> >>>>>>>>> get it working?
> >>>>>>>>>
> >>>>>>>>> rule 3 {
> >>>>>>>>>       type: "destination"
> >>>>>>>>>       inbound-interface: "eth0"
> >>>>>>>>>       protocols: "tcp"
> >>>>>>>>>       destination {
> >>>>>>>>>           address: "192.168.0.105"
> >>>>>>>>>           port-name http
> >>>>>>>>>       }
> >>>>>>>>>       inside-address {
> >>>>>>>>>           address: 192.168.0.105 <-- didn't know what to put here exactly...
> >>>>>>>>>       }
> >>>>>>>>>   }
> >>>>>>>>>
> >>>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>
> >
> 

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
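The following is an added example and is not code from the thread or from Vyatta. It models the three netfilter stages that Vyatta's NAT rules program (PREROUTING destination NAT, the routing decision, POSTROUTING masquerade) for the topology above, using the real addresses from the thread (71.62.193.105, 192.168.0.105, 192.168.0.0/24) plus three assumptions the thread does not state: the router's LAN address (192.168.0.1), its LAN interface name (eth1), and two constructed client addresses (203.0.113.5 on the internet, 192.168.0.50 on the LAN). It shows why the posted rule 1 never sees a LAN client's request (the rule is bound to inbound-interface eth0, so a request arriving on the LAN interface is routed to the router's own stack, whose web GUI was disabled), why a second destination rule on the LAN interface alone is not enough (the server would answer the LAN client directly, from 192.168.0.105 rather than 71.62.193.105, so the client's TCP stack has no matching connection), and how a masquerade rule on the LAN interface for LAN-to-server traffic forces the reply back through the router so both translations can be undone. That destination NAT plus source NAT is the standard way netfilter hairpins; whether the VC3 configuration front end accepts a destination rule whose inbound-interface is the LAN interface and a masquerade rule whose outbound-interface is the LAN interface is an assumption here, not something the thread settles.

```python
"""Model of the NAT path for the thread's topology (added example, not Vyatta code)."""
import ipaddress
from dataclasses import dataclass, replace

# From the thread: public address, web server, LAN prefix.
WAN_IP = "71.62.193.105"
SERVER = "192.168.0.105"
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
# Assumptions (the thread gives neither): router LAN address and interface names.
LAN_IP = "192.168.0.1"
LAN_IFACE, WAN_IFACE = "eth1", "eth0"


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DestRule:       # Vyatta "type: destination"  (iptables DNAT in PREROUTING)
    inbound_iface: str
    dst: str
    dport: int
    inside: str


@dataclass(frozen=True)
class MasqRule:       # Vyatta "type: masquerade"  (iptables MASQUERADE in POSTROUTING)
    outbound_iface: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network


def _ip(s):
    return ipaddress.ip_address(s)


class Router:
    def __init__(self, dest_rules, masq_rules):
        self.dest_rules = dest_rules
        self.masq_rules = masq_rules
        self.conntrack = {}   # translated (src, sport, dst, dport) -> packet as it arrived

    def egress(self, dst):
        """Routing decision: 'local' (router's own address), LAN_IFACE or WAN_IFACE."""
        if dst in (WAN_IP, LAN_IP):
            return "local"
        return LAN_IFACE if _ip(dst) in LAN_NET else WAN_IFACE

    def forward(self, p):
        """PREROUTING DNAT -> route -> POSTROUTING MASQUERADE; returns (egress, packet)."""
        orig = p
        for r in self.dest_rules:
            if (p.iface, p.dst, p.dport) == (r.inbound_iface, r.dst, r.dport):
                p = replace(p, dst=r.inside)
                break
        out = self.egress(p.dst)
        if out == "local":
            return out, p     # delivered to the router's own stack, never forwarded
        for m in self.masq_rules:
            if out == m.outbound_iface and _ip(p.src) in m.src_net and _ip(p.dst) in m.dst_net:
                # Real MASQUERADE may also rewrite the source port; the address is
                # what decides the return path, so only that is modelled.
                p = replace(p, src=WAN_IP if out == WAN_IFACE else LAN_IP)
                break
        self.conntrack[(p.src, p.sport, p.dst, p.dport)] = orig
        return out, p

    def reverse(self, reply):
        """Undo both translations for a reply that came back through the router."""
        orig = self.conntrack.get((reply.dst, reply.dport, reply.src, reply.sport))
        if orig is None:
            return None
        return Packet(reply.iface, orig.dst, orig.dport, orig.src, orig.sport)


def http_connect(router, client_ip, client_iface, sport=40000):
    """Client opens TCP to WAN_IP:80 and reports what it observes:
    'ok'            the reply came from WAN_IP:80, the connection works
    'local'         the request hit the router itself (GUI disabled -> refused)
    'reply-from-X'  a reply arrived from X, not WAN_IP; the client has no such
                    connection and drops or resets it
    """
    req = Packet(client_iface, client_ip, sport, WAN_IP, 80)
    out, fwd = router.forward(req)
    if out == "local":
        return "local"
    if fwd.dst != SERVER:
        return "no-route"
    # The server answers whatever source it saw.  A destination on its own subnet
    # is reached directly; anything else (or the router's own address) goes back
    # through the router, which can then reverse the translation.
    reply = Packet(LAN_IFACE, SERVER, 80, fwd.src, fwd.sport)
    if reply.dst in (LAN_IP, WAN_IP) or _ip(reply.dst) not in LAN_NET:
        reply = router.reverse(reply)
        if reply is None:
            return "no-conntrack"
    return "ok" if (reply.src, reply.sport) == (WAN_IP, 80) else f"reply-from-{reply.src}"


ANY = ipaddress.ip_network("0.0.0.0/0")
# Rules 1 and 2 as posted (rule 3, for 192.168.1.0/24, plays no part here).
POSTED = Router([DestRule(WAN_IFACE, WAN_IP, 80, SERVER)], [MasqRule(WAN_IFACE, LAN_NET, ANY)])
# Hairpin pair: the same destination rule bound to the LAN interface, plus a
# masquerade rule on the LAN interface for LAN -> server traffic.
HAIRPIN = Router(
    [DestRule(WAN_IFACE, WAN_IP, 80, SERVER), DestRule(LAN_IFACE, WAN_IP, 80, SERVER)],
    [MasqRule(WAN_IFACE, LAN_NET, ANY),
     MasqRule(LAN_IFACE, LAN_NET, ipaddress.ip_network(SERVER + "/32"))],
)
# Hairpin DNAT alone, without the masquerade step.
HALF_HAIRPIN = Router(HAIRPIN.dest_rules, POSTED.masq_rules)

if __name__ == "__main__":
    for name, r in (("posted", POSTED), ("dnat-only", HALF_HAIRPIN), ("hairpin", HAIRPIN)):
        print(f"{name:10s} internet: {http_connect(r, '203.0.113.5', WAN_IFACE):8s} "
              f"lan: {http_connect(r, '192.168.0.50', LAN_IFACE)}")
```

In raw iptables terms the hairpin pair modelled above is a DNAT rule in the nat PREROUTING chain with `-i eth1 -d 71.62.193.105 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.105` and a MASQUERADE (or SNAT to the router's LAN address) rule in nat POSTROUTING with `-o eth1 -s 192.168.0.0/24 -d 192.168.0.105 -p tcp --dport 80`; the interface name eth1 is the same assumption as in the code. The cost of the masquerade step is that the web server's logs show every LAN client as the router's LAN address, which is worth knowing before relying on those logs for anything security-relevant. The usual alternative that avoids both the hairpin and the log loss is split DNS: have the internal resolver answer www.nombyte.com with 192.168.0.105.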
