Re: Internal access for NAT

To: Ryan White <ryan@itamigo.com>
Cc: debian-firewall@lists.debian.org
Subject: Re: Internal access for NAT
From: Jonathan Freiermuth <jonf@voiceweb.net>
Date: Tue, 30 Apr 2002 15:25:42 -0400
Message-id: <[🔎] 20020430192542.GF32600@gondolin.voiceweb.net>
In-reply-to: <[🔎] 007501c1f077$74da1bb0$040110ac@itamigo.com>
References: <[🔎] 007501c1f077$74da1bb0$040110ac@itamigo.com>

Consider -

172.16.2.10 sends web request to 12.34.56.78
	source IP=172.16.2.10
	  dest IP=12.34.5.6.78

firewall NAT's IP
	source IP=172.16.2.10
	  dest IP=172.16.2.2

web server responds to request
	source IP=172.16.2.2	# NAT'ed server IP
	  dest IP=172.16.2.10	# original client

client receives packet with source IP of 172.16.2.2. But the client
sent the request with a dest IP of 12.34.56.78. The client will reject
the response packet, because the client never sent a request to
172.16.2.2.

Usually the firewall has a corresponding SNAT rule to rewrite the
internal IP of the server on the way out. This is not happening because
your client is inside the firewall.

Your internal clients should use the internal IP to connect, not the
external IP.

On 2002-04-30 11:46, Ryan White wrote:
> 
> I have an external ip 12.34.56.78 NATed to 172.16.2.2 but when another
> workstation behind the firewall tries to connect to 12.34.56.78 they are
> unable to connect. Here is my little nat:
> 
> $IPTABLES -I PREROUTING -p tcp -t nat -d 12.34.56.78 --dport 80 -j DNAT --to
> 172.16.2.2:80
> $IPTABLES -I PREROUTING -p tcp -t nat -d 12.34.56.78 --dport 443 -j
> DNAT --to 172.16.2.2:443
> $IPTABLES -I FORWARD -p tcp -i eth0 -d 172.16.3.6 -m state --state NEW -j
> ACCEPT
> $IPTABLES -I FORWARD -p tcp -o eth1 -d 12.34.56.78 -m state --state NEW -j
> ACCEPT
> 
> 
> What do I have to add to get an internal machine to access 12.34.56.78
> directly?
> Some answers to obvious questions:
> Forward NAT works I can connect from the outside to 12.34.56.78:80
> Internal access to the internal ip works, I can connect to 172.16.2.2:80
> 
> Thanks for your help.
> 
> -Ryan
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 

-- 
Jonathan Freiermuth                                 Lead Systems Engineer
jonf@voiceweb.net                                    VoiceWeb Corporation

=========================================================================
"Taking my gun away because I might shoot someone is like cutting my 
tongue out because I might yell `Fire!' in a crowded theater." 
-- Peter Venetoklis 
=========================================================================

Attachment: pgpPoiljHM2ZQ.pgp
Description: PGP signature

Reply to:

References:
- Internal access for NAT
  - From: "Ryan White" <ryan@itamigo.com>

Prev by Date: Internal access for NAT
Previous by thread: Internal access for NAT
Index(es):
- Date
- Thread