Re: Debian networking - accessing public-side servers from a private network



On 19/12/2017 at 19:22, Phil Reynolds wrote:
> I have a network with a Debian router, using iptables for NAT and
> firewalling. Connected to it via a Wi-fi access point is, among other
> things, an Android phone. This is mostly relevant in that I cannot vary
> its settings very much, other than by changing them on the router.

> I have IPv6 on the network, and, were all the apps I need to use on the
> phone enabled, there would not be a problem, however some of them
> require IPv4.

> I have both public and private networks - let's say they are
> 192.0.2.48/28 and 192.168.0.0/24.

> My network includes several physical machines that act as servers, and
> all such machines have addresses in both IPv4 ranges, statically
> assigned. Machines not used as servers have private addresses only,
> assigned by DHCP. radvd is in use to assign IPv6 addresses and DNS
> servers.

> It is probably most notable that one server is running Asterisk, as it
> is partially herein that the problem lies. I am trying to connect
> Zoiper on the Android phone to it using IAX.

> The router has addresses 192.0.2.49 and 192.168.0.1. The Asterisk box
> has 192.0.2.51 and 192.168.0.4. The phone has been assigned
> 192.168.0.130 on this occasion. The router has NAT set up on
> 192.0.2.62 to enable the private address only systems to access the
> Internet.

IIUC, both the public and the private subnets are on the same physical LAN?

> If I set up Zoiper to use the FQDN of the Asterisk box, it connects

I guess you mean the public domain name pointing to the public IPv4 address?

> just fine when I am not at home. However, when I am at home, it still
> uses the public IP address (192.0.2.51) of the Asterisk box, which,
> because it can see the phone directly, then responds using its own
> private address (192.168.0.4) - this causes Zoiper to fail to register.
> (it is clear from a tcpdump that this is happening)

That's really bad. I consider that Asterisk is faulty here. In theory UDP is not connection-oriented but in practice many client/server protocols based on UDP use some form of loose connection and work better through stateful firewalls and NATs when the reply packet source address is equal to the request packet destination address.

> At no point does the router get involved in the communication between
> the phone and the Asterisk box. To do so might make things easier, or
> could just add an unnecessary layer of complexity.

How does the private client know that the public server address is reachable directly on the LAN and not through the router?

> The answer to the problem could lie in several places:
>
> - If I could somehow get the phone to use the NAT to communicate with
>    the Asterisk box, that would probably work.

By using SNAT in the POSTROUTING chain on the router you can force routing of the public server address from the client through the router. Or you could use SNAT on the server (in the INPUT chain on recent enough kernels) when the incoming packet has a private source address and a public destination address. However in either case SIP requires special handling by netfilter with the conntrack and NAT SIP handler.

> - If I could get the phone to pick up the private address of the
>    Asterisk box rather than the public one, that would probably work. I
>    have tried setting up to do this with dnsmasq, but the IPv6 settings
>    for DNS cause this to be overridden. If I could somehow change the
>    priority of this on the phone, it would help.

All the IPv4 and IPv6 nameservers used by the client must resolve the name into the private address. If they also serve the public zone, you must set up "split DNS" to serve different versions for private and public clients.
