On Thu, Jun 10, 2010 at 10:51 AM, Arun Khan <[email protected]> wrote:
> I have an MPLS VPN setup connecting 3 locations, with one of the
> locations being the GW to the Internet (for all three locations).
> The GW has one public static IP with iptables FireWall (FW).
>
> SNAT handles outgoing connections to the Internet for all three
> locations (different private IP nets).
>
> There are services within the VPN LAN at two locations that need to be
> made accessible to a set of "select" IPs connecting from the Internet,
> e.g. ERP, DVR surveillance, IP camera.
>
> I have set up DNAT rules for each "opened" service as shown below.
> NB: EXTIF and EXTIP are defined at the beginning of the iptables shell
> script and the default FORWARD rule is DROP.
>
> # DNAT to give access to DVR machine @ 172.16.0.131:80
> iptables -t nat -A PREROUTING -p tcp -i $EXTIF -s <ext_IP_1> -d $EXTIP --dport 8282 -j DNAT --to-destination 172.16.0.131:80
> iptables -t nat -A PREROUTING -p tcp -i $EXTIF -s <ext_IP_2> -d $EXTIP --dport 8282 -j DNAT --to-destination 172.16.0.131:80
> iptables -t nat -A PREROUTING -p tcp -i $EXTIF -s <ext_IP_3> -d $EXTIP --dport 8282 -j DNAT --to-destination 172.16.0.131:80
> iptables -A FORWARD -p tcp -i $EXTIF -o $INTIF2 -d 172.16.0.131 --dport 80 -j ACCEPT
>
> The above strategy is working for services that are on Linux (Apache)
> without pop-up windows but not on services with a pop-up.
>
> The error conditions are different for each service.
>
> For the specific example of the DVR box, when I type
> http://<EXTIP>:8282/ in my browser (the IP number is one of the
> ext_IP_? in the above rule) I get:
>
> <error code>
> 400 Bad Request
> Your client has issued a malformed or illegal request.
> </error code>
>
> instead of the pop-up box that one gets when connecting to the same
> unit from workstations on the VPN LAN.
>
> Any hints/suggestions to debug and determine the location of the
> problem welcome.
>
> TIA
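Added example, not code from either message in this thread: the three hand-copied DNAT rules above generalised into a loop that emits one DNAT rule per allowed source, restricts the matching FORWARD rule to the same source allow-list (the posted FORWARD rule matches on destination only), adds the stateful rule the DVR's replies need to get back through a FORWARD chain whose policy is DROP, and offers a curl probe that fetches the DVR page through the forward twice with different Host headers. Interface names, the public address and the allowed source addresses are placeholders from the RFC 5737 documentation ranges, and the probe is a diagnostic only; it does not assume where the 400 comes from.

```sh
#!/bin/sh
# Added example, not code from the original thread. Emits the PREROUTING DNAT
# and FORWARD rules for one published service from an allow-list of external
# source addresses (the posted pattern, generalised to a loop), and offers a
# small probe for comparing the DVR's answer under different Host headers.
# All addresses and interface names below are placeholders.

EXTIF="${EXTIF:-eth0}"           # assumption: Internet-facing interface
INTIF2="${INTIF2:-eth2}"         # assumption: interface towards the 172.16.0.0/24 LAN
EXTIP="${EXTIP:-203.0.113.10}"   # assumption: gateway's public address (RFC 5737 range)

# dnat_rules EXT_PORT DST_IP DST_PORT SRC... : print one DNAT rule and one
# FORWARD rule per allowed source. Matching -s in FORWARD as well keeps the
# allow-list in force even if the nat table is later edited on its own.
dnat_rules() {
    ext_port=$1; dst_ip=$2; dst_port=$3
    shift 3
    for src in "$@"; do
        printf 'iptables -t nat -A PREROUTING -p tcp -i %s -s %s -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$EXTIF" "$src" "$EXTIP" "$ext_port" "$dst_ip" "$dst_port"
        printf 'iptables -A FORWARD -p tcp -i %s -o %s -s %s -d %s --dport %s -j ACCEPT\n' \
            "$EXTIF" "$INTIF2" "$src" "$dst_ip" "$dst_port"
    done
}

# reply_rule: replies from the DVR must also pass FORWARD (policy DROP);
# one stateful rule covers every published service.
reply_rule() {
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# probe_host_header EXT_IP EXT_PORT LAN_HOST : fetch "/" twice through the
# forward, once with the Host header a browser sends (EXT_IP:EXT_PORT) and
# once with the address the device sees from the LAN, printing the two HTTP
# status codes. Diverging codes point at the embedded web server's handling
# of the Host header rather than at the NAT path; identical codes do not.
probe_host_header() {
    curl -s -o /dev/null -w '%{http_code}\n' "http://$1:$2/"
    curl -s -o /dev/null -w '%{http_code}\n' -H "Host: $3" "http://$1:$2/"
}

# Dry run by default (rules are only printed); APPLY_RULES=1 loads them.
# The three allowed sources are placeholders from the RFC 5737 test ranges.
if [ "${APPLY_RULES:-0}" = "1" ]; then
    { reply_rule; dnat_rules 8282 172.16.0.131 80 198.51.100.1 198.51.100.2 198.51.100.3; } | sh -e
else
    reply_rule
    dnat_rules 8282 172.16.0.131 80 198.51.100.1 198.51.100.2 198.51.100.3
fi
```

Run it as-is to see the rules it would load, `APPLY_RULES=1 sh dvr-forward.sh` on the gateway to load them, then from one of the allowed hosts `probe_host_header 203.0.113.10 8282 172.16.0.131` to see whether the DVR answers differently once the Host header matches what it sees on the LAN. Whether the rules actually get hit is visible in `iptables -t nat -vnL PREROUTING` and `iptables -vnL FORWARD` packet counters, and `tcpdump -ni $INTIF2 host 172.16.0.131 and port 80` on the gateway shows whether the rewritten packets leave towards the DVR at all.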
Arun,

We are there to help you. Don't worry. Your mail is too heavy for me right now. I am in the middle of many things. I will fwd this to my other account, take a look, think and mail back to LUG. Hang on.

Meanwhile, I suggest that you leave out MPLS and DVR and so on and just give us what you think is the problem. People get worried when they look at terms they dunno. Though I know MPLS quite well from a theoretical angle I dunno anything from a practical standpoint.

Anyway I will get back soon.

-Girish

--
Gayatri Hitech web: http://gayatri-hitech.com
SpamCheetah Spam filter: http://spam-cheetah.com

_______________________________________________
ILUGC Mailing List: http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
