Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Hmm, gotcha. I guess that makes sense actually. I'll see if I can't figure it out.

Nate

On Wed, 2008-01-30 at 08:49 +0530, Go Wow wrote:
> Nathan, I can even view it; from inside the LAN you cannot view it. If I remember correctly someone said when you try to enter on the NAT'ted IP from inside the network the router doesn't know the address where it needs to forward your request. Now look, I'm not a networking guru and not even an iptables guru so I don't know why it happens, but if you would like to even visit it from inside the LAN then you need to add a couple more NAT rules I guess. Someone may help you with additional rules.

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Nathan, I can even view it; from inside the LAN you cannot view it. If I remember correctly someone said when you try to enter on the NAT'ted IP from inside the network the router doesn't know the address where it needs to forward your request. Now look, I'm not a networking guru and not even an iptables guru so I don't know why it happens, but if you would like to even visit it from inside the LAN then you need to add a couple more NAT rules I guess. Someone may help you with additional rules.
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
*shrug* Same here. Are you trying to hit the NATted address from inside the LAN that is being NATted to? Hairpin NAT doesn't work in iptables...

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com

On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:

> I just connected and see the Apache 2 test page running on CentOS
>
> John
>
> Nathan McBride wrote:
>> First off I appreciate help from everyone, this is a nice change to some mailing lists I'm used to. Unfortunately, I am still having the same problem. I'm giving out real information, probably shouldn't, but that's how frustrated I am. I just get an "unable to connect" error. The firewalls are fine, I promise. I can see the page on 192.168.0.105 from inside the LAN, and I can see and use the web GUI of the router just fine. Although I did disable it of course since I want the port forwarded. In the ssh example sent to me, which is below, I notice that the addresses are just numbers where mine have around them. Does this matter? Can anyone please give any suggestions?
>>
>> Thanks a lot,
>> Nate
>>
>> My domain is: www.nombyte.com
>> The IP is: 71.62.193.105
>> Full NAT is:
>>
>>     nat {
>>         rule 1 {
>>             type: destination
>>             inbound-interface: eth0
>>             protocols: tcp
>>             source {
>>                 network: 0.0.0.0/0
>>             }
>>             destination {
>>                 address: 71.62.193.105
>>                 port-name http
>>             }
>>             inside-address {
>>                 address: 192.168.0.105
>>             }
>>         }
>>         rule 2 {
>>             type: masquerade
>>             outbound-interface: eth0
>>             protocols: all
>>             source {
>>                 network: 192.168.0.0/24
>>             }
>>             destination {
>>                 network: 0.0.0.0/0
>>             }
>>         }
>>         rule 3 {
>>             type: masquerade
>>             outbound-interface: eth0
>>             protocols: all
>>             source {
>>                 network: 192.168.1.0/24
>>             }
>>             destination {
>>                 network: 0.0.0.0/0
>>             }
>>         }
>>     }
>>
>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>>> Here's what I use to port-forward ssh; just adjust for address (where destination address is the public IP) and change it to http.
>>>
>>>     rule 2 {
>>>         type: destination
>>>         inbound-interface: eth0
>>>         protocols: tcp
>>>         source {
>>>             network: 0.0.0.0/0
>>>         }
>>>         destination {
>>>             address: 1.2.3.4
>>>             port-name ssh
>>>         }
>>>         inside-address {
>>>             address: 10.0.0.30
>>>         }
>>>     }
>>>
>>> Best,
>>> Justin
>>>
>>> On Jan 29, 2008 7:46 AM, Nathan McBride [EMAIL PROTECTED] wrote:
>>>> Can someone please help me get this worked out?
>>>>
>>>> Nate
>>>>
>>>> Ok, these are my NAT rules now. I didn't see a command to change the rule numbers so I just redid them all by hand. It still doesn't work.
>>>>
>>>>     rule 1 {
>>>>         type: destination
>>>>         inbound-interface: eth0
>>>>         protocols: tcp
>>>>         destination {
>>>>             address: 71.62.193.105
>>>>             port-name http
>>>>         }
>>>>         inside-address {
>>>>             address: 192.168.0.105
>>>>         }
>>>>     }
>>>>     rule 2 {
>>>>         type: masquerade
>>>>         outbound-interface: eth0
>>>>         protocols: all
>>>>         source {
>>>>             network: 192.168.0.0/24
>>>>         }
>>>>         destination {
>>>>             network: 0.0.0.0/0
>>>>         }
>>>>     }
>>>>     rule 3 {
>>>>         type: masquerade
>>>>         outbound-interface: eth0
>>>>         protocols: all
>>>>         source {
>>>>             network: 192.168.1.0/24
>>>>         }
>>>>         destination {
>>>>             network: 0.0.0.0/0
>>>>         }
>>>>     }
>>>>
>>>> Nate
>>>>
>>>> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
>>>>> Hi Nate,
>>>>>
>>>>> The inside-address is the internal (private) IP address of your Web server, which in your case is 192.168.0.105. The destination address should actually be the public IP address that outside clients will use to access your server, so usually this is the public IP address of your router.
>>>>>
>>>>> An-Cheng
>>>>>
>>>>> Nathan McBride wrote:
>>>>>> I went and looked at the old docs. I thought I set them up correctly but apparently I didn't. All I'm trying to do is to get people on the internet to view the website on my comp (192.168.0.105). The only difference that I noticed when I tried to commit the example in the old docs was that vc3 requires an 'inside-address'. Could someone please help me correct this to get it working?
>>>>>>
>>>>>>     rule 3 {
>>>>>>         type: destination
>>>>>>         inbound-interface: eth0
>>>>>>         protocols: tcp
>>>>>>         destination {
>>>>>>             address: 192.168.0.105
>>>>>>             port-name http
>>>>>>         }
>>>>>>         inside-address {
>>>>>>             address: 192.168.0.105   -- didn't know what to put here exactly...
>>>>>>         }
>>>>>>     }
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
I just connected and see the Apache 2 test page running on CentOS

John

Nathan McBride wrote:
> First off I appreciate help from everyone, this is a nice change to some mailing lists I'm used to. Unfortunately, I am still having the same problem. I'm giving out real information, probably shouldn't, but that's how frustrated I am. I just get an "unable to connect" error. The firewalls are fine, I promise. I can see the page on 192.168.0.105 from inside the LAN, and I can see and use the web GUI of the router just fine. Although I did disable it of course since I want the port forwarded. In the ssh example sent to me, which is below, I notice that the addresses are just numbers where mine have around them. Does this matter? Can anyone please give any suggestions?
>
> Thanks a lot,
> Nate
>
> My domain is: www.nombyte.com
> The IP is: 71.62.193.105
> Full NAT is:
>
>     nat {
>         rule 1 {
>             type: destination
>             inbound-interface: eth0
>             protocols: tcp
>             source {
>                 network: 0.0.0.0/0
>             }
>             destination {
>                 address: 71.62.193.105
>                 port-name http
>             }
>             inside-address {
>                 address: 192.168.0.105
>             }
>         }
>         rule 2 {
>             type: masquerade
>             outbound-interface: eth0
>             protocols: all
>             source {
>                 network: 192.168.0.0/24
>             }
>             destination {
>                 network: 0.0.0.0/0
>             }
>         }
>         rule 3 {
>             type: masquerade
>             outbound-interface: eth0
>             protocols: all
>             source {
>                 network: 192.168.1.0/24
>             }
>             destination {
>                 network: 0.0.0.0/0
>             }
>         }
>     }
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Yeah, I was about to say the same thing as Aubrey said. I had the same issue when I was trying to access the NAT'ted IP from inside the LAN; try to access it from any outside IP.
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
John just told me he can get to the page too. From inside the LAN I am going to a browser and typing www.nombyte.com. And it doesn't work?

Nate

On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
> *shrug* Same here. Are you trying to hit the NATted address from inside the LAN that is being NATted to? Hairpin NAT doesn't work in iptables...
>
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
It sounds like you're a victim of hairpin NATting. Very frustrating. Iptables doesn't do it (that I know of). I first encountered this on a PIX firewall years ago and thought it was an absurd limitation (then I found out my beloved Linux couldn't do it either and was crushed). Cisco fixed it in v7 of the PIX software IIRC, but iptables still can't do it.

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com

On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:

> John just told me he can get to the page too. From inside the LAN I am going to a browser and typing www.nombyte.com. And it doesn't work?
>
> Nate
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
It's been a while since I researched it, but I think there was something about the way netfilter conntrack tracks the NAT sessions that prevents the hairpin NAT from working. I never figured out a way around it and no one on Google was helpful either. The usual solution is to put a DNS entry in your internal DNS server to point the domain name to the internal IP of the web site.

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com

On Jan 29, 2008, at 10:21 PM, Nathan McBride wrote:

> Can't I do another NAT rule?
>
> On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
>> It sounds like you're a victim of hairpin NATting. Very frustrating. Iptables doesn't do it (that I know of). I first encountered this on a PIX firewall years ago and thought it was an absurd limitation (then I found out my beloved Linux couldn't do it either and was crushed). Cisco fixed it in v7 of the PIX software IIRC, but iptables still can't do it.
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Another way would be to have these kinds of servers (which need to be accessed from the LAN) on another subnet. Looks feasible to me.
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Can't I do another NAT rule?

On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
> It sounds like you're a victim of hairpin NATting. Very frustrating. Iptables doesn't do it (that I know of). I first encountered this on a PIX firewall years ago and thought it was an absurd limitation (then I found out my beloved Linux couldn't do it either and was crushed). Cisco fixed it in v7 of the PIX software IIRC, but iptables still can't do it.
>
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Hi Nate,

If the problem you're seeing is caused by an external vs. internal DNS problem (external access is fine, but internal hosts resolve the server to the external address and therefore cannot access it), you might be able to work around it using NAT. See the following message from the list archive for more details.

http://mailman.vyatta.com/pipermail/vyatta-users/2007-August/001741.html

An-Cheng

Nathan McBride wrote:
> hmmm, guess I should make an internal DNS server then... :D
>
> nate
>
> On Tue, 2008-01-29 at 22:34 -0500, Aubrey Wells wrote:
>> It's been a while since I researched it, but I think there was something about the way netfilter conntrack tracks the NAT sessions that prevents the hairpin NAT from working. I never figured out a way around it and no one on Google was helpful either. The usual solution is to put a DNS entry in your internal DNS server to point the domain name to the internal IP of the web site.
>>
>> --
>> Aubrey Wells
>> Senior Engineer
>> Shelton | Johns Technology Group
>> A Vyatta Ready Partner
>> www.sheltonjohns.com
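The hairpin problem Aubrey describes, and the two workarounds the thread mentions (an internal DNS entry pointing the domain at 192.168.0.105, or an extra NAT rule of the kind An-Cheng's archive link refers to), traced through a small packet-flow model. This is an added example, not code from the thread, from Vyatta, or from netfilter: it models the destination NAT of Nathan's rule 1 (71.62.193.105:80 to 192.168.0.105) and an assumed hairpin source-NAT that rewrites LAN-originated, hairpinned connections to an assumed router LAN address of 192.168.0.1; the client addresses 203.0.113.7 and 192.168.0.50 and the ephemeral port 40000 are constructed. It shows why a LAN client's handshake fails without the extra rule (the server answers the client directly on the same subnet, bypassing the router, so the SYN-ACK arrives from 192.168.0.105 rather than the 71.62.193.105 the client connected to, and the client's TCP stack has no matching socket) and why it succeeds with either workaround.

```python
# Added example (not from the mailing-list thread): a packet-flow model of
# hairpin NAT. Addresses marked "from the thread" are the ones quoted above;
# everything else is an assumption or a constructed test value.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_IP = "71.62.193.105"      # router's WAN address (from the thread)
WEB_SERVER = "192.168.0.105"     # internal web server (from the thread)
LAN = ip_network("192.168.0.0/24")  # LAN subnet (from the thread)
ROUTER_LAN_IP = "192.168.0.1"    # assumed LAN-side address of the router
EXTERNAL_CLIENT = "203.0.113.7"  # constructed Internet client (TEST-NET-3)
LAN_CLIENT = "192.168.0.50"      # constructed LAN client
HTTP = 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def in_lan(addr: str) -> bool:
    return ip_address(addr) in LAN


def router_forward(pkt: Packet, hairpin_snat: bool) -> Packet:
    """Translate a packet the way the NAT router would on the forward path.
    Destination NAT maps PUBLIC_IP:80 to the web server (rule 1 in the
    thread). With hairpin_snat, a connection that came from the LAN and is
    being sent back into the LAN is also source-NATed to the router's LAN
    address (assumed rule), so that the server's reply returns via the router."""
    if pkt.dst == PUBLIC_IP and pkt.dport == HTTP:
        pkt = replace(pkt, dst=WEB_SERVER)
        if hairpin_snat and in_lan(pkt.src):
            pkt = replace(pkt, src=ROUTER_LAN_IP)
    return pkt


def reply_bypasses_router(reply: Packet) -> bool:
    """A LAN host answering another LAN host delivers the frame directly on the
    shared segment; the router (and its conntrack table) never sees it. Only a
    reply addressed to the router itself or to a remote address passes through."""
    return in_lan(reply.src) and in_lan(reply.dst) and reply.dst != ROUTER_LAN_IP


def connect(client: str, resolved_ip: str, hairpin_snat: bool = False) -> bool:
    """Return True if the client's TCP handshake can complete: the SYN-ACK must
    come from exactly the address:port the client sent its SYN to."""
    syn = Packet(src=client, dst=resolved_ip, sport=40000, dport=HTTP)
    if in_lan(client) and in_lan(resolved_ip):
        fwd = syn                                   # direct LAN delivery
    else:
        fwd = router_forward(syn, hairpin_snat)     # routed through the NAT box
    # The server answers whatever source address and port it saw.
    reply = Packet(src=fwd.dst, dst=fwd.src, sport=HTTP, dport=fwd.sport)
    if not reply_bypasses_router(reply):
        # Reverse path through the router: conntrack undoes the translations
        # it applied to the SYN, in the opposite order.
        if reply.dst == ROUTER_LAN_IP:
            reply = replace(reply, dst=syn.src)     # undo hairpin source NAT
        if reply.src == WEB_SERVER and syn.dst == PUBLIC_IP:
            reply = replace(reply, src=PUBLIC_IP)   # undo destination NAT
    return (reply.src, reply.sport) == (syn.dst, syn.dport)


def scenarios() -> dict:
    """The four cases discussed in the thread, as name -> handshake succeeds."""
    return {
        "external_client_via_public_ip": connect(EXTERNAL_CLIENT, PUBLIC_IP),
        "lan_client_via_public_ip": connect(LAN_CLIENT, PUBLIC_IP),
        "lan_client_via_public_ip_hairpin_snat": connect(LAN_CLIENT, PUBLIC_IP, True),
        "lan_client_via_internal_dns": connect(LAN_CLIENT, WEB_SERVER),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:40s} {'connects' if ok else 'FAILS'}")
```

Running it prints one line per scenario: only `lan_client_via_public_ip` fails, which is the symptom in the thread (outside clients and the LAN client using 192.168.0.105 directly both work). The internal-DNS fix avoids the router altogether; the hairpin source-NAT fix works by making the server see the router, not the client, as the peer, at the cost of the web server's logs showing 192.168.0.1 for every LAN visitor.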