It's been a while since I researched it, but I think there was
something about the way netfilter_conntrack tracks the NAT sessions
that prevents the hairpin NAT from working. I never figured out a way
around it and no one on Google was helpful either.

The usual solution is to put a DNS entry in your internal DNS server
to point the domain name to the internal IP of the web site.

------------------
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com
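As an added example (not code from the thread or from Vyatta), here is a small Python model of the packet path for Nathan's rule 1 when a client on 192.168.0.0/24 dials 71.62.193.105. It assumes eth0 faces the internet and eth1 the LAN (both interface names are assumptions), and shows why the LAN client gets "unable to connect", why the reply path breaks even without the eth0 restriction, and why the internal DNS entry works.

```python
# Added example (not from the thread or from Vyatta): a toy model of the packet
# path for rule 1. Assumes eth0 faces the internet and eth1 the 192.168.0.0/24 LAN.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")        # Nathan's LAN (rule 2 source network)
PUBLIC_IP = ip_address("71.62.193.105")   # rule 1 destination address (router WAN)
SERVER = ip_address("192.168.0.105")      # rule 1 inside-address (the web server)
WAN_IF, LAN_IF = "eth0", "eth1"           # assumed interface names

def dnat(pkt, inbound_if, any_interface=False):
    """rule 1: rewrite tcp/80 for PUBLIC_IP to SERVER, but only on inbound eth0."""
    matches_if = any_interface or inbound_if == WAN_IF   # any_interface: no eth0 limit
    if matches_if and pkt["dst"] == PUBLIC_IP and pkt["dport"] == 80:
        return dict(pkt, dst=SERVER)
    return pkt

def deliver_syn(client, target, any_interface=False):
    """Who receives the client's SYN: a LAN host directly, or whatever NAT decides."""
    pkt = {"src": client, "dst": target, "dport": 80}
    if client in LAN and target in LAN:       # same subnet: the router is not on the path
        return target, pkt
    inbound_if = LAN_IF if client in LAN else WAN_IF
    pkt = dnat(pkt, inbound_if, any_interface)
    # a packet still addressed to the router's own IP is delivered to the router itself
    return ("router" if pkt["dst"] == PUBLIC_IP else pkt["dst"]), pkt

def connect(client, target, any_interface=False):
    """Trace one connection attempt; returns 'ok' or the reason it fails."""
    client, target = ip_address(client), ip_address(target)
    if client not in LAN and target.is_private:
        return f"unroutable: {target} is a private address"
    receiver, syn = deliver_syn(client, target, any_interface)
    if receiver == "router":
        return "refused: rule 1 only matches eth0, so the LAN client reaches the router itself"
    if receiver != SERVER:
        return f"no web server at {receiver}"
    # The server answers the source it saw. A reply to a LAN client is sent straight
    # back on the LAN and never crosses the router, so conntrack cannot reverse the
    # DNAT: the SYN-ACK arrives from SERVER, not from the address the client dialled.
    reply_src = SERVER if syn["src"] in LAN else PUBLIC_IP
    if reply_src != target:
        return f"reset: client dialled {target} but the SYN-ACK came from {reply_src}"
    return "ok"

if __name__ == "__main__":
    print(connect("198.51.100.7", "71.62.193.105"))                      # outside: ok
    print(connect("192.168.0.50", "71.62.193.105"))                      # LAN, as configured
    print(connect("192.168.0.50", "71.62.193.105", any_interface=True))  # hairpin attempt
    print(connect("192.168.0.50", "192.168.0.105"))                      # split DNS: ok
```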





On Jan 29, 2008, at 10:21 PM, Nathan McBride wrote:

> Can't I do another nat rule?
>
> On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
>> It sounds like you're a victim of hairpin natting. Very frustrating.
>> Iptables doesn't do it (that I know of.) I first encountered this on a
>> PIX firewall years ago and thought it was an absurd limitation (then I
>> found out my beloved linux couldn't do it either and was crushed).
>> Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
>> do it.
>>
>> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
>>
>>> John just told me he can get to the page too.
>>> From inside the lan I am going to a browser and typing
>>> www.nombyte.com.  And it doesn't work?
>>>
>>> Nate
>>>
>>> On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
>>>> *shrug* same here
>>>>
>>>> Are you trying to hit the natted address from inside the LAN that is
>>>> being natted to? Hairpin NAT doesn't work in iptables...
>>>>
>>>> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
>>>>
>>>>> I just connected and see the Apache 2 test page running on CentOS
>>>>>
>>>>> John
>>>>>
>>>>>
>>>>>
>>>>> Nathan McBride wrote:
>>>>>> First off I appreciate help from everyone, this is a nice change to
>>>>>> some mailing lists I'm used to.  Unfortunately, I am still having the
>>>>>> same problem.  I'm giving out real information, probably shouldn't,
>>>>>> but that's how frustrated I am.  I just get an unable to connect
>>>>>> error.  The firewalls are fine I promise.  I can see the page on
>>>>>> 192.168.0.105 from inside the lan, and I can see and use the webgui
>>>>>> of the router just fine.  Although I did disable it of course since
>>>>>> I want the port forwarded.
>>>>>> In the ssh example sent to me which is below, I notice that the
>>>>>> addresses are just numbers where mine have "" around them.  Does this
>>>>>> matter?  Can anyone please give any suggestions?
>>>>>>
>>>>>> Thanks a lot,
>>>>>> Nate
>>>>>>
>>>>>> My domain is:
>>>>>> www.nombyte.com
>>>>>>
>>>>>> The IP is:
>>>>>> 71.62.193.105
>>>>>>
>>>>>> Full Nat is:
>>>>>>
>>>>>> nat {
>>>>>>          rule 1 {
>>>>>>              type: "destination"
>>>>>>              inbound-interface: "eth0"
>>>>>>              protocols: "tcp"
>>>>>>              source {
>>>>>>                  network: "0.0.0.0/0"
>>>>>>              }
>>>>>>              destination {
>>>>>>                  address: "71.62.193.105"
>>>>>>                  port-name http
>>>>>>              }
>>>>>>              inside-address {
>>>>>>                  address: 192.168.0.105
>>>>>>              }
>>>>>>          }
>>>>>>          rule 2 {
>>>>>>              type: "masquerade"
>>>>>>              outbound-interface: "eth0"
>>>>>>              protocols: "all"
>>>>>>              source {
>>>>>>                  network: "192.168.0.0/24"
>>>>>>              }
>>>>>>              destination {
>>>>>>                  network: "0.0.0.0/0"
>>>>>>              }
>>>>>>          }
>>>>>>          rule 3 {
>>>>>>              type: "masquerade"
>>>>>>              outbound-interface: "eth0"
>>>>>>              protocols: "all"
>>>>>>              source {
>>>>>>                  network: "192.168.1.0/24"
>>>>>>              }
>>>>>>              destination {
>>>>>>                  network: "0.0.0.0/0"
>>>>>>              }
>>>>>>          }
>>>>>>
>>>>>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>>>>>>> Here's what I use to port-forward ssh; just adjust for address (where
>>>>>>> destination address is the public IP) and change it to http.
>>>>>>>
>>>>>>>      rule 2 {
>>>>>>>          type: "destination"
>>>>>>>          inbound-interface: "eth0"
>>>>>>>          protocols: "tcp"
>>>>>>>          source {
>>>>>>>              network: 0.0.0.0/0
>>>>>>>          }
>>>>>>>          destination {
>>>>>>>              address: 1.2.3.4
>>>>>>>              port-name ssh
>>>>>>>          }
>>>>>>>          inside-address {
>>>>>>>              address: 10.0.0.30
>>>>>>>          }
>>>>>>>      }
>>>>>>>
>>>>>>> Best,
>>>>>>> Justin
>>>>>>>
>>>>>>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
>>>>>>>> Can someone please help me get this worked out?
>>>>>>>> Nate
>>>>>>>>
>>>>>>>>
>>>>>>>>> Ok these are my nat rules now, I didn't see a command to change
>>>>>>>>> the rule numbers so I just redid them all by hand.  It still doesn't
>>>>>>>>> work.
>>>>>>>>>
>>>>>>>>> rule 1 {
>>>>>>>>>      type: "destination"
>>>>>>>>>      inbound-interface: "eth0"
>>>>>>>>>      protocols: "tcp"
>>>>>>>>>      destination {
>>>>>>>>>          address: "71.62.193.105"
>>>>>>>>>          port-name http
>>>>>>>>>      }
>>>>>>>>>      inside-address {
>>>>>>>>>          address: 192.168.0.105
>>>>>>>>>      }
>>>>>>>>>  }
>>>>>>>>>  rule 2 {
>>>>>>>>>      type: "masquerade"
>>>>>>>>>      outbound-interface: "eth0"
>>>>>>>>>      protocols: "all"
>>>>>>>>>      source {
>>>>>>>>>          network: "192.168.0.0/24"
>>>>>>>>>      }
>>>>>>>>>      destination {
>>>>>>>>>          network: "0.0.0.0/0"
>>>>>>>>>      }
>>>>>>>>>  }
>>>>>>>>>  rule 3 {
>>>>>>>>>      type: "masquerade"
>>>>>>>>>      outbound-interface: "eth0"
>>>>>>>>>      protocols: "all"
>>>>>>>>>      source {
>>>>>>>>>          network: "192.168.1.0/24"
>>>>>>>>>      }
>>>>>>>>>      destination {
>>>>>>>>>          network: "0.0.0.0/0"
>>>>>>>>>      }
>>>>>>>>>  }
>>>>>>>>>
>>>>>>>>> Nate
>>>>>>>>>
>>>>>>>>> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
>>>>>>>>>> Hi Nate,
>>>>>>>>>>
>>>>>>>>>> The "inside-address" is the internal (private) IP address of
>>>>>>>>>> your Web server, which in your case is 192.168.0.105. The
>>>>>>>>>> "destination address" should actually be the public IP address
>>>>>>>>>> that outside clients will use to access your server, so usually
>>>>>>>>>> this is the public IP address of your router.
>>>>>>>>>> An-Cheng
>>>>>>>>>>
>>>>>>>>>> Nathan McBride wrote:
>>>>>>>>>>> I went and looked at the old docs.  I thought I set them up
>>>>>>>>>>> correctly but apparently I didn't.  All I'm trying to do is to get
>>>>>>>>>>> people on the internet to view the website on my comp
>>>>>>>>>>> (192.168.0.105).  The only difference that I noticed when I tried
>>>>>>>>>>> to commit the example in the old docs was that vc3 requires an
>>>>>>>>>>> 'inside-address'.  Could someone please help me correct this to
>>>>>>>>>>> get it working?
>>>>>>>>>>>
>>>>>>>>>>> rule 3 {
>>>>>>>>>>>      type: "destination"
>>>>>>>>>>>      inbound-interface: "eth0"
>>>>>>>>>>>      protocols: "tcp"
>>>>>>>>>>>      destination {
>>>>>>>>>>>          address: "192.168.0.105"
>>>>>>>>>>>          port-name http
>>>>>>>>>>>      }
>>>>>>>>>>>      inside-address {
>>>>>>>>>>>          address: 192.168.0.105 <-- didn't know what to put here exactly...
>>>>>>>>>>>      }
>>>>>>>>>>>  }
>>>>>>>>>>>

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
