It's been a while since I researched it, but I think there was something about the way netfilter_conntrack tracks the NAT sessions that prevents the hairpin NAT from working. I never figured out a way around it and no one on Google was helpful either.
The usual solution is to put a DNS entry in your internal DNS server to point the domain name to the internal IP of the web site.

------------------
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com

On Jan 29, 2008, at 10:21 PM, Nathan McBride wrote:

> Can't I do another nat rule?
>
> On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
>> It sounds like you're a victim of hairpin natting. Very frustrating.
>> Iptables doesn't do it (that I know of.) I first encountered this on a
>> PIX firewall years ago and thought it was an absurd limitation (then I
>> found out my beloved linux couldn't do it either and was crushed).
>> Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
>> do it.
>>
>> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
>>
>>> John just told me he can get to the page too.
>>> From inside the lan I am going to a browser and typing
>>> www.nombyte.com. And it doesn't work?
>>>
>>> Nate
>>>
>>> On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
>>>> *shrug* same here
>>>>
>>>> Are you trying to hit the natted address from inside the LAN that is
>>>> being natted to? Hairpin NAT doesn't work in iptables...
>>>>
>>>> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
>>>>
>>>>> I just connected and see the Apache 2 test page running on CentOS
>>>>>
>>>>> John
>>>>>
>>>>> Nathan McBride wrote:
>>>>>> First off I appreciate help from everyone, this is a nice change to
>>>>>> some mailing lists I'm used to. Unfortunately, I am still having the
>>>>>> same problem. I'm giving out real information, probably shouldn't,
>>>>>> but that's how frustrated I am. I just get an unable to connect
>>>>>> error. The firewalls are fine I promise. I can see the page on
>>>>>> 192.168.0.105 from inside the lan, and I can see and use the webgui
>>>>>> of the router just fine. Although I did disable it of course since I
>>>>>> want the port forwarded. In the ssh example sent to me which is
>>>>>> below, I notice that the addresses are just numbers where mine have
>>>>>> "" around them. Does this matter? Can anyone please give any
>>>>>> suggestions?
>>>>>>
>>>>>> Thanks a lot,
>>>>>> Nate
>>>>>>
>>>>>> My domain is:
>>>>>> www.nombyte.com
>>>>>>
>>>>>> The IP is:
>>>>>> 71.62.193.105
>>>>>>
>>>>>> Full Nat is:
>>>>>>
>>>>>> nat {
>>>>>>     rule 1 {
>>>>>>         type: "destination"
>>>>>>         inbound-interface: "eth0"
>>>>>>         protocols: "tcp"
>>>>>>         source {
>>>>>>             network: "0.0.0.0/0"
>>>>>>         }
>>>>>>         destination {
>>>>>>             address: "71.62.193.105"
>>>>>>             port-name http
>>>>>>         }
>>>>>>         inside-address {
>>>>>>             address: 192.168.0.105
>>>>>>         }
>>>>>>     }
>>>>>>     rule 2 {
>>>>>>         type: "masquerade"
>>>>>>         outbound-interface: "eth0"
>>>>>>         protocols: "all"
>>>>>>         source {
>>>>>>             network: "192.168.0.0/24"
>>>>>>         }
>>>>>>         destination {
>>>>>>             network: "0.0.0.0/0"
>>>>>>         }
>>>>>>     }
>>>>>>     rule 3 {
>>>>>>         type: "masquerade"
>>>>>>         outbound-interface: "eth0"
>>>>>>         protocols: "all"
>>>>>>         source {
>>>>>>             network: "192.168.1.0/24"
>>>>>>         }
>>>>>>         destination {
>>>>>>             network: "0.0.0.0/0"
>>>>>>         }
>>>>>>     }
>>>>>> }
>>>>>>
>>>>>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>>>>>>> Here's what I use to port-forward ssh; just adjust for address (where
>>>>>>> destination address is the public IP) and change it to http.
>>>>>>>
>>>>>>> rule 2 {
>>>>>>>     type: "destination"
>>>>>>>     inbound-interface: "eth0"
>>>>>>>     protocols: "tcp"
>>>>>>>     source {
>>>>>>>         network: 0.0.0.0/0
>>>>>>>     }
>>>>>>>     destination {
>>>>>>>         address: 1.2.3.4
>>>>>>>         port-name ssh
>>>>>>>     }
>>>>>>>     inside-address {
>>>>>>>         address: 10.0.0.30
>>>>>>>     }
>>>>>>> }
>>>>>>>
>>>>>>> Best,
>>>>>>> Justin
>>>>>>>
>>>>>>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
>>>>>>>> Can someone please help me get this worked out?
>>>>>>>> Nate
>>>>>>>>
>>>>>>>>> Ok these are my nat rules now, I didn't see a command to change
>>>>>>>>> the rule numbers so I just redid them all by hand. It still doesn't
>>>>>>>>> work.
>>>>>>>>>
>>>>>>>>> rule 1 {
>>>>>>>>>     type: "destination"
>>>>>>>>>     inbound-interface: "eth0"
>>>>>>>>>     protocols: "tcp"
>>>>>>>>>     destination {
>>>>>>>>>         address: "71.62.193.105"
>>>>>>>>>         port-name http
>>>>>>>>>     }
>>>>>>>>>     inside-address {
>>>>>>>>>         address: 192.168.0.105
>>>>>>>>>     }
>>>>>>>>> }
>>>>>>>>> rule 2 {
>>>>>>>>>     type: "masquerade"
>>>>>>>>>     outbound-interface: "eth0"
>>>>>>>>>     protocols: "all"
>>>>>>>>>     source {
>>>>>>>>>         network: "192.168.0.0/24"
>>>>>>>>>     }
>>>>>>>>>     destination {
>>>>>>>>>         network: "0.0.0.0/0"
>>>>>>>>>     }
>>>>>>>>> }
>>>>>>>>> rule 3 {
>>>>>>>>>     type: "masquerade"
>>>>>>>>>     outbound-interface: "eth0"
>>>>>>>>>     protocols: "all"
>>>>>>>>>     source {
>>>>>>>>>         network: "192.168.1.0/24"
>>>>>>>>>     }
>>>>>>>>>     destination {
>>>>>>>>>         network: "0.0.0.0/0"
>>>>>>>>>     }
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> Nate
>>>>>>>>>
>>>>>>>>> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
>>>>>>>>>> Hi Nate,
>>>>>>>>>>
>>>>>>>>>> The "inside-address" is the internal (private) IP address of
>>>>>>>>>> your Web server, which in your case is 192.168.0.105. The
>>>>>>>>>> "destination address" should actually be the public IP address
>>>>>>>>>> that outside clients will use to access your server, so usually
>>>>>>>>>> this is the public IP address of your router.
>>>>>>>>>>
>>>>>>>>>> An-Cheng
>>>>>>>>>>
>>>>>>>>>> Nathan McBride wrote:
>>>>>>>>>>> I went and looked at the old docs. I thought I set them up
>>>>>>>>>>> correctly but apparently I didn't. All I'm trying to do is to
>>>>>>>>>>> get people on the internet to view the website on my comp
>>>>>>>>>>> (192.168.0.105). The only difference that I noticed when I
>>>>>>>>>>> tried to commit the example in the old docs was that vc3
>>>>>>>>>>> requires an 'inside-address'. Could someone please help me
>>>>>>>>>>> correct this to get it working?
>>>>>>>>>>>
>>>>>>>>>>> rule 3 {
>>>>>>>>>>>     type: "destination"
>>>>>>>>>>>     inbound-interface: "eth0"
>>>>>>>>>>>     protocols: "tcp"
>>>>>>>>>>>     destination {
>>>>>>>>>>>         address: "192.168.0.105"
>>>>>>>>>>>         port-name http
>>>>>>>>>>>     }
>>>>>>>>>>>     inside-address {
>>>>>>>>>>>         address: 192.168.0.105 <-- didn't know what to put here exactly...
>>>>>>>>>>>     }
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Vyatta-users mailing list
>>>>>>>>> Vyatta-users@mailman.vyatta.com
>>>>>>>>> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
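A small Python model of the NAT rules posted in this thread, added here as an illustration and not code from the thread or from Vyatta. It shows why a LAN client browsing to www.nombyte.com ends up at the router itself (rule 1 only matches packets entering on eth0), why a LAN-side destination NAT alone would still fail (the server's direct reply does not come from the public address the client expects), and what the internal DNS entry suggested above changes. The LAN interface name eth1 and the client address 192.168.0.50 are assumptions.

```python
from dataclasses import dataclass, replace

# Addresses come from the thread; the LAN interface name "eth1" and the
# client address 192.168.0.50 below are assumptions for this simulation.
PUBLIC_IP = "71.62.193.105"
WEB_SERVER = "192.168.0.105"
LAN_PREFIX = "192.168.0."

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str  # interface the router received the packet on

def dnat_rule1(pkt: Packet) -> Packet:
    """Rule 1 from the thread: destination NAT for tcp/80 to the public IP,
    but only for packets that enter on eth0 (the Internet side)."""
    if pkt.in_iface == "eth0" and pkt.dst == PUBLIC_IP and pkt.dport == 80:
        return replace(pkt, dst=WEB_SERVER)
    return pkt

def deliver(pkt: Packet) -> str:
    """Where the router sends the packet after the NAT table has run."""
    pkt = dnat_rule1(pkt)
    if pkt.dst == PUBLIC_IP:
        return "router-local"  # the router's own address: the (disabled) webgui
    if pkt.dst == WEB_SERVER:
        return "web-server"
    return "lan-host" if pkt.dst.startswith(LAN_PREFIX) else "internet"

def resolve(name: str, from_lan: bool, split_dns: bool) -> str:
    """The workaround from the thread: an internal DNS zone that answers
    with the private address for LAN clients."""
    if name != "www.nombyte.com":
        raise KeyError(name)
    return WEB_SERVER if (from_lan and split_dns) else PUBLIC_IP

def lan_client_reaches(split_dns: bool) -> str:
    dst = resolve("www.nombyte.com", from_lan=True, split_dns=split_dns)
    return deliver(Packet("192.168.0.50", dst, 80, "eth1"))

def hairpin_reply_accepted() -> bool:
    """Why a LAN-side DNAT alone would still break: the server answers the
    client's real LAN address directly, so the reply arrives from WEB_SERVER
    while the client's TCP state expects PUBLIC_IP. Without a matching
    source NAT on the router the client discards that reply."""
    reply_src, expected_src = WEB_SERVER, PUBLIC_IP
    return reply_src == expected_src
```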