hmmm, guess I should make an internal DNS server then... :D
nate
On Tue, 2008-01-29 at 22:34 -0500, Aubrey Wells wrote:
> It's been a while since I researched it, but I think there was
> something about the way netfilter_conntrack tracks the NAT sessions
> that prevents the hairpin nat from working. I never figured out a way
> around it and no one on google was helpful either.
>
> The usual solution is to put a dns entry in your internal dns server
> to point the domain name to the internal ip of the web site.
>
> ------------------
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
>
> On Jan 29, 2008, at 10:21 PM, Nathan McBride wrote:
>
> > Can't I do another nat rule?
> >
> > On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
> >> It sounds like you're a victim of hairpin natting. Very frustrating.
> >> Iptables doesn't do it (that I know of.) I first encountered this on a
> >> PIX firewall years ago and thought it was an absurd limitation (then I
> >> found out my beloved linux couldn't do it either and was crushed).
> >> Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
> >> do it.
> >>
> >> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
> >>
> >>> John just told me he can get to the page too.
> >>> From inside the LAN I am going to a browser and typing
> >>> www.nombyte.com. And it doesn't work?
> >>>
> >>> Nate
> >>>
> >>> On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
> >>>> *shrug* same here
> >>>>
> >>>> Are you trying to hit the natted address from inside the LAN that is
> >>>> being natted to? Hairpin NAT doesn't work in iptables...
> >>>>
> >>>> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
> >>>>
> >>>>> I just connected and see the Apache 2 test page running on CentOS
> >>>>>
> >>>>> John
> >>>>>
> >>>>>
> >>>>>
> >>>>> Nathan McBride wrote:
> >>>>>> First off I appreciate help from everyone, this is a nice change to
> >>>>>> some mailing lists I'm used to. Unfortunately, I am still having the
> >>>>>> same problem. I'm giving out real information, probably shouldn't,
> >>>>>> but that's how frustrated I am. I just get an unable to connect
> >>>>>> error. The firewalls are fine I promise. I can see the page on
> >>>>>> 192.168.0.105 from inside the LAN, and I can see and use the webgui
> >>>>>> of the router just fine. Although I did disable it of course since I
> >>>>>> want the port forwarded. In the ssh example sent to me which is
> >>>>>> below, I notice that the addresses are just numbers where mine have
> >>>>>> "" around them. Does this matter? Can anyone please give any
> >>>>>> suggestions?
> >>>>>>
> >>>>>> Thanks a lot,
> >>>>>> Nate
> >>>>>>
> >>>>>> My domain is:
> >>>>>> www.nombyte.com
> >>>>>>
> >>>>>> The IP is:
> >>>>>> 71.62.193.105
> >>>>>>
> >>>>>> Full Nat is:
> >>>>>>
> >>>>>> nat {
> >>>>>>     rule 1 {
> >>>>>>         type: "destination"
> >>>>>>         inbound-interface: "eth0"
> >>>>>>         protocols: "tcp"
> >>>>>>         source {
> >>>>>>             network: "0.0.0.0/0"
> >>>>>>         }
> >>>>>>         destination {
> >>>>>>             address: "71.62.193.105"
> >>>>>>             port-name http
> >>>>>>         }
> >>>>>>         inside-address {
> >>>>>>             address: 192.168.0.105
> >>>>>>         }
> >>>>>>     }
> >>>>>>     rule 2 {
> >>>>>>         type: "masquerade"
> >>>>>>         outbound-interface: "eth0"
> >>>>>>         protocols: "all"
> >>>>>>         source {
> >>>>>>             network: "192.168.0.0/24"
> >>>>>>         }
> >>>>>>         destination {
> >>>>>>             network: "0.0.0.0/0"
> >>>>>>         }
> >>>>>>     }
> >>>>>>     rule 3 {
> >>>>>>         type: "masquerade"
> >>>>>>         outbound-interface: "eth0"
> >>>>>>         protocols: "all"
> >>>>>>         source {
> >>>>>>             network: "192.168.1.0/24"
> >>>>>>         }
> >>>>>>         destination {
> >>>>>>             network: "0.0.0.0/0"
> >>>>>>         }
> >>>>>>     }
> >>>>>> }
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
> >>>>>>> Here's what I use to port-forward ssh; just adjust for address (where
> >>>>>>> destination address is the public IP) and change it to http.
> >>>>>>>
> >>>>>>> rule 2 {
> >>>>>>>     type: "destination"
> >>>>>>>     inbound-interface: "eth0"
> >>>>>>>     protocols: "tcp"
> >>>>>>>     source {
> >>>>>>>         network: 0.0.0.0/0
> >>>>>>>     }
> >>>>>>>     destination {
> >>>>>>>         address: 1.2.3.4
> >>>>>>>         port-name ssh
> >>>>>>>     }
> >>>>>>>     inside-address {
> >>>>>>>         address: 10.0.0.30
> >>>>>>>     }
> >>>>>>> }
> >>>>>>>
> >>>>>>> Best,
> >>>>>>> Justin
> >>>>>>>
> >>>>>>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
> >>>>>>>> Can someone please help me get this worked out?
> >>>>>>>> Nate
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>> Ok these are my nat rules now, I didn't see a command to change
> >>>>>>>>> the rule numbers so I just redid them all by hand. It still
> >>>>>>>>> doesn't work.
> >>>>>>>>>
> >>>>>>>>> rule 1 {
> >>>>>>>>>     type: "destination"
> >>>>>>>>>     inbound-interface: "eth0"
> >>>>>>>>>     protocols: "tcp"
> >>>>>>>>>     destination {
> >>>>>>>>>         address: "71.62.193.105"
> >>>>>>>>>         port-name http
> >>>>>>>>>     }
> >>>>>>>>>     inside-address {
> >>>>>>>>>         address: 192.168.0.105
> >>>>>>>>>     }
> >>>>>>>>> }
> >>>>>>>>> rule 2 {
> >>>>>>>>>     type: "masquerade"
> >>>>>>>>>     outbound-interface: "eth0"
> >>>>>>>>>     protocols: "all"
> >>>>>>>>>     source {
> >>>>>>>>>         network: "192.168.0.0/24"
> >>>>>>>>>     }
> >>>>>>>>>     destination {
> >>>>>>>>>         network: "0.0.0.0/0"
> >>>>>>>>>     }
> >>>>>>>>> }
> >>>>>>>>> rule 3 {
> >>>>>>>>>     type: "masquerade"
> >>>>>>>>>     outbound-interface: "eth0"
> >>>>>>>>>     protocols: "all"
> >>>>>>>>>     source {
> >>>>>>>>>         network: "192.168.1.0/24"
> >>>>>>>>>     }
> >>>>>>>>>     destination {
> >>>>>>>>>         network: "0.0.0.0/0"
> >>>>>>>>>     }
> >>>>>>>>> }
> >>>>>>>>>
> >>>>>>>>> Nate
> >>>>>>>>>
> >>>>>>>>> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
> >>>>>>>>>> Hi Nate,
> >>>>>>>>>>
> >>>>>>>>>> The "inside-address" is the internal (private) IP address of
> >>>>>>>>>> your Web server, which in your case is 192.168.0.105. The
> >>>>>>>>>> "destination address" should actually be the public IP address
> >>>>>>>>>> that outside clients will use to access your server, so usually
> >>>>>>>>>> this is the public IP address of your router.
> >>>>>>>>>>
> >>>>>>>>>> An-Cheng
> >>>>>>>>>>
> >>>>>>>>>> Nathan McBride wrote:
> >>>>>>>>>>> I went and looked at the old docs. I thought I set them up
> >>>>>>>>>>> correctly but apparently I didn't. All I'm trying to do is to
> >>>>>>>>>>> get people on the internet to view the website on my comp
> >>>>>>>>>>> (192.168.0.105). The only difference that I noticed when I tried
> >>>>>>>>>>> to commit the example in the old docs was that vc3 requires an
> >>>>>>>>>>> 'inside-address'. Could someone please help me correct this to
> >>>>>>>>>>> get it working?
> >>>>>>>>>>>
> >>>>>>>>>>> rule 3 {
> >>>>>>>>>>>     type: "destination"
> >>>>>>>>>>>     inbound-interface: "eth0"
> >>>>>>>>>>>     protocols: "tcp"
> >>>>>>>>>>>     destination {
> >>>>>>>>>>>         address: "192.168.0.105"
> >>>>>>>>>>>         port-name http
> >>>>>>>>>>>     }
> >>>>>>>>>>>     inside-address {
> >>>>>>>>>>>         address: 192.168.0.105 <-- didn't know what to put here exactly...
> >>>>>>>>>>>     }
> >>>>>>>>>>> }
> >>>>>>>>>>>
> >>>>>>>>> _______________________________________________
> >>>>>>>>> Vyatta-users mailing list
> >>>>>>>>> [email protected]
> >>>>>>>>> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> >>>>>>>>
> >>>>>>
> >>>>
> >>>
> >>
> >
>
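The thread turns on three points: the destination-NAT rule must carry the public IP as `destination address` and the private server IP as `inside-address` (An-Cheng's correction of Nate's first rule), a LAN client that connects to the public IP gets no usable reply (the hairpin case Aubrey describes), and an internal DNS entry avoids NAT altogether. The script below is an added example written for this page; it is not Vyatta's configuration parser and not code from anyone in the thread. `parse_block` is a small parser for the brace syntax shown in the quoted configs (it accepts quoted and unquoted values alike, since the thread asks whether the quotes matter), `check_destination_rules` encodes An-Cheng's advice as a lint, and `hairpin_trace` models only the same-subnet situation Nate describes: client and web server both on 192.168.0.0/24. The sample config and the client address 192.168.0.50 are constructed for the example.

```python
"""Added example (not Vyatta's code): parse a Vyatta-style nat block, check the
destination-NAT rule the way An-Cheng's advice reads, and trace why a LAN
client that connects to the public address gets no usable reply (the hairpin
case) while an internal DNS entry sidesteps NAT entirely."""
import ipaddress

# Constructed sample in the shape of Nate's final config, using the thread's
# addresses.  This parser accepts quoted and unquoted values alike.
SAMPLE_NAT = """
nat {
    rule 1 {
        type: "destination"
        inbound-interface: "eth0"
        protocols: "tcp"
        destination {
            address: "71.62.193.105"
            port-name http
        }
        inside-address {
            address: 192.168.0.105
        }
    }
    rule 2 {
        type: "masquerade"
        outbound-interface: "eth0"
    }
}
"""


def parse_block(text):
    """``name {`` opens a nested dict, ``}`` closes it, ``key: value`` and
    ``key value`` become leaf entries with surrounding quotes stripped."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        else:
            key, _, value = line.partition(":" if ":" in line else " ")
            stack[-1][key.strip()] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def check_destination_rules(config):
    """(rule, problem) pairs for destination-NAT rules whose addresses are the
    wrong way round: outside address public, inside-address private."""
    problems = []
    for name, rule in config.get("nat", {}).items():
        if not isinstance(rule, dict) or rule.get("type") != "destination":
            continue  # masquerade rules are not checked here
        outside = rule.get("destination", {}).get("address")
        inside = rule.get("inside-address", {}).get("address")
        if outside is None or inside is None:
            problems.append((name, "needs both a destination address and an inside-address"))
            continue
        if ipaddress.ip_address(outside).is_private:
            problems.append((name, f"destination address {outside} is private; use the public IP"))
        if not ipaddress.ip_address(inside).is_private:
            problems.append((name, f"inside-address {inside} is not a private address"))
    return problems


def hairpin_trace(config, rule_name, client_ip, lan_net, internal_dns=False):
    """Same-LAN client and server.  DNAT rewrites only the destination, so the
    server answers the client directly over the LAN and the reply never comes
    back through the router: the client waits on the public IP but hears from
    the private one.  With an internal DNS answer no NAT is involved at all."""
    rule = config["nat"][rule_name]
    public = ipaddress.ip_address(rule["destination"]["address"])
    inside = ipaddress.ip_address(rule["inside-address"]["address"])
    client, lan = ipaddress.ip_address(client_ip), ipaddress.ip_network(lan_net)
    if client not in lan or inside not in lan:
        raise ValueError("only the same-subnet case from the thread is modelled")
    target = inside if internal_dns else public  # what DNS told the client
    if internal_dns:
        path = [f"client -> server on the LAN (dst {inside})"]
    else:
        path = [f"client -> router (dst {public})",
                f"router DNAT: dst -> {inside}, src stays {client}",
                "router -> server"]
    # Either way the reply is addressed to a LAN host, so it goes straight
    # back over the LAN with the server's private IP as source.
    path.append(f"server -> client on the LAN (src {inside})")
    return {"expected_reply_from": str(target), "actual_reply_from": str(inside),
            "connection_succeeds": target == inside, "path": path}


if __name__ == "__main__":
    cfg = parse_block(SAMPLE_NAT)
    print("rule problems:", check_destination_rules(cfg) or "none")
    for dns in (False, True):
        t = hairpin_trace(cfg, "rule 1", "192.168.0.50", "192.168.0.0/24", dns)
        print("internal DNS:" if dns else "public DNS:", "works" if t["connection_succeeds"] else "fails")
```

Running it against Nate's first attempt (destination address 192.168.0.105) reports rule 1 as misconfigured, and the trace with `internal_dns=False` fails because the client expects a reply from 71.62.193.105 but receives one from 192.168.0.105; with `internal_dns=True` the client talks to 192.168.0.105 directly, which is the workaround the thread settles on.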