Hello,

Mart Frauenlob wrote:
>
> Nick Peirson wrote:
>>
>> We've got a couple of servers with external IP addresses NAT'd to internal
>> IP addresses. Unfortunately the firewall that's performing the NAT isn't
>> under our control and we have a problem where the servers can't access each
>> other via their external IPs.

This is a common problem.

>> This causes a problem when we use domain names
>> on the servers, as the DNS lookup returns the external IP address. Ideally
>> I'd like to avoid maintaining hosts files or an internal DNS server.
>>
>> I looked to solve this with an iptables rule on each of the servers as
>> follows:
>> iptables -t mangle -A PREROUTING -d 1.1.1.32/29 -j NETMAP --to 2.2.2.32/29
>>
>> where 1.1.1.32/29 is the range of external IPs and 2.2.2.32/29 is the range
>> of internal IPs.

Note: the range 192.0.2.0/24 is available and reserved for examples and documentation. Feel free to use it instead of addresses allocated to someone else.

>> I was expecting this to map the IP address from the
>> external to the internal IP. Assuming that 1.1.1.32+n maps to 2.2.2.32+n.
>> Firstly, I'm not sure if this would work at all, and if I'm heading in
>> completely the wrong direction and someone has a better solution, I'd be
>> happy to hear it.

Can't you just assign the external addresses to the servers as secondary addresses?

>> Secondly, if I've got the right idea my implementation is a little wrong.
>> When I run the command, I get "iptables: Invalid argument", which doesn't
>> provide much info, and I'm not sure how to go about debugging.
>
> wrong table, should be the nat table.

Wrong chain too. This is locally generated traffic, so the right chain is OUTPUT, not PREROUTING.

> I'd try the following:
>
> INT_NET=
> EXT_NET=
> SERVER_EXT_IP=
> SERVER_INT_IP=
>
> # select only packets with source = external server ip and destination =
> external net

Why "source = external server ip"? IIUC, the source will be the only address the server has, i.e. the internal one.

> iptables -t nat -A PREROUTING -s $SERVER_EXT_IP -d $EXT_NET -j NETMAP
> --to $INT_NET

Wrong chain, see above.

> # maybe needed that packets find the way back (over the same interface)
> iptables -t nat -A POSTROUTING -s $SERVER_EXT_IP -d $INT_NET -j SNAT
> --to-source $SERVER_INT_IP

Same question as above, how could the packet have $SERVER_EXT_IP as a source?

> Don't forget to allow the traffic in the filter table FORWARD chain.

No need to. There is no forwarding here, just direct communication between hosts in the same network.
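As an added example that is not part of the thread (neither poster wrote it): a small shell script that computes the address NETMAP would produce for a given external IP, keeping the host bits and replacing the network bits, which is exactly the "1.1.1.32+n maps to 2.2.2.32+n" behaviour the original poster expected, and that prints the rule in the nat table's OUTPUT chain as the reply recommends. It uses the documentation ranges 192.0.2.0/24 and 198.51.100.0/24; the /29 subnets and the sample address 192.0.2.35 are constructed for illustration, and the script only prints the rule rather than applying it, so it runs without iptables or root.

```shell
#!/bin/sh
# Added example: NETMAP address arithmetic plus the corrected rule.
# All addresses are from the documentation ranges; the /29s are constructed.

ip2int() {
    # Convert a dotted quad to a 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    # Convert a 32-bit integer back to a dotted quad
    printf '%d.%d.%d.%d\n' \
        $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# netmap_addr EXT_IP EXT_NET/PREFIX INT_NET/PREFIX
# NETMAP keeps the host part of the destination and replaces the network part
# with the --to network, so offset n in EXT_NET becomes offset n in INT_NET.
netmap_addr() {
    ext_ip=$1
    prefix=${2#*/}
    int_net=${3%/*}
    mask=$(( (0xffffffff << (32 - prefix)) & 0xffffffff ))
    host=$(( $(ip2int "$ext_ip") & ~mask & 0xffffffff ))
    int2ip $(( ($(ip2int "$int_net") & mask) | host ))
}

# netmap_rule EXT_NET/PREFIX INT_NET/PREFIX
# Traffic generated on the server itself traverses nat/OUTPUT, not
# nat/PREROUTING, and NETMAP is a nat-table target, not a mangle one.
netmap_rule() {
    echo "iptables -t nat -A OUTPUT -d $1 -j NETMAP --to $2"
}

# Sample run with constructed /29 ranges: external 192.0.2.32/29 is
# mapped onto internal 198.51.100.40/29, so 192.0.2.35 (offset 3)
# becomes 198.51.100.43 (offset 3).
netmap_rule 192.0.2.32/29 198.51.100.40/29
netmap_addr 192.0.2.35 192.0.2.32/29 198.51.100.40/29
```

The internal network does not have to start on the same host offset as the external one; only the prefix length must match, because the host part is copied unchanged and the rest is taken from the --to network.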