Hello!

Is it possible to make a double NAT port forward?

Topology:

SOME INTERNET MACHINE
  1.1.1.1 (real public IP)
        V
OUTER_GW
  eth0: 2.2.2.228/27 (real public IP)
  eth1: 192.168.1.1/24
        V
INNER_GW
  eth0: 192.168.1.2/24
  eth1: 2.2.2.225/27 (fake public IP)
        V
HOST
  eth0: 2.2.2.249/27 (fake public IP)

I'm trying to set up a simulated "real" environment for testing my webserver. I plan to remote desktop into that subnet through double port forwards and see how the server behaves.

While OUTER_GW forwards port 222 to INNER_GW just fine, INNER_GW sees the SYN packet the OUTER_GW has passed it but doesn't forward it to HOST:

root@pm-inner-gw:~# tshark -Nm -i eth0 host ! 192.168.1.1
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 1.1.1.1 -> 192.168.1.2 TCP 1271 > 222 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
  0.439790 192.168.1.2 -> 1.1.1.1 ICMP Destination unreachable (Host unreachable)
  0.440287 192.168.1.2 -> 1.1.1.1 ICMP Destination unreachable (Host unreachable)
  2.964403 1.1.1.1 -> 192.168.1.2 TCP 1271 > 222 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
  5.969749 192.168.1.2 -> 1.1.1.1 ICMP Destination unreachable (Host unreachable)

Is there some sort of "security feature" in the kernel that doesn't allow packets to be forwarded from IANA's "private IP" to a "public IP"?

TIA,
Henno Täht