Hello,

Henno Täht wrote:
>
> Is it possible to make double nat port forward?

Sure it is.

> SOME INTERNET MACHINE
> 1.1.1.1 (real public IP)
>
> V
>
> OUTER_GW
> eth0: 2.2.2.228/27 (real public IP)
> eth1: 192.168.1.1/24
>
> V
>
> INNER_GW
> eth0: 192.168.1.2/24
> eth1: 2.2.2.225/27 (fake public IP)
>
> V
>
> HOST
> eth0: 2.2.2.249/27 (fake public IP)

Consider using addresses in the special range 192.0.2.0/24 reserved for
examples and documentation instead of random addresses that are not
allocated to you. See RFC 3330.

> While OUTER_GW forwards port 222 to INNER_GW just fine, INNER_GW sees
> the SYN packet the OUTER_GW has passed it but doesn't forward it to
> HOST:
>
> root@pm-inner-gw:~# tshark -Nm -i eth0 host ! 192.168.1.1
> Running as user "root" and group "root". This could be dangerous.
> Capturing on eth0
> 0.000000 1.1.1.1 -> 192.168.1.2 TCP 1271 > 222 [SYN] Seq=0
> Win=65535 Len=0 MSS=1460
> 0.439790 192.168.1.2 -> 1.1.1.1 ICMP Destination unreachable (Host
> unreachable)

ICMP host unreachable usually indicates an ARP failure for the next hop
address. What happens on INNER_GW's eth1 and HOST's eth0 (IP or ARP)?

> Is there some sort of "security feature" in the kernel that doesn't
> allow packets to be forwarded from IANA's "private IP" to a "public
> IP"?

Not AFAIK.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
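The double DNAT chain discussed in this thread, written out as an added example (not code posted by either participant). It assumes the same three-hop topology, but uses RFC 5737 documentation prefixes as the reply recommends: 192.0.2.0/24 for the real public side, 192.168.1.0/24 for the transit link and 198.51.100.0/24 for the "fake public" side; the interface names and the hosts' addresses (192.0.2.228, 192.168.1.2, 198.51.100.249) are constructed. The point it shows is that the second DNAT on INNER_GW must match the already-rewritten destination 192.168.1.2, not the original public address, and the `inner_gw_diagnose` function lists the read-only checks for the "Host unreachable" symptom (forwarding sysctl, route, and ARP neighbour entry for HOST on eth1). Nothing is applied unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: double DNAT port forward across two Linux gateways.
# Addresses are constructed from the RFC 5737 documentation ranges and are
# assumptions, not the original poster's real addresses:
#   real public side  : 192.0.2.0/24    (OUTER_GW eth0 = 192.0.2.228)
#   transit link      : 192.168.1.0/24  (OUTER_GW eth1 = .1, INNER_GW eth0 = .2)
#   "fake public" side: 198.51.100.0/24 (INNER_GW eth1 = .225, HOST eth0 = .249)
# Usage: ROLE=outer ./double-nat.sh           (print OUTER_GW rules)
#        ROLE=inner APPLY=1 ./double-nat.sh   (install INNER_GW rules)

OUTER_PUBLIC=192.0.2.228
INNER_TRANSIT=192.168.1.2
HOST_FAKE=198.51.100.249
PORT=222

# OUTER_GW: rewrite the public destination to INNER_GW's transit address and
# let only that new connection plus reply traffic through FORWARD.
outer_gw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i eth0 -d $OUTER_PUBLIC -p tcp --dport $PORT -j DNAT --to-destination $INNER_TRANSIT:$PORT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -d $INNER_TRANSIT -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# INNER_GW: the SYN arrives addressed to 192.168.1.2 (as the quoted capture
# shows), so the second DNAT matches that address and rewrites it to HOST.
inner_gw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i eth0 -d $INNER_TRANSIT -p tcp --dport $PORT -j DNAT --to-destination $HOST_FAKE:$PORT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -d $HOST_FAKE -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Read-only checks for the "ICMP host unreachable" symptom on INNER_GW:
# forwarding enabled, a route to HOST via eth1, and an ARP entry for HOST.
inner_gw_diagnose() {
    cat <<EOF
sysctl net.ipv4.ip_forward
ip route get $HOST_FAKE
ip neigh show $HOST_FAKE
tcpdump -ni eth1 arp or host $HOST_FAKE
EOF
}

# Number of iptables rules a generator emits (used for self-checking).
rule_count() { "$1" | grep -c '^iptables'; }

case "${ROLE:-}" in
    outer) rules=outer_gw_rules ;;
    inner) rules=inner_gw_rules ;;
    *)     rules= ;;
esac

if [ -n "$rules" ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        "$rules" | sh -e   # install on this gateway (needs root)
    else
        "$rules"           # review only
    fi
fi
```

The return path needs no SNAT as long as HOST's default route points at INNER_GW's eth1 and INNER_GW's at OUTER_GW, since conntrack undoes each DNAT on the reply; if HOST could reach the internet by another path, an additional SNAT on INNER_GW would be required to keep the flow symmetric. The FORWARD rules accept only the forwarded port as NEW, so the DNAT does not implicitly expose anything else behind either gateway.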