On Sun, Feb 2, 2014 at 10:45 AM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:
> Hello,
>
> Scott Mayo wrote:
>> On Mon, Jan 27, 2014 at 2:48 PM, Ray Soucy <rps@xxxxxxxxx> wrote:
>>> The term you're looking for is "NAT reflection" or "hairpin NAT".
>>>
>>> If you're not running split DNS, then trying to reach a system via its
>>> "outside" IP from an internal system will present a problem because
>>> the source IP of the request is seen as on-link by the server, so the
>>> server responds directly from an unexpected source IP and the
>>> requesting host drops the request.
>>>
>>> You can get around this issue by NATing the return traffic when it's to
>>> and from the internal network.
>>>
>>> Assuming that your inside interface is eth1, and your inside IP
>>> network is 192.168.0.0/23:
>>>
>>> iptables -t nat -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 -j MASQUERADE
>
> Instead of masquerading I would suggest 1:1 mapping the source addresses
> to a different (unused) private subnet, so that the source address seen
> by the final server can be mapped back to the real source address.
>
> E.g.:
> iptables -t nat -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 \
>     -j NETMAP --to 192.168.8.0/23

Assuming 0.1 is the gateway, how about adding to its firewall rules something like

iptables -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/24 -j SNAT --to-source 192.168.0.1

(Adjust as needed)

>> That did not seem to work either. Getting the same results. Thanks.
>
> Also make sure that "reflected" packets from eth1 to eth1 (replace with
> the real internal interface name) in the FORWARD chain are ACCEPTed.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
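The thread above hands out the pieces of a hairpin-NAT setup one rule at a time (the DNAT on the public address, the source rewrite on the way back out the LAN interface, and the eth1-to-eth1 FORWARD accept). What follows is an added example that assembles them into one ruleset; it is not code from the thread or from any of its participants. Every name and address in it is an assumption: WAN on eth0 with public address 203.0.113.10, LAN on eth1 with 192.168.0.0/23 and the gateway at 192.168.0.1, an internal web server at 192.168.0.2 on port 80, and 192.168.8.0/23 as the unused subnet for NETMAP. The script runs as a dry run by default, printing the iptables commands it would issue; run it as root with `IPTABLES=iptables` to apply them.

```shell
#!/bin/sh
# Added example, not from the netfilter thread: a complete hairpin-NAT
# ruleset. All interface names, addresses and ports below are assumptions
# and can be overridden from the environment. Default is a dry run that
# prints the commands; IPTABLES=iptables (as root) applies them.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/23}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}
SERVER_IP=${SERVER_IP:-192.168.0.2}
SERVER_PORT=${SERVER_PORT:-80}
NETMAP_NET=${NETMAP_NET:-192.168.8.0/23}
IPTABLES=${IPTABLES:-"echo iptables"}

# Source-rewrite rule for reflected connections, printed as iptables
# arguments. "masquerade" hides every internal client behind the gateway's
# LAN address, so the server's logs only ever show the gateway.
# "netmap" maps each client 1:1 into NETMAP_NET, so 192.168.0.37 shows up
# as 192.168.8.37 and can be mapped back to the real client.
hairpin_snat_rule() {
    case "$1" in
        masquerade)
            printf '%s\n' "-t nat -A POSTROUTING -s $LAN_NET -d $SERVER_IP -o $LAN_IF -p tcp --dport $SERVER_PORT -j MASQUERADE" ;;
        netmap)
            printf '%s\n' "-t nat -A POSTROUTING -s $LAN_NET -d $LAN_NET -o $LAN_IF -j NETMAP --to $NETMAP_NET" ;;
        *)
            printf 'hairpin_snat_rule: unknown mode %s\n' "$1" >&2
            return 1 ;;
    esac
}

# Emit (or apply) the whole ruleset for the chosen source-rewrite mode.
# Assumes net.ipv4.ip_forward=1 and a FORWARD policy of DROP set elsewhere.
hairpin_nat_rules() {
    mode=${1:-netmap}
    snat=$(hairpin_snat_rule "$mode") || return 1

    # 1. Port forward on the public address. Deliberately no "-i $WAN_IF":
    #    requests from LAN hosts to the public IP also arrive here (the
    #    gateway is their default route) and must be DNATed the same way.
    $IPTABLES -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport "$SERVER_PORT" \
        -j DNAT --to-destination "$SERVER_IP:$SERVER_PORT"

    # 2. Rewrite the source of reflected connections. Without this the
    #    server sees an on-link client address and answers it directly,
    #    from its real IP, and the client drops the reply as unexpected.
    #    With it the reply returns to the gateway, where conntrack undoes
    #    both the DNAT and the source rewrite before handing it back.
    $IPTABLES $snat

    # 3. Ordinary masquerading for LAN-to-internet traffic.
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # 4. FORWARD must accept the reflected flow, which enters and leaves on
    #    the LAN interface, as well as the real inbound flow and replies.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$SERVER_IP" -p tcp --dport "$SERVER_PORT" -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$SERVER_IP" -p tcp --dport "$SERVER_PORT" -j ACCEPT
}

hairpin_nat_rules "${1:-netmap}"
```

Two points worth checking on a box where this does not work: the DNAT rule must not be restricted to the WAN interface, and the LAN-to-LAN FORWARD rule must come before any rule that drops traffic entering and leaving on the same interface. The choice between the two modes is an audit question: MASQUERADE makes every reflected connection look like it came from the gateway, while NETMAP keeps the client distinguishable in the server's logs at the cost of reserving a second private subnet.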