* access problem
@ 2009-03-16 19:41 Leonardo Carneiro
  0 siblings, 0 replies; 4+ messages in thread
From: Leonardo Carneiro @ 2009-03-16 19:41 UTC (permalink / raw)
  To: netfilter

Hi everyone.

I'm new to the list and hope to have a nice time here.
First of all, sorry about my poor English, I'm from Brazil.

I've got a standard scenario with a private network (192.168.1.0/24)
being NATed by an internet server (192.168.1.1) running iptables 1.3.0.

In the private network I have an application server (192.168.1.2) running
a service on port 5222. The port is properly forwarded on the internet
server, and users across the internet can access the service through the
public IP of the internet server.

Users on the private network can access the service through the private
IP of the server, but cannot access it using the public IP. Accessing using
the public IP would be very useful, since lots of users have notebooks
and they access the service inside and outside the private network.

These are the interface details and the rules forwarding the port to the
application server:
eth0: public IP
eth1: private network, 192.168.1.1

iptables -A PREROUTING -p tcp -m tcp -d [private_ip] -i eth0 --dport 5222 -j DNAT --to-destination 192.168.1.2
iptables -A FORWARD -p tcp -m tcp -d 192.168.1.2 -i eth0 -o eth1 --dport 5222 -j ACCEPT

I've done some tests, adding some rules like

iptables -A PREROUTING -p tcp -m tcp -d [private_ip] -i eth1 --dport 5222 -j DNAT --to-destination 192.168.1.2
iptables -A FORWARD -p tcp -m tcp -d 192.168.1.2 -i eth0 -o eth1 --dport 5222 -j ACCEPT

or just

iptables -A PREROUTING -p tcp -m tcp -d [private_ip] -i eth1 --dport 5222 -j DNAT --to-destination 192.168.1.2

but I just cannot connect using the public IP =S

Sometimes the server answers the request, but using the private IP, not
the public IP requested by the host, and sometimes the server just does not
answer the request.

Any ideas how I can solve this?

tks in advance.



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: access problem
  2009-03-18 11:26 ` Brian Austin - Standard Universal
@ 2009-05-26 13:20   ` Leonardo Carneiro
  0 siblings, 0 replies; 4+ messages in thread
From: Leonardo Carneiro @ 2009-05-26 13:20 UTC (permalink / raw)
  To: netfilter

Hi again everyone. Sorry for reviving an old topic, but I solved the
problem. Just did a SNAT. tks for the help anyway.

    -A POSTROUTING -p tcp -m tcp -d 192.168.1.2 --dport 5222 -j SNAT --to-source 192.168.1.1





^ permalink raw reply	[flat|nested] 4+ messages in thread
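
Why the SNAT rule in the message above makes the public IP reachable from the LAN, and what it changes for the server's view of clients, as an added example that is not part of the original thread: a small Python model of the packet path, assuming the application server's default gateway is 192.168.1.1. PUBLIC_IP and the two client addresses are constructed placeholders, and the "lan" scope (the same SNAT rule with -s 192.168.1.0/24 added) is an assumed refinement, not something posted in the thread.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
GW_LAN, SERVER = "192.168.1.1", "192.168.1.2"
PUBLIC_IP = "203.0.113.10"  # constructed placeholder for the gateway's public IP

def connect(client, snat_scope=None):
    """Trace one TCP handshake from `client` to PUBLIC_IP:5222.

    snat_scope None  : DNAT only (the rules from the first message)
    snat_scope "any" : SNAT everything sent to SERVER:5222 (rule posted in the thread)
    snat_scope "lan" : same rule plus -s 192.168.1.0/24 (assumed refinement)
    Returns (client_accepts_reply, source_address_the_server_sees).
    """
    on_lan = ipaddress.ip_address(client) in LAN
    # nat PREROUTING: destination PUBLIC_IP:5222 is rewritten to SERVER:5222.
    src = client
    # nat POSTROUTING: source is rewritten to GW_LAN when the SNAT rule matches.
    if snat_scope == "any" or (snat_scope == "lan" and on_lan):
        src = GW_LAN
    # SERVER answers `src`. A LAN address other than the gateway is reached
    # directly on the wire, so the gateway never sees the reply and conntrack
    # cannot restore PUBLIC_IP as its source address.
    bypasses_gateway = ipaddress.ip_address(src) in LAN and src != GW_LAN
    reply_src = SERVER if bypasses_gateway else PUBLIC_IP
    # The client sent its SYN to PUBLIC_IP and drops a SYN-ACK from anyone else.
    return reply_src == PUBLIC_IP, src

def compare():
    """Run a LAN client and an internet client through each rule set."""
    clients = {"lan": "192.168.1.50", "internet": "198.51.100.7"}  # constructed
    return {(scope, name): connect(ip, scope)
            for scope in (None, "any", "lan")
            for name, ip in clients.items()}

if __name__ == "__main__":
    for (scope, name), (ok, seen) in compare().items():
        print(f"snat={scope!s:4} client={name:8} works={ok!s:5} server_sees={seen}")
```

With the unscoped rule the service sees 192.168.1.1 as the source of every connection, internet clients included, so per-address logging or rate limiting on the server no longer distinguishes them. Scoping the SNAT to LAN sources keeps the fix for internal users while external addresses stay visible.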

* Re: access problem
  2009-03-17 17:23 Leonardo Carneiro
@ 2009-03-18 11:26 ` Brian Austin - Standard Universal
  2009-05-26 13:20   ` Leonardo Carneiro
  0 siblings, 1 reply; 4+ messages in thread
From: Brian Austin - Standard Universal @ 2009-03-18 11:26 UTC (permalink / raw)
  To: Leonardo Carneiro; +Cc: netfilter

spend $10.

register a domain.

use split DNS as described below.

:-)

b



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: access problem
@ 2009-03-17 17:23 Leonardo Carneiro
  2009-03-18 11:26 ` Brian Austin - Standard Universal
  0 siblings, 1 reply; 4+ messages in thread
From: Leonardo Carneiro @ 2009-03-17 17:23 UTC (permalink / raw)
  To: netfilter

Hi Paulo,

tks for the tip, I already have an internal DNS, but I don't have an
external one =/

Any other ideas?


paulobruck1 wrote:
> On Mon, 2009-03-16 at 16:41 -0300, Leonardo Carneiro wrote:
>   
>> Hi everyone.
>>     
>
> Hi Leonardo
>
>   
>> I'm new to the list and hope to have a nice time here.
>> First of all, sorry about my poor English, I'm from Brazil.
>>
>>     
> welcome...80)
>
>
>   
>> I've got a standard scenario with a private network (192.168.1.0/24)
>> being NATed by an internet server (192.168.1.1) running iptables 1.3.0.
>>
>> In the private network I have an application server (192.168.1.2) running
>> a service on port 5222. The port is properly forwarded on the internet
>> server, and users across the internet can access the service through the
>> public IP of the internet server.
>>
>> Users on the private network can access the service through the private
>> IP of the server, but cannot access it using the public IP. Accessing using
>> the public IP would be very useful, since lots of users have notebooks
>> and they access the service inside and outside the private network.
>>
>> These are the interface details and the rules forwarding the port to the
>> application server:
>> eth0: public IP
>> eth1: private network, 192.168.1.1
>>
>>     
> If you would like your internal users to use this IP, install an internal
> DNS for them, and use a DNS for your external IP too. Example:
>
> Internal DNS
> aplicationsserver  IN A 192.168.1.1
>
> External DNS
> applicationserver IN A XXX.XXX.XXX.XXX
>                  (your public IP that is redirected to 192.168.1.1)
>
>
> That's all...
>
>
> best regards	
>
>
>   
>> iptables -A PREROUTING -p tcp -m tcp -d [private_ip] -i eth0 --dport 5222 -j DNAT --to-destination 192.168.1.2
>> iptables -A FORWARD -p tcp -m tcp -d 192.168.1.2 -i eth0 -o eth1 --dport 5222 -j ACCEPT
>>
>> I've done some tests, adding some rules like
>>
>> iptables -A PREROUTING -p tcp -m tcp -d [private_ip] -i eth1 --dport 5222 -j DNAT --to-destination 192.168.1.2
>> iptables -A FORWARD -p tcp -m tcp -d 192.168.1.2 -i eth0 -o eth1 --dport 5222 -j ACCEPT
>>
>> or just
>>
>> iptables -A PREROUTING -p tcp -m tcp -d [private_ip] -i eth1 --dport 5222 -j DNAT --to-destination 192.168.1.2
>>
>> but I just cannot connect using the public IP =S
>>
>> Sometimes the server answers the request, but using the private IP, not
>> the public IP requested by the host, and sometimes the server just does not
>> answer the request.
>>
>> Any ideas how I can solve this?
>>
>> tks in advance.
>>

^ permalink raw reply	[flat|nested] 4+ messages in thread
