[Firewall] NAT access from the LAN

Emmanuel Revah stsil at manurevah.com
Tue May 14 13:12:03 CEST 2013


I've set up a server with a single public IP that hosts virtual machines 
using LAN IPs which host services such as HTTP.

From the outside, NAT works, I can access the various services. The 
issue is with the VMs on the LAN, while they can ping the public IP and 
access its SSH port (opened via OPEN_TCP), they cannot access anything 
NATted (NAT_FORWARD_TCP) like the services hosted by the other machines 
unless they use their LAN IPs.

At some point, before fiddling with some settings I suppose, I had this 
in the logs (trimmed). I've not managed to get any more of these logs:
May 14 11:42:33 host kernel: [32820839.481862] AIF:LAN-INPUT denied: 
IN=virbr1 OUT= PHYSIN=vnet2 MAC=fe:.. SRC= DST= LEN=60 
TOS=0x08 PREC=0x00 TTL=64 ID=35420 DF PROTO=TCP SPT=44555 DPT=80 

If anyone has any ideas to share it could make my day.

Emmanuel Revah
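The symptom described above (port forwards work from the Internet but not from the LAN, and a LAN packet to the public IP logged as denied in the INPUT chain on virbr1 rather than being forwarded) is consistent with the DNAT rule only matching packets arriving on the external interface. The script below is an added example, not part of the original post and not Arno's Iptables Firewall's own configuration or code: it shows the extra "hairpin NAT" rules that let LAN clients reach a forwarded service through the public IP. All interface names, addresses and the port are assumptions (the public IP is a constructed TEST-NET address), and by default the commands are only printed, not applied.

```shell
#!/bin/sh
# Added example: hairpin (reflected) NAT for a forwarded TCP service.
# Every value below is an assumption; override via the environment.
WAN_IF="${WAN_IF:-eth0}"                 # external interface (assumed)
LAN_IF="${LAN_IF:-virbr1}"               # bridge the VMs sit on (from the log line)
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # constructed public IP (TEST-NET-3)
LAN_NET="${LAN_NET:-192.168.122.0/24}"   # assumed VM subnet
LAN_GW="${LAN_GW:-192.168.122.1}"        # host's own address on the bridge (assumed)
VM_IP="${VM_IP:-192.168.122.20}"         # VM that hosts the HTTP service (assumed)
PORT="${PORT:-80}"

# Dry run by default: print the iptables commands instead of applying them.
# Set IPT=iptables (as root) to actually install the rules.
IPT="${IPT:-echo iptables}"

# The forward that already works for external clients: only packets
# arriving on WAN_IF are rewritten, so LAN clients never match it and
# their packets end up in INPUT on the host, where port 80 is not open.
external_dnat() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$VM_IP:$PORT"
}

# The three pieces the LAN path needs:
#  1) DNAT LAN traffic aimed at the public IP to the VM as well;
#  2) SNAT those connections to the host's LAN address, so the VM's replies
#     travel back through the host (where conntrack can un-NAT them) instead
#     of going straight to the client, which would then drop them;
#  3) permit the forwarded LAN-to-LAN flow in the FORWARD chain.
hairpin_rules() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUBLIC_IP" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$VM_IP:$PORT"
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$VM_IP" \
        -p tcp --dport "$PORT" -j SNAT --to-source "$LAN_GW"
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$VM_IP" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$VM_IP" -p tcp --sport "$PORT" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Number of iptables commands the hairpin set emits (handy for a quick check).
count_hairpin_rules() {
    hairpin_rules | grep -c iptables
}

external_dnat
hairpin_rules
```

Running the script as-is prints the five commands so they can be reviewed before anything is applied; the SNAT step is the one most often forgotten, and without it the VM answers the client directly with its LAN address as source, so the client discards the reply and the connection hangs. The same effect can also be had without hairpin NAT by resolving the service name to the VM's LAN address for internal clients (split-horizon DNS), which is effectively what "unless they use their LAN IPs" already does by hand.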

