[Firewall] NAT access from the LAN

Lonnie Abelbeck lists at lonnie.abelbeck.com
Tue May 14 15:28:11 CEST 2013


Hi Emmanuel,

Starting with AIF 2.0.1d, the nat-loopback plugin, when enabled, should do what you want.  The default nat-loopback.conf values should be a good start.

Lonnie


On May 14, 2013, at 6:12 AM, Emmanuel Revah wrote:

> Hello,
> 
> 
> I've set up a server with a single public IP that hosts virtual machines using LAN IPs which host services such as HTTP.
> 
> 
> From the outside, NAT works, I can access the various services. The issue is with the VMs on the LAN: while they can ping the public IP and access its SSH port (opened via OPEN_TCP), they cannot access anything NATted (NAT_FORWARD_TCP) like the services hosted by the other machines unless they use their LAN IPs.
> 
> 
> At some point, before fiddling with some settings I suppose, I had this in the logs (trimmed). I've not managed to get any more of these logs:
> -----------------------------------
> May 14 11:42:33 host kernel: [32820839.481862] AIF:LAN-INPUT denied: IN=virbr1 OUT= PHYSIN=vnet2 MAC=fe:.. SRC=10.0.0.2 DST=1.2.3.4 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=35420 DF PROTO=TCP SPT=44555 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> -----------------------------------
> 
> 
> If anyone has any ideas to share it could make my day.
> 
> 
> 
> -- 
> Emmanuel Revah
> http://manurevah.com
> 
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
> 
> 

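What the quoted log line shows is the classic hairpin (NAT loopback) failure: the SYN from 10.0.0.2 to 1.2.3.4:80 arrives on virbr1, no DNAT rule matches a LAN source, so the packet is delivered to the firewall's own INPUT chain (AIF:LAN-INPUT) where port 80 is not open, instead of being forwarded to the VM. The script below is an added illustration of the three iptables rules a NAT-loopback setup needs; it is hand-written for this page and is not AIF's nat-loopback plugin code. The public IP, LAN interface, LAN subnet and the VM address 10.0.0.10 are assumptions chosen to match the values in the log line; the rules are emitted as text so they can be inspected first, and an existing ESTABLISHED,RELATED accept rule in FORWARD is assumed to already be in place.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) rule generator, added example; not AIF's own plugin.
# Assumed topology (hypothetical, matching the quoted log line):
#   public IP 1.2.3.4 on the external interface, LAN 10.0.0.0/24 on virbr1,
#   VM 10.0.0.10 hosting HTTP on tcp/80.
PUB_IP="1.2.3.4"
LAN_IF="virbr1"
LAN_NET="10.0.0.0/24"

# hairpin_rules PROTO PORT DST_IP
# Prints the iptables commands that let a LAN host reach $PUB_IP:PORT and
# land on DST_IP:PORT, with the reply routed back through the firewall.
hairpin_rules() {
    proto=$1
    port=$2
    dst_ip=$3

    # 1. PREROUTING: rewrite the destination for LAN-originated packets aimed at the
    #    public IP. Without this the packet is a local delivery and ends up in INPUT,
    #    which is exactly the AIF:LAN-INPUT denial seen in the log.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$LAN_IF" "$LAN_NET" "$PUB_IP" "$proto" "$port" "$dst_ip" "$port"

    # 2. FORWARD: after DNAT the packet is forwarded, in and out on the same LAN
    #    interface, so it needs an explicit accept there (INPUT never sees it).
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$LAN_IF" "$LAN_IF" "$LAN_NET" "$dst_ip" "$proto" "$port"

    # 3. POSTROUTING: masquerade the source so the VM replies to the firewall.
    #    Without this the VM answers the LAN client directly from its LAN address,
    #    the client sees a reply from an IP it never contacted, and the TCP
    #    handshake fails with a RST.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p %s --dport %s -j MASQUERADE\n' \
        "$LAN_IF" "$LAN_NET" "$dst_ip" "$proto" "$port"
}

# rule_count PROTO PORT DST_IP: number of iptables commands generated (3 per service).
rule_count() {
    hairpin_rules "$@" | grep -c '^iptables '
}

# Review first, then apply as root with:  hairpin_rules tcp 80 10.0.0.10 | sh
hairpin_rules tcp 80 10.0.0.10
```

Scoping the rules to the LAN subnet, the public IP and a single port keeps the hairpin from turning the firewall into an open NAT for any address; the MASQUERADE in step 3 is the part people most often leave out, and its absence shows up as connections that time out rather than as a log entry.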