Subject: Re: inside-in redirects
To: None <netbsd-users@netbsd.org>
From: Daniel Cox <dc@microbits.com.au>
List: netbsd-users
Date: 07/02/2003 07:34:40
redirect on the internal NIC to a local port eg. 7000

rdr le0 209.162.215.114 port 80 -> 127.0.0.1 port 7000 tcp

there is a simple program called bounce, set up to listen on 7000 and bounce to 10.0.0.6 on port 80

you can safely run multiple instances of bounce for different ports - note that a new process is created for each connection

rinetd is much better with logging - it has a config file and runs one process for all ports and connections

split dns is very easy with tinydns


>>> Manuel Bouyer <bouyer@antioche.eu.org> 07/02/03 06:02 AM >>>
On Mon, Jun 30, 2003 at 01:45:09PM -0700, Aaron J. Grier wrote:
> this is somewhat related to Caloro's setup.  I have a NetBSD box
> providing NAT duties for my internal hosts, it looks like this:
>
> (10.0.0.0/8) <--> (10.0.0.1 on le0) NAT (publicIP on le1) <--> internet
>
> NAT is working fine, and port redirections are working from the internet
> to my internal machines.  I'd like to hit the next step: inside-in port
> redirects, IE connections to publicIP:80 need to be forwarded back into
> the internal network.  I'd like to do this to avoid split DNS for my
> public name.  right now hosts on the private network need to use private
> names to access local services.  Ideally they should be able to use
> either.
>
> the standard outside-in redirect isn't applicable in this case:
> map le1 10.0.0.0/16 -> 209.162.215.114/32 portmap tcp/udp 1025:65000
> map le1 10.0.0.0/16 -> 209.162.215.114/32
>
> rdr le1 0/0 port 80 -> 10.0.0.6 port 80 tcp
>
> I've tried adding the following, but it doesn't seem to work:
>
> rdr le0 10.0.0.0/8 port 80 -> 10.0.0.6 port 80 tcp

No, this can't work, because the reply from 10.0.0.6 to the client doesn't
get through the router, and so the reply isn't translated.
The client connected to publicip:80, and it gets replies from 10.0.0.6:80.

What I would do, in your case, is split 10.0.0.0/8 in 2 10.0.0.0/16.
Put your server on one, the clients on the others, and an alias on the
le0 interface so that the router is in both. Now all traffic between the
client and server will go through the router.

--
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 24 years of experience will always make the difference
--
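As an added illustration of the three configurations discussed in this thread (not code from the thread, from ipfilter, bounce or rinetd), the Python model below treats an ipnat-style `rdr` as a destination rewrite on the ingress interface plus a state entry that un-rewrites the reply, and then traces the reply path for the flat /8, for Manuel's split subnets, and for Daniel's redirect to a local proxy port. The client addresses, the 10.1.0.1 alias, the ephemeral port 40000, and the choice to key the `rdr` on the public address as destination are constructed assumptions for the model.

```python
"""Toy model of the inside-in ("hairpin") redirect from the thread.

Added illustration, not code from the thread or from ipfilter. A 'rdr' is
modelled as a destination rewrite on arrival plus a state entry that rewrites
the reply's source back; the scenarios differ only in which path the server's
reply takes to the client.
"""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "209.162.215.114"   # addresses and ports below are from the thread
SERVER = "10.0.0.6"
PROXY_PORT = 7000               # bounce/rinetd listener on the router
CLIENT_PORT = 40000             # constructed ephemeral port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def on_link(ip, networks):
    """True if ip is directly reachable on one of the attached networks (no router needed)."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in networks)


class Router:
    """ifaces: iface -> attached networks; addrs: the router's own addresses;
    rdr: (iface, dst, dport) -> (new_dst, new_dport), matched on arrival."""

    def __init__(self, ifaces, addrs, rdr):
        self.ifaces, self.addrs, self.rdr = ifaces, addrs, rdr
        self.state = {}   # (client, sport, new_dst, new_dport) -> (orig_dst, orig_dport)

    def ingress(self, iface, pkt):
        """Apply a matching rdr to a packet arriving on iface, else try the reverse map."""
        key = (iface, pkt.dst, pkt.dport)
        if key in self.rdr:
            new_dst, new_dport = self.rdr[key]
            self.state[(pkt.src, pkt.sport, new_dst, new_dport)] = (pkt.dst, pkt.dport)
            return replace(pkt, dst=new_dst, dport=new_dport)
        return self.untranslate(pkt)

    def untranslate(self, pkt):
        """Rewrite a reply's source back to what the client originally connected to."""
        orig = self.state.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return replace(pkt, src=orig[0], sport=orig[1]) if orig else pkt

    def deliver(self, pkt):
        """'local' if the packet is for the router itself, else the egress interface."""
        if pkt.dst in self.addrs:
            return "local"
        for iface, nets in self.ifaces.items():
            if on_link(pkt.dst, nets):
                return iface
        return "le1"   # default route: out to the internet


def connect_inside_in(client_ip, router, server_nets, proxy=False):
    """Inside client connects to PUBLIC_IP:80. Returns (source:port the client sees
    on the reply, client address the server sees). The client only accepts the
    reply if it comes from the address:port it connected to."""
    syn = router.ingress("le0", Packet(client_ip, CLIENT_PORT, PUBLIC_IP, 80))  # off-link, so via le0
    where = router.deliver(syn)
    if where == "local":
        # bounce/rinetd accepts on 127.0.0.1:7000 and opens its own TCP connection to
        # the server from the router's inside address: the server only ever talks to
        # the router, so its reply cannot bypass it. The reverse map then restores
        # PUBLIC_IP:80 as the proxy's answer leaves le0.
        assert proxy and (syn.dst, syn.dport) == ("127.0.0.1", PROXY_PORT)
        reply = router.untranslate(Packet(syn.dst, syn.dport, client_ip, CLIENT_PORT))
        return (reply.src, reply.sport), "10.0.0.1"
    assert where == "le0" and syn.dst == SERVER
    reply = Packet(SERVER, 80, client_ip, CLIENT_PORT)
    if not on_link(client_ip, server_nets):
        reply = router.ingress("le0", reply)   # only now does the router see the reply
    return (reply.src, reply.sport), client_ip


def build(inside_nets, addrs, rdr):
    return Router({"le0": inside_nets, "le1": [PUBLIC_IP + "/32"]},
                  addrs | {PUBLIC_IP, "127.0.0.1"}, rdr)


def scenario_flat():
    """One 10.0.0.0/8 and a rdr on le0 straight to the server: the reply skips the router."""
    r = build(["10.0.0.0/8"], {"10.0.0.1"}, {("le0", PUBLIC_IP, 80): (SERVER, 80)})
    return connect_inside_in("10.0.0.5", r, ["10.0.0.0/8"])


def scenario_split():
    """Manuel's fix: server in 10.0.0.0/16, clients in 10.1.0.0/16, router aliased into both."""
    r = build(["10.0.0.0/16", "10.1.0.0/16"], {"10.0.0.1", "10.1.0.1"},
              {("le0", PUBLIC_IP, 80): (SERVER, 80)})
    return connect_inside_in("10.1.0.5", r, ["10.0.0.0/16"])


def scenario_proxy():
    """Daniel's fix: rdr to a local port and let bounce/rinetd relay to the server."""
    r = build(["10.0.0.0/8"], {"10.0.0.1"}, {("le0", PUBLIC_IP, 80): ("127.0.0.1", PROXY_PORT)})
    return connect_inside_in("10.0.0.5", r, ["10.0.0.0/8"], proxy=True)


if __name__ == "__main__":
    for name, run in [("flat", scenario_flat), ("split", scenario_split), ("proxy", scenario_proxy)]:
        seen, server_sees = run()
        print(f"{name:5s}: reply from {seen}, accepted={seen == (PUBLIC_IP, 80)}, "
              f"server sees client as {server_sees}")
```

The flat case reproduces Manuel's explanation: the SYN is rewritten, but the server answers the client directly on the shared link, so the client sees a reply from 10.0.0.6:80 and not from the address it connected to. The split and proxy cases both succeed, with one difference worth noting for anyone reading the server's logs: behind a bounce/rinetd relay the server sees every inside connection as coming from the router's own address, which is why the relay's own logging (rinetd's point in Daniel's reply) is what preserves the client identity.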