[AusNOG] Redirecting a TCP port both directions

Mark Foster blakjak at blakjak.net
Tue Apr 8 12:11:47 EST 2014


Did I miss something?


    Private IPv4 address spaces

The Internet Engineering Task Force 
<https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force> (IETF) 
has directed the Internet Assigned Numbers Authority 
<https://en.wikipedia.org/wiki/Internet_Assigned_Numbers_Authority> 
(IANA) to reserve the following IPv4 address ranges for private 
networks, as published in RFC 1918 
<https://tools.ietf.org/html/rfc1918>:^[1] 
<https://en.wikipedia.org/wiki/Private_network#cite_note-1>

RFC1918 name 	IP address range 	number of addresses 	largest CIDR 
<https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing> block 
(subnet mask) 	host id size 	mask bits 	/classful 
<https://en.wikipedia.org/wiki/Classful_network>/ description^[Note 1] 
<https://en.wikipedia.org/wiki/Private_network#cite_note-3>
24-bit block 	10.0.0.0 - 10.255.255.255 	16,777,216 	10.0.0.0/8 
(255.0.0.0) 	24 bits 	8 bits 	single class A network 
<https://en.wikipedia.org/wiki/Class_A_network>
20-bit block 	172.16.0.0 - 172.31.255.255 	1,048,576 	172.16.0.0/12 
(255.240.0.0) 	20 bits 	12 bits 	16 contiguous class B networks
16-bit block 	192.168.0.0 - 192.168.255.255 	65,536 	192.168.0.0/16 
(255.255.0.0) 	16 bits 	16 bits 	256 contiguous class C networks


.... pretty sure that 172.31.1.x IP's fit nicely within that 20-bit 
block that encompasses everything from 172.16.0.0 to 172.31.255.255...

So where you've said 'non-RFC1918' you infact mean 'RFC1918', right? So 
you're having problems with AWS routing traffic for these RFC1918 
addresses to the Internet when that's not what you want?

Mark.

On 8/04/2014 2:07 p.m., Geordie Guy wrote:
> Hi Folks,
>
> Working with a B2B partner who has exposed non-RFC1918 addresses 
> 172.31.1.2 and 172.31.1.3 through a VPN tunnel to our environment, and 
> this works fine for hitting a web service down the tunnel from our 
> local networks.  We have a development footprint in AWS that is 
> shanking at this, because an overlying abstraction layer for how AWS 
> S3 instances route means that if it sees a non-RFC1918 range it sends 
> it out to the Internet regardless of any host or other level routes 
> that are specified.  I can set route add 172.31.1.0/24 
> <http://172.31.1.0/24> via a gateway or for that matter the loopback 
> until I go blue in the face and the server will merrily continue to 
> try and find the IP on the Internet.
>
> What I need to do, other than not allow design decisions that involve 
> non RFC-1918 addresses for private networks, is redirect a TCP port 
> (443) from an IP that I *CAN* hit inside our network, to the 
> 172.31.1.0 range down the tunnel, so that 1654287.r.msn.com 
> <http://1654287.r.msn.com> stops scratching his head at the traffic 
> trying to hit him from AWS.
>
> What do I do to accomplish this?  Netcat?  And before anyone says NAT, 
> there's already been enough bad decisions made here.
>
> Regards,
>
> Geordie
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140408/c78321f4/attachment.html>


More information about the AusNOG mailing list