[AusNOG] Redirecting a TCP port both directions

Mark Foster blakjak at blakjak.net
Tue Apr 8 12:18:48 EST 2014


Did you raise a fault with AWS? If they've 'misdefined' RFC1918 perhaps 
they simply need to ... fix it?



On 8/04/2014 2:16 p.m., Geordie Guy wrote:
> Yeah OK let me clarify, you didn't miss something, I did.
>
> 172.31.1.2 may be inside RFC1918, but I don't think the AWS systems 
> have a copy of the RFC as text and use it, there's another set of 
> rules it uses (that may be a subset of RFC1918 - maybe 10.0.0.0/8 
> <http://10.0.0.0/8>) that are the only ones it'll allow for local 
> routing and down tunnels to on-premise environments.  I think *glaring 
> angrlly at the console*, actually it'll only allow 172.16.0.0/16 
> <http://172.16.0.0/16> down tunnels or locally and sends 172.31.0.0/16 
> <http://172.31.0.0/16> to the Internet.
>
> Either way, I need to redirect a socket.
>
>
> On Tue, Apr 8, 2014 at 12:11 PM, Mark Foster <blakjak at blakjak.net 
> <mailto:blakjak at blakjak.net>> wrote:
>
>     Did I miss something?
>
>
>         Private IPv4 address spaces
>
>     The Internet Engineering Task Force
>     <https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force>
>     (IETF) has directed the Internet Assigned Numbers Authority
>     <https://en.wikipedia.org/wiki/Internet_Assigned_Numbers_Authority> (IANA)
>     to reserve the following IPv4 address ranges for private networks,
>     as published in RFC 1918
>     <https://tools.ietf.org/html/rfc1918>:^[1]
>     <https://en.wikipedia.org/wiki/Private_network#cite_note-1>
>
>     RFC1918 name 	IP address range 	number of addresses 	largest CIDR
>     <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing>
>     block (subnet mask) 	host id size 	mask bits 	/classful
>     <https://en.wikipedia.org/wiki/Classful_network>/
>     description^[Note 1]
>     <https://en.wikipedia.org/wiki/Private_network#cite_note-3>
>     24-bit block 	10.0.0.0 - 10.255.255.255 	16,777,216 	10.0.0.0/8
>     <http://10.0.0.0/8> (255.0.0.0) 	24 bits 	8 bits 	single class A
>     network <https://en.wikipedia.org/wiki/Class_A_network>
>     20-bit block 	172.16.0.0 - 172.31.255.255 	1,048,576
>     172.16.0.0/12 <http://172.16.0.0/12> (255.240.0.0) 	20 bits 	12
>     bits 	16 contiguous class B networks
>     16-bit block 	192.168.0.0 - 192.168.255.255 	65,536
>     192.168.0.0/16 <http://192.168.0.0/16> (255.255.0.0) 	16 bits 	16
>     bits 	256 contiguous class C networks
>
>
>     .... pretty sure that 172.31.1.x IP's fit nicely within that
>     20-bit block that encompasses everything from 172.16.0.0 to
>     172.31.255.255...
>
>     So where you've said 'non-RFC1918' you infact mean 'RFC1918',
>     right? So you're having problems with AWS routing traffic for
>     these RFC1918 addresses to the Internet when that's not what you want?
>
>     Mark.
>
>
>     On 8/04/2014 2:07 p.m., Geordie Guy wrote:
>>     Hi Folks,
>>
>>     Working with a B2B partner who has exposed non-RFC1918 addresses
>>     172.31.1.2 and 172.31.1.3 through a VPN tunnel to our
>>     environment, and this works fine for hitting a web service down
>>     the tunnel from our local networks.  We have a development
>>     footprint in AWS that is shanking at this, because an overlying
>>     abstraction layer for how AWS S3 instances route means that if it
>>     sees a non-RFC1918 range it sends it out to the Internet
>>     regardless of any host or other level routes that are specified.
>>      I can set route add 172.31.1.0/24 <http://172.31.1.0/24> via a
>>     gateway or for that matter the loopback until I go blue in the
>>     face and the server will merrily continue to try and find the IP
>>     on the Internet.
>>
>>     What I need to do, other than not allow design decisions that
>>     involve non RFC-1918 addresses for private networks, is redirect
>>     a TCP port (443) from an IP that I *CAN* hit inside our network,
>>     to the 172.31.1.0 range down the tunnel, so that
>>     1654287.r.msn.com <http://1654287.r.msn.com> stops scratching his
>>     head at the traffic trying to hit him from AWS.
>>
>>     What do I do to accomplish this?  Netcat?  And before anyone says
>>     NAT, there's already been enough bad decisions made here.
>>
>>     Regards,
>>
>>     Geordie
>>
>>
>>     _______________________________________________
>>     AusNOG mailing list
>>     AusNOG at lists.ausnog.net  <mailto:AusNOG at lists.ausnog.net>
>>     http://lists.ausnog.net/mailman/listinfo/ausnog
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140408/80e6832d/attachment.html>


More information about the AusNOG mailing list