[AusNOG] Redirecting a TCP port both directions

J Williams jphwilliams at gmail.com
Tue Apr 8 14:23:03 EST 2014 

Am using 172.31 addresses to AWS instances just fine.
Check that you are advertising the prefix to them, or have added the static
routes. Otherwise they will be following default.


On Tue, Apr 8, 2014 at 12:16 PM, Geordie Guy <elomis at gmail.com> wrote:

> Yeah OK let me clarify, you didn't miss something, I did.
>
> 172.31.1.2 may be inside RFC1918, but I don't think the AWS systems have a
> copy of the RFC as text and use it, there's another set of rules it uses
> (that may be a subset of RFC1918 - maybe 10.0.0.0/8) that are the only
> ones it'll allow for local routing and down tunnels to on-premise
> environments.  I think *glaring angrlly at the console*, actually it'll
> only allow 172.16.0.0/16 down tunnels or locally and sends 172.31.0.0/16to the Internet.
>
> Either way, I need to redirect a socket.
>
>
> On Tue, Apr 8, 2014 at 12:11 PM, Mark Foster <blakjak at blakjak.net> wrote:
>
>>  Did I miss something?
>>
>> Private IPv4 address spaces
>>
>> The Internet Engineering Task Force<https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force>(IETF) has directed the Internet
>> Assigned Numbers Authority<https://en.wikipedia.org/wiki/Internet_Assigned_Numbers_Authority>(IANA) to reserve the following IPv4 address ranges for private networks,
>> as published in RFC 1918 <https://tools.ietf.org/html/rfc1918>:[1]<https://en.wikipedia.org/wiki/Private_network#cite_note-1>
>>   RFC1918 name IP address range number of addresses largest CIDR<https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing>block (subnet mask) host
>> id size mask bits *classful
>> <https://en.wikipedia.org/wiki/Classful_network>* description[Note 1]<https://en.wikipedia.org/wiki/Private_network#cite_note-3>  24-bit
>> block 10.0.0.0 - 10.255.255.255 16,777,216 10.0.0.0/8 (255.0.0.0) 24 bits 8
>> bits single class A network<https://en.wikipedia.org/wiki/Class_A_network>  20-bit
>> block 172.16.0.0 - 172.31.255.255 1,048,576 172.16.0.0/12 (255.240.0.0) 20
>> bits 12 bits 16 contiguous class B networks  16-bit block 192.168.0.0 -
>> 192.168.255.255 65,536 192.168.0.0/16 (255.255.0.0) 16 bits 16 bits 256
>> contiguous class C networks
>> .... pretty sure that 172.31.1.x IP's fit nicely within that 20-bit block
>> that encompasses everything from 172.16.0.0 to 172.31.255.255...
>>
>> So where you've said 'non-RFC1918' you infact mean 'RFC1918', right? So
>> you're having problems with AWS routing traffic for these RFC1918 addresses
>> to the Internet when that's not what you want?
>>
>> Mark.
>>
>>
>> On 8/04/2014 2:07 p.m., Geordie Guy wrote:
>>
>> Hi Folks,
>>
>>  Working with a B2B partner who has exposed non-RFC1918 addresses
>> 172.31.1.2 and 172.31.1.3 through a VPN tunnel to our environment, and this
>> works fine for hitting a web service down the tunnel from our local
>> networks.  We have a development footprint in AWS that is shanking at this,
>> because an overlying abstraction layer for how AWS S3 instances route means
>> that if it sees a non-RFC1918 range it sends it out to the Internet
>> regardless of any host or other level routes that are specified.  I can set
>> route add 172.31.1.0/24 via a gateway or for that matter the loopback
>> until I go blue in the face and the server will merrily continue to try and
>> find the IP on the Internet.
>>
>>  What I need to do, other than not allow design decisions that involve
>> non RFC-1918 addresses for private networks, is redirect a TCP port (443)
>> from an IP that I *CAN* hit inside our network, to the 172.31.1.0 range
>> down the tunnel, so that 1654287.r.msn.com stops scratching his head at
>> the traffic trying to hit him from AWS.
>>
>>  What do I do to accomplish this?  Netcat?  And before anyone says NAT,
>> there's already been enough bad decisions made here.
>>
>>  Regards,
>>
>>  Geordie
>>
>>
>> _______________________________________________
>> AusNOG mailing listAusNOG at lists.ausnog.nethttp://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>
>>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140408/1ba38a42/attachment.html>

More information about the AusNOG mailing list