<div dir="ltr">Yeah OK let me clarify, you didn't miss something, I did.<div><br></div><div>172.31.1.2 may be inside RFC1918, but I don't think the AWS systems have a copy of the RFC as text and use it, there's another set of rules it uses (that may be a subset of RFC1918 - maybe <a href="http://10.0.0.0/8">10.0.0.0/8</a>) that are the only ones it'll allow for local routing and down tunnels to on-premise environments.  I think *glaring angrlly at the console*, actually it'll only allow <a href="http://172.16.0.0/16">172.16.0.0/16</a> down tunnels or locally and sends <a href="http://172.31.0.0/16">172.31.0.0/16</a> to the Internet.</div>

<div><br></div><div>Either way, I need to redirect a socket.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 8, 2014 at 12:11 PM, Mark Foster <span dir="ltr"><<a href="mailto:blakjak@blakjak.net" target="_blank">blakjak@blakjak.net</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    Did I miss something?<br>
    <br>
    <h2><span>Private
        IPv4 address spaces</span></h2>
    <p>The <a href="https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force" title="Internet Engineering Task Force" target="_blank">Internet Engineering
        Task Force</a> (IETF) has directed the <a href="https://en.wikipedia.org/wiki/Internet_Assigned_Numbers_Authority" title="Internet Assigned Numbers Authority" target="_blank">Internet Assigned
        Numbers Authority</a> (IANA) to reserve the following IPv4
      address ranges for private networks, as published in <a rel="nofollow" href="https://tools.ietf.org/html/rfc1918" target="_blank">RFC 1918</a>:<sup><a href="https://en.wikipedia.org/wiki/Private_network#cite_note-1" target="_blank"><span>[</span>1<span>]</span></a></sup></p>


    <table>
      <tbody>
        <tr>
          <th>RFC1918 name</th>
          <th>IP address range</th>
          <th>number of addresses</th>
          <th>largest <a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing" title="Classless Inter-Domain Routing" target="_blank">CIDR</a> block
            (subnet mask)</th>
          <th>host id size</th>
          <th>mask bits</th>
          <th><i><a href="https://en.wikipedia.org/wiki/Classful_network" title="Classful network" target="_blank">classful</a></i> description<sup><a href="https://en.wikipedia.org/wiki/Private_network#cite_note-3" target="_blank"><span>[</span>Note
                1<span>]</span></a></sup></th>
        </tr>
        <tr>
          <td>24-bit block</td>
          <td>10.0.0.0 - 10.255.255.255</td>
          <td>16,777,216</td>
          <td><a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> (255.0.0.0)</td>
          <td>24 bits</td>
          <td>8 bits</td>
          <td>single <a href="https://en.wikipedia.org/wiki/Class_A_network" title="Class A network" target="_blank">class A
              network</a></td>
        </tr>
        <tr>
          <td>20-bit block</td>
          <td>172.16.0.0 - 172.31.255.255</td>
          <td>1,048,576</td>
          <td><a href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a> (255.240.0.0)</td>
          <td>20 bits</td>
          <td>12 bits</td>
          <td>16 contiguous class B networks</td>
        </tr>
        <tr>
          <td>16-bit block</td>
          <td>192.168.0.0 - 192.168.255.255</td>
          <td>65,536</td>
          <td><a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a> (255.255.0.0)</td>
          <td>16 bits</td>
          <td>16 bits</td>
          <td>256 contiguous class C networks</td>
        </tr>
      </tbody>
    </table>
    <br>
    .... pretty sure that 172.31.1.x IP's fit nicely within that 20-bit
    block that encompasses everything from 172.16.0.0 to
    172.31.255.255...<br>
    <br>
    So where you've said 'non-RFC1918' you infact mean 'RFC1918', right?
    So you're having problems with AWS routing traffic for these RFC1918
    addresses to the Internet when that's not what you want?<br>
    <br>
    Mark.<div><div class="h5"><br>
    <br>
    <div>On 8/04/2014 2:07 p.m., Geordie Guy
      wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      <div dir="ltr">Hi Folks,
        <div><br>
        </div>
        <div>Working with a B2B partner who has exposed non-RFC1918
          addresses 172.31.1.2 and 172.31.1.3 through a VPN tunnel to
          our environment, and this works fine for hitting a web service
          down the tunnel from our local networks.  We have a
          development footprint in AWS that is shanking at this, because
          an overlying abstraction layer for how AWS S3 instances route
          means that if it sees a non-RFC1918 range it sends it out to
          the Internet regardless of any host or other level routes that
          are specified.  I can set route add <a href="http://172.31.1.0/24" target="_blank">172.31.1.0/24</a> via a gateway
          or for that matter the loopback until I go blue in the face
          and the server will merrily continue to try and find the IP on
          the Internet.</div>
        <div><br>
        </div>
        <div>What I need to do, other than not allow design decisions
          that involve non RFC-1918 addresses for private networks, is
          redirect a TCP port (443) from an IP that I *CAN* hit inside
          our network, to the 172.31.1.0 range down the tunnel, so that <span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif"><a href="http://1654287.r.msn.com" target="_blank">1654287.r.msn.com</a>
            stops scratching his head at the traffic trying to hit him
            from AWS.</span></div>
        <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif"><br>
          </span></div>
        <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif">What
            do I do to accomplish this?  Netcat?  And before anyone says
            NAT, there's already been enough bad decisions made here.</span></div>
        <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif"><br>
          </span></div>
        <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif">Regards,</span></div>
        <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif"><br>
          </span></div>
        <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif">Geordie</span></div>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
      </div></div><pre>_______________________________________________
AusNOG mailing list
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div>