<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Geordie,</div><div><br></div><div>You could always look apache proxypass, if it's just web traffic. </div><div>

<br></div><div>SSL certificates would need to sit on the intermediate system, though. </div><div><br>Sent from my iPhone</div><div><br>On 8 Apr 2014, at 12:17 pm, Geordie Guy <<a href="mailto:elomis@gmail.com">elomis@gmail.com</a>> wrote:<br>

<br></div><div><div dir="ltr">Yeah OK let me clarify, you didn't miss something, I did.<div><br></div><div>172.31.1.2 may be inside RFC1918, but I don't think the AWS systems have a copy of the RFC as text and use it, there's another set of rules it uses (that may be a subset of RFC1918 - maybe <a href="http://10.0.0.0/8">10.0.0.0/8</a>) that are the only ones it'll allow for local routing and down tunnels to on-premise environments.  I think *glaring angrlly at the console*, actually it'll only allow <a href="http://172.16.0.0/16">172.16.0.0/16</a> down tunnels or locally and sends <a href="http://172.31.0.0/16">172.31.0.0/16</a> to the Internet.</div>

<div><br></div><div>Either way, I need to redirect a socket.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 8, 2014 at 12:11 PM, Mark Foster <span dir="ltr"><<a href="mailto:blakjak@blakjak.net" target="_blank">blakjak@blakjak.net</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  <div text="#000000" bgcolor="#FFFFFF">

    Did I miss something?<br>

    <br>

    <h2><span>Private

        IPv4 address spaces</span></h2>

    <p>The <a href="https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force" title="Internet Engineering Task Force" target="_blank">Internet Engineering

        Task Force</a> (IETF) has directed the <a href="https://en.wikipedia.org/wiki/Internet_Assigned_Numbers_Authority" title="Internet Assigned Numbers Authority" target="_blank">Internet Assigned

        Numbers Authority</a> (IANA) to reserve the following IPv4

      address ranges for private networks, as published in <a rel="nofollow" href="https://tools.ietf.org/html/rfc1918" target="_blank">RFC 1918</a>:<sup><a href="https://en.wikipedia.org/wiki/Private_network#cite_note-1" target="_blank"><span>[</span>1<span>]</span></a></sup></p>

    <table>

      <tbody>

        <tr>

          <th>RFC1918 name</th>

          <th>IP address range</th>

          <th>number of addresses</th>

          <th>largest <a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing" title="Classless Inter-Domain Routing" target="_blank">CIDR</a> block

            (subnet mask)</th>

          <th>host id size</th>

          <th>mask bits</th>

          <th><i><a href="https://en.wikipedia.org/wiki/Classful_network" title="Classful network" target="_blank">classful</a></i> description<sup><a href="https://en.wikipedia.org/wiki/Private_network#cite_note-3" target="_blank"><span>[</span>Note

                1<span>]</span></a></sup></th>

        </tr>

        <tr>

          <td>24-bit block</td>

          <td>10.0.0.0 - 10.255.255.255</td>

          <td>16,777,216</td>

          <td><a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> (255.0.0.0)</td>

          <td>24 bits</td>

          <td>8 bits</td>

          <td>single <a href="https://en.wikipedia.org/wiki/Class_A_network" title="Class A network" target="_blank">class A

              network</a></td>

        </tr>

        <tr>

          <td>20-bit block</td>

          <td>172.16.0.0 - 172.31.255.255</td>

          <td>1,048,576</td>

          <td><a href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a> (255.240.0.0)</td>

          <td>20 bits</td>

          <td>12 bits</td>

          <td>16 contiguous class B networks</td>

        </tr>

        <tr>

          <td>16-bit block</td>

          <td>192.168.0.0 - 192.168.255.255</td>

          <td>65,536</td>

          <td><a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a> (255.255.0.0)</td>

          <td>16 bits</td>

          <td>16 bits</td>

          <td>256 contiguous class C networks</td>

        </tr>

      </tbody>

    </table>

    <br>

    .... pretty sure that 172.31.1.x IP's fit nicely within that 20-bit

    block that encompasses everything from 172.16.0.0 to

    172.31.255.255...<br>

    <br>

    So where you've said 'non-RFC1918' you infact mean 'RFC1918', right?

    So you're having problems with AWS routing traffic for these RFC1918

    addresses to the Internet when that's not what you want?<br>

    <br>

    Mark.<div><div class="h5"><br>

    <br>

    <div>On 8/04/2014 2:07 p.m., Geordie Guy

      wrote:<br>

    </div>

    </div></div><blockquote type="cite"><div><div class="h5">

      <div dir="ltr">Hi Folks,

        <div><br>

        </div>

        <div>Working with a B2B partner who has exposed non-RFC1918

          addresses 172.31.1.2 and 172.31.1.3 through a VPN tunnel to

          our environment, and this works fine for hitting a web service

          down the tunnel from our local networks.  We have a

          development footprint in AWS that is shanking at this, because

          an overlying abstraction layer for how AWS S3 instances route

          means that if it sees a non-RFC1918 range it sends it out to

          the Internet regardless of any host or other level routes that

          are specified.  I can set route add <a href="http://172.31.1.0/24" target="_blank">172.31.1.0/24</a> via a gateway

          or for that matter the loopback until I go blue in the face

          and the server will merrily continue to try and find the IP on

          the Internet.</div>

        <div><br>

        </div>

        <div>What I need to do, other than not allow design decisions

          that involve non RFC-1918 addresses for private networks, is

          redirect a TCP port (443) from an IP that I *CAN* hit inside

          our network, to the 172.31.1.0 range down the tunnel, so that <span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif"><a href="http://1654287.r.msn.com" target="_blank">1654287.r.msn.com</a>

            stops scratching his head at the traffic trying to hit him

            from AWS.</span></div>

        <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif"><br>

          </span></div>

        <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif">What

            do I do to accomplish this?  Netcat?  And before anyone says

            NAT, there's already been enough bad decisions made here.</span></div>

        <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif"><br>

          </span></div>

        <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif">Regards,</span></div>

        <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif"><br>

          </span></div>

        <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif">Geordie</span></div>

      </div>

      <br>

      <fieldset></fieldset>

      <br>

      </div></div><pre>_______________________________________________

AusNOG mailing list

<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>

<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>

</pre>

    </blockquote>

    <br>

  </div>

</blockquote></div><br></div>

</div><div><span>_______________________________________________</span><br><span>AusNOG mailing list</span><br><span><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a></span><br><span><a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a></span><br>

</div></body></html>