<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-AU" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If it’s a Linux box, why not just DNAT it ..<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">A<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> AusNOG [mailto:ausnog-bounces@lists.ausnog.net]
<b>On Behalf Of </b>Geordie Guy<br>
<b>Sent:</b> Tuesday, 8 April 2014 1:30 PM<br>
<b>To:</b> Greg Anderson<br>
<b>Cc:</b> ausnog@lists.ausnog.net<br>
<b>Subject:</b> Re: [AusNOG] Redirecting a TCP port both directions<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">It could be. For now I've got netcat running as a proxy which buys me the time to step through the AWS config and find out if there's a step that doesn't know about the range and is causing the overarching problem. Thanks guys.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Tue, Apr 8, 2014 at 12:42 PM, Greg Anderson <<a href="mailto:ganderson@raywhite.com" target="_blank">ganderson@raywhite.com</a>> wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal">Geordie,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Is it possible that you have missed a rule on:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">- The local firewall<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- The security group the instance is defined in (bi-directional in VPC)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- A NACL<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- Configured route on the VPC to actually send the traffic through your VPC's VPN<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- Configured your local VPN endpoint to accept the traffic<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- Configured any other firewalls along the way<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">There are a lot of layers to the onion that you will need to drill through, and I am more likely to side with AWS not doing the wrong thing here, otherwise you would not be the first to hit this problem...<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On 8 April 2014 12:21, Geordie Guy <<a href="mailto:elomis@gmail.com" target="_blank">elomis@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
<div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<p class="MsoNormal">I've got a fault raised at the same time as I'm asking the NOG community for a workaround.<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Tue, Apr 8, 2014 at 12:18 PM, Mark Foster <<a href="mailto:blakjak@blakjak.net" target="_blank">blakjak@blakjak.net</a>> wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal">Did you raise a fault with AWS? If they've 'misdefined' RFC1918 perhaps they simply need to ... fix it?<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On 8/04/2014 2:16 p.m., Geordie Guy wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Yeah OK let me clarify, you didn't miss something, I did. <o:p>
</o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">172.31.1.2 may be inside RFC1918, but I don't think the AWS systems have a copy of the RFC as text and use it, there's another set of rules it uses (that may be a subset of RFC1918 - maybe
10.0.0.0/8) that are the only ones it'll allow for local routing and down tunnels to on-premise environments. I think *glaring angrily at the console*, actually it'll only allow
172.16.0.0/16 down tunnels or locally and sends
172.31.0.0/16 to the Internet.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Either way, I need to redirect a socket.<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Tue, Apr 8, 2014 at 12:11 PM, Mark Foster <<a href="mailto:blakjak@blakjak.net" target="_blank">blakjak@blakjak.net</a>> wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Did I miss something?<o:p></o:p></p>
<h2>Private IPv4 address spaces<o:p></o:p></h2>
<p>The <a href="https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force" target="_blank" title="Internet Engineering Task Force">
Internet Engineering Task Force</a> (IETF) has directed the <a href="https://en.wikipedia.org/wiki/Internet_Assigned_Numbers_Authority" target="_blank" title="Internet Assigned Numbers Authority">
Internet Assigned Numbers Authority</a> (IANA) to reserve the following IPv4 address ranges for private networks, as published in
<a href="https://tools.ietf.org/html/rfc1918" target="_blank">RFC 1918</a>:<sup><a href="https://en.wikipedia.org/wiki/Private_network#cite_note-1" target="_blank">[1]</a></sup><o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal" align="center" style="text-align:center"><b>RFC1918 name<o:p></o:p></b></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal" align="center" style="text-align:center"><b>IP address range<o:p></o:p></b></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal" align="center" style="text-align:center"><b>number of addresses<o:p></o:p></b></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal" align="center" style="text-align:center"><b>largest <a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing" target="_blank" title="Classless Inter-Domain Routing">
CIDR</a> block (subnet mask)<o:p></o:p></b></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal" align="center" style="text-align:center"><b>host id size<o:p></o:p></b></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal" align="center" style="text-align:center"><b>mask bits<o:p></o:p></b></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal" align="center" style="text-align:center"><b><i><a href="https://en.wikipedia.org/wiki/Classful_network" target="_blank" title="Classful network">classful</a></i> description<sup><a href="https://en.wikipedia.org/wiki/Private_network#cite_note-3" target="_blank">[Note
1]</a></sup><o:p></o:p></b></p>
</td>
</tr>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">24-bit block<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">10.0.0.0 - 10.255.255.255<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">16,777,216<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> (255.0.0.0)<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">24 bits<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">8 bits<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">single <a href="https://en.wikipedia.org/wiki/Class_A_network" target="_blank" title="Class A network">
class A network</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">20-bit block<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">172.16.0.0 - 172.31.255.255<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">1,048,576<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><a href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a> (255.240.0.0)<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">20 bits<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">12 bits<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">16 contiguous class B networks<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">16-bit block<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">192.168.0.0 - 192.168.255.255<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">65,536<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a> (255.255.0.0)<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">16 bits<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">16 bits<o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal">256 contiguous class C networks<o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><br>
.... pretty sure that 172.31.1.x IPs fit nicely within that 20-bit block that encompasses everything from 172.16.0.0 to 172.31.255.255...<br>
<br>
So where you've said 'non-RFC1918' you in fact mean 'RFC1918', right? So you're having problems with AWS routing traffic for these RFC1918 addresses to the Internet when that's not what you want?<br>
<br>
Mark. <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 8/04/2014 2:07 p.m., Geordie Guy wrote:<o:p></o:p></p>
</div>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">Hi Folks, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Working with a B2B partner who has exposed non-RFC1918 addresses 172.31.1.2 and 172.31.1.3 through a VPN tunnel to our environment, and this works fine for hitting a web service down the tunnel from our local networks. We have a development
footprint in AWS that is shanking at this, because an overlying abstraction layer for how AWS S3 instances route means that if it sees a non-RFC1918 range it sends it out to the Internet regardless of any host or other level routes that are specified. I can
set route add <a href="http://172.31.1.0/24" target="_blank">172.31.1.0/24</a> via a gateway or for that matter the loopback until I go blue in the face and the server will merrily continue to try and find the IP on the Internet.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">What I need to do, other than not allow design decisions that involve non-RFC1918 addresses for private networks, is redirect a TCP port (443) from an IP that I *CAN* hit inside our network, to the 172.31.1.0 range down the tunnel, so
that <span style="font-size:9.0pt;font-family:"Arial","sans-serif""><a href="http://1654287.r.msn.com" target="_blank">1654287.r.msn.com</a> stops scratching his head at the traffic trying to hit him from AWS.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial","sans-serif"">What do I do to accomplish this? Netcat? And before anyone says NAT, there's already been enough bad decisions made here.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial","sans-serif"">Regards,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial","sans-serif"">Geordie</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
</div>
</div>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>AusNOG mailing list<o:p></o:p></pre>
<pre><a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><o:p></o:p></pre>
<pre><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
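<p>The TCP port redirect the thread settles on (a userspace relay, the job netcat was doing) together with the RFC1918 membership question it argues over, as an added Python 3.8+ example that is not part of the thread: the listener address, the source allow-list, the helper names and the loopback self-check are assumptions; only the 172.31.1.2:443 target comes from the thread.</p>

```python
# Added example, not from the thread: a TCP relay doing the netcat proxy's job with a
# source allow-list, plus the RFC1918 check. Only the 172.31.1.2:443 target is the thread's.
import ipaddress, socket, threading
from contextlib import suppress
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rfc1918_block(addr):
    """RFC1918 block holding addr, else None: 172.31.1.2 -> 172.16.0.0/12 (172.16.0.0-172.31.255.255)."""
    ip = ipaddress.ip_address(addr)
    return next((net for net in RFC1918 if ip in net), None)

def _pump(src, dst):
    """Copy one direction; on EOF or error half-close dst so its reader sees EOF too."""
    with suppress(OSError):
        while data := src.recv(65536):
            dst.sendall(data)
    with suppress(OSError): dst.shutdown(socket.SHUT_WR)

def _handle(client, peer, target, allowed):
    """Refuse peers outside the allow-list, otherwise splice client <-> target."""
    if not any(ipaddress.ip_address(peer[0]) in net for net in allowed):
        client.close()
        return
    with client, socket.create_connection(target) as upstream:
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()

def start_relay(listen, target, allowed=RFC1918):
    """Serve in a daemon thread, e.g. start_relay(("10.0.0.5", 443), ("172.31.1.2", 443)); returns (host, port)."""
    srv = socket.create_server(listen, backlog=16)
    def loop():
        while True:  # srv.accept() yields (client, peer)
            threading.Thread(target=_handle, args=(*srv.accept(), target, allowed), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def roundtrip(payload, allowed=(ipaddress.ip_network("127.0.0.0/8"),)):
    """Loopback self-check (client -> relay -> echo server); returns the echoed bytes, b"" if refused."""
    echo = socket.create_server(("127.0.0.1", 0))
    def echo_once():
        with echo.accept()[0] as conn:
            conn.sendall(conn.recv(65536))
    threading.Thread(target=echo_once, daemon=True).start()
    relay = start_relay(("127.0.0.1", 0), echo.getsockname(), allowed)
    out = b""
    with socket.create_connection(relay, timeout=5) as c, suppress(OSError):
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        while chunk := c.recv(65536):
            out += chunk
    return out
```

The default allow-list admits only RFC1918 sources, so a relay bound on a reachable internal address does not become an open forwarder to the partner's service; tighten it to the actual client subnets in practice.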
</body>
</html>