[AusNOG] Redirecting a TCP port both directions
Alex Samad - Yieldbroker
Alex.Samad at yieldbroker.com
Tue Apr 8 14:16:55 EST 2014
If it's a linux box, why not just DNAT it ..
A
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Geordie Guy
Sent: Tuesday, 8 April 2014 1:30 PM
To: Greg Anderson
Cc: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Redirecting a TCP port both directions
It could be. For now I've got netcat running as a proxy which buys me the time to step through the AWS config and find out if there's a step that doesn't know about the range and is causing the overarching problem. Thanks guys.
On Tue, Apr 8, 2014 at 12:42 PM, Greg Anderson <ganderson at raywhite.com<mailto:ganderson at raywhite.com>> wrote:
Geordie,
Is it possible that you have missed a rule on:
- The local firewall
- The security group the instance is defined in (bi-directional in VPC)
- A NACL
- Configured route on the VPC to actually send the traffic through your VPC's VPN
- Configured your local VPN endpoint to accept the traffic
- Configured any other firewalls along the way
There are a lot of layers to the onion that you will need to drill through, and I am more likely to side with AWS not doing the wrong thing here, otherwise you would not be the first to hit this problem...
On 8 April 2014 12:21, Geordie Guy <elomis at gmail.com<mailto:elomis at gmail.com>> wrote:
I've got a fault raised at the same time as I'm asking the NOG community for a workaround.
On Tue, Apr 8, 2014 at 12:18 PM, Mark Foster <blakjak at blakjak.net<mailto:blakjak at blakjak.net>> wrote:
Did you raise a fault with AWS? If they've 'misdefined' RFC1918 perhaps they simply need to ... fix it?
On 8/04/2014 2:16 p.m., Geordie Guy wrote:
Yeah OK let me clarify, you didn't miss something, I did.
172.31.1.2 may be inside RFC1918, but I don't think the AWS systems have a copy of the RFC as text and use it, there's another set of rules it uses (that may be a subset of RFC1918 - maybe 10.0.0.0/8<http://10.0.0.0/8>) that are the only ones it'll allow for local routing and down tunnels to on-premise environments. I think *glaring angrlly at the console*, actually it'll only allow 172.16.0.0/16<http://172.16.0.0/16> down tunnels or locally and sends 172.31.0.0/16<http://172.31.0.0/16> to the Internet.
Either way, I need to redirect a socket.
On Tue, Apr 8, 2014 at 12:11 PM, Mark Foster <blakjak at blakjak.net<mailto:blakjak at blakjak.net>> wrote:
Did I miss something?
Private IPv4 address spaces
The Internet Engineering Task Force<https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force> (IETF) has directed the Internet Assigned Numbers Authority<https://en.wikipedia.org/wiki/Internet_Assigned_Numbers_Authority> (IANA) to reserve the following IPv4 address ranges for private networks, as published in RFC 1918<https://tools.ietf.org/html/rfc1918>:[1]<https://en.wikipedia.org/wiki/Private_network#cite_note-1>
RFC1918 name
IP address range
number of addresses
largest CIDR<https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing> block (subnet mask)
host id size
mask bits
classful<https://en.wikipedia.org/wiki/Classful_network> description[Note 1]<https://en.wikipedia.org/wiki/Private_network#cite_note-3>
24-bit block
10.0.0.0 - 10.255.255.255
16,777,216
10.0.0.0/8<http://10.0.0.0/8> (255.0.0.0)
24 bits
8 bits
single class A network<https://en.wikipedia.org/wiki/Class_A_network>
20-bit block
172.16.0.0 - 172.31.255.255
1,048,576
172.16.0.0/12<http://172.16.0.0/12> (255.240.0.0)
20 bits
12 bits
16 contiguous class B networks
16-bit block
192.168.0.0 - 192.168.255.255
65,536
192.168.0.0/16<http://192.168.0.0/16> (255.255.0.0)
16 bits
16 bits
256 contiguous class C networks
.... pretty sure that 172.31.1.x IP's fit nicely within that 20-bit block that encompasses everything from 172.16.0.0 to 172.31.255.255...
So where you've said 'non-RFC1918' you infact mean 'RFC1918', right? So you're having problems with AWS routing traffic for these RFC1918 addresses to the Internet when that's not what you want?
Mark.
On 8/04/2014 2:07 p.m., Geordie Guy wrote:
Hi Folks,
Working with a B2B partner who has exposed non-RFC1918 addresses 172.31.1.2 and 172.31.1.3 through a VPN tunnel to our environment, and this works fine for hitting a web service down the tunnel from our local networks. We have a development footprint in AWS that is shanking at this, because an overlying abstraction layer for how AWS S3 instances route means that if it sees a non-RFC1918 range it sends it out to the Internet regardless of any host or other level routes that are specified. I can set route add 172.31.1.0/24<http://172.31.1.0/24> via a gateway or for that matter the loopback until I go blue in the face and the server will merrily continue to try and find the IP on the Internet.
What I need to do, other than not allow design decisions that involve non RFC-1918 addresses for private networks, is redirect a TCP port (443) from an IP that I *CAN* hit inside our network, to the 172.31.1.0 range down the tunnel, so that 1654287.r.msn.com<http://1654287.r.msn.com> stops scratching his head at the traffic trying to hit him from AWS.
What do I do to accomplish this? Netcat? And before anyone says NAT, there's already been enough bad decisions made here.
Regards,
Geordie
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog
--
[https://lh5.googleusercontent.com/-aWq61wdav6s/UM_3TdCcU9I/AAAAAAAAAEE/JxSBQrF1JzI/w600-h148-p-k/ganderson_footer_small.png]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140408/d9bb9792/attachment.html>
More information about the AusNOG
mailing list