
This is driving me nuts, anyone got any idea's or IP tables tricks to get my internal server accessi

lukeglazebrook

Occasional Visitor
I knocked up the following firewall-start script and it works, sort of ... (I think this is the equivalent of IP aliasing in my old Draytek). The intention is to get one of my internal servers externally facing on the interweb thingy.

#!/bin/sh
# firewall-start: Asuswrt-Merlin re-runs this every time the firewall is restarted
touch /tmp/firewall-start
sleep 10
# Outbound: rewrite the server's source address to the second public IP
iptables -t nat -A POSTROUTING -s 192.168.0.145 -j SNAT --to-source 95.172.233.122
# Inbound: anything arriving for the second public IP goes to the server (all ports, no -i/-p/--dport match)
iptables -t nat -A PREROUTING -d 95.172.233.122 -j DNAT --to-destination 192.168.0.145

The trouble is, as soon as it hits my vCenter server, a certificate seems to redirect me to the internally named address:

https://MyServer.MyDomain.com/websso/SAML2/SSOSSL?RelyingPartyEntityI=ld-aHR0...... blah blah

Consequently I get a dead page :( Presumably the "MyServer" part is chucking a spanner in the works?

Are there any fancy scripted workarounds? If I rebuilt the server but gave its NIC the internal IP above (95.172.233.122), would that have a chance of working? The certificate would regenerate, but it may still put a server name prefix at the start.

Any ideas or workarounds anyone has would be greatly appreciated...
 
Doubt if it affects the certificate - but you could try "-I" rather than "-A" to make sure nothing else gets to the packets in the filtering chains first.

Do you need something in the FORWARD chain for the "one-to-one NAT" to work?
 
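As an added example, not the poster's script and not Asuswrt-Merlin's own code, here is how the same one-to-one mapping looks with the pieces the first post leaves out and the two questions from the reply (use -I, and what goes in FORWARD) answered: the router claims the spare public address on the WAN side so it actually receives packets for it, SNAT is limited to the WAN interface, DNAT is limited to the WAN interface and to the ports the server needs rather than every port, each forward gets an explicit FORWARD accept, and every rule is inserted only if it is not already present, because firewall-start runs again on every firewall restart. The WAN interface name coming from nvram (wan0_ifname, eth0 as a fallback), the LAN bridge br0, and the port list are my assumptions and are not stated in the thread. The script only acts when invoked as firewall-start, so it can be sourced elsewhere to dry-run the functions with stubbed iptables/ip commands.

```shell
#!/bin/sh
# Added example, not the poster's script or Asuswrt-Merlin code: a
# firewall-start that maps one spare public IP onto one internal host and
# exposes only the ports that host needs, rather than every port.
#
# Assumptions (mine, not stated in the thread): the ISP delivers the extra
# static IPs on the same WAN link, so the router can claim one with
# "ip addr add"; the WAN interface name is read from nvram (wan0_ifname, with
# eth0 as a fallback) and the LAN bridge is br0; TCP_PORTS is a placeholder
# for the service ports. Everything here needs root on the router.

PUB_IP="95.172.233.122"   # spare public IP from the thread
LAN_IP="192.168.0.145"    # internal server from the thread
TCP_PORTS="443"           # placeholder: only the ports to expose
WAN_IF="${WAN_IF:-$(nvram get wan0_ifname 2>/dev/null || echo eth0)}"
LAN_IF="${LAN_IF:-br0}"

# add_rule TABLE CHAIN RULE...: insert at the top of CHAIN unless the identical
# rule is already there. firewall-start is re-run on every firewall restart,
# so an unconditional -A/-I piles up duplicate rules.
add_rule() {
    table=$1; chain=$2; shift 2
    if iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    iptables -t "$table" -I "$chain" "$@"
}

apply_one_to_one_nat() {
    # 1. Own the spare address on the WAN side. Without this the router never
    #    answers ARP for it and no packet for PUB_IP ever reaches PREROUTING.
    ip addr show dev "$WAN_IF" | grep -q "inet $PUB_IP/" ||
        ip addr add "$PUB_IP/32" dev "$WAN_IF"

    # 2. Outbound: SNAT only on the way out of the WAN interface. The posted
    #    rule has no -o, so it also rewrites traffic the router forwards
    #    between internal networks.
    add_rule nat POSTROUTING -o "$WAN_IF" -s "$LAN_IP" -j SNAT --to-source "$PUB_IP"

    # 3. Inbound: DNAT per port, from WAN only, plus an explicit FORWARD accept
    #    so the translated packet does not depend on whatever the firmware's
    #    own FORWARD rules happen to allow. A -d PUB_IP rule with no port, as
    #    in the post, forwards every port to the server.
    for port in $TCP_PORTS; do
        add_rule nat PREROUTING -i "$WAN_IF" -d "$PUB_IP" -p tcp --dport "$port" \
            -j DNAT --to-destination "$LAN_IP"
        add_rule filter FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_IP" -p tcp --dport "$port" \
            -j ACCEPT
    done
}

# Only act when invoked as firewall-start; sourcing the file elsewhere just
# defines the functions, which allows dry-running them with stub commands.
case "$0" in
    */firewall-start|firewall-start) apply_one_to_one_nat ;;
esac
```

None of this touches the vCenter redirect in the first post: the SSO URL carries the server's configured name, and NAT cannot rewrite a hostname inside an HTTP redirect. Whoever follows that link needs MyServer.MyDomain.com to resolve to 95.172.233.122 (public DNS, or a hosts entry on the client), otherwise the forwarded connection works and the next hop still dies.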
What's the difference exactly, mate? I'm new to Linux and fairly eager to learn. I'm pretty sure what the above rule has effectively done is put 192.168.0.145 in a DMZ, because I have established that all ports are open. I suppose this is more a problem on the server side than the firewall :(

Is there a way I can bypass all NAT for one IP only? I have six usable static IPs with my service provider.
 
Check the resulting netfilter rules from a command line using

iptables -nvL -t nat
iptables -nvL

Packets traverse the rules in order and are accepted/dropped by the first matching rule seen, so order is very important for efficiency/throughput; you can see the number/size of matches from the counters.

I am sure you can do whatever you want in Linux if you know the magic incantations. I have seen no-NAT setups where the router is given one of the IP addresses and the servers have real IP addresses using the router as their gateway (but each server then needs its own firewall); you can also use one external IP for NAT traffic to dynamic clients. I do not know how well Asuswrt-merlin works in 'router' mode; many features such as port forwarding/UPnP/DHCP etc. tend to assume the Asus router is the 'internet NAT gateway', and you may end up doing a lot manually, as is also needed in other firmwares such as dd-wrt, for example

http://www.dd-wrt.com/wiki/index.php/One-to-one_NAT
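To make the counter check above concrete, here is an added example (not from the thread) that reads the output of "iptables -nvL -t nat" and prints every rule whose packet counter is still zero, with its position in the chain. A zero on a freshly added DNAT rule means its packets never got there: either an earlier rule in the same chain already handled them (SNAT/DNAT targets end processing; jumps such as the firmware's VSERVER chain return if nothing inside matches), or nothing for that public IP is reaching the router at all. The dump embedded below is constructed to look like the router's nat table; the interface names and counters are made up.

```shell
#!/bin/sh
# Added example (not from the thread): find nat-table rules that have never
# matched in "iptables -nvL -t nat" output. The sample dump is constructed;
# counters and interface names are made up.

SAMPLE_DUMP='Chain PREROUTING (policy ACCEPT 8123 packets, 612K bytes)
 pkts bytes target     prot opt in     out     source               destination
  300 18000 VSERVER    all  --  *      *       0.0.0.0/0            95.172.233.121
    0     0 DNAT       all  --  *      *       0.0.0.0/0            95.172.233.122       to:192.168.0.145

Chain POSTROUTING (policy ACCEPT 7001 packets, 540K bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 SNAT       all  --  *      *       192.168.0.145        0.0.0.0/0            to:95.172.233.122
 6959  537K MASQUERADE all  --  *      eth0    192.168.0.0/24       0.0.0.0/0'

# unmatched_rules: reads an iptables -nvL dump on stdin and prints
# "CHAIN:N TARGET SOURCE -> DESTINATION" for each rule whose pkts column is 0,
# N being the rule's 1-based position in its chain (first match wins).
unmatched_rules() {
    awk '
        /^Chain /  { chain = $2; n = 0; next }   # new chain: reset position
        /^ *pkts / { next }                      # column header line
        NF == 0    { next }                      # blank line between chains
        {
            n++
            if ($1 == 0) printf "%s:%d %s %s -> %s\n", chain, n, $3, $8, $9
        }'
}

# On the router:  iptables -nvL -t nat | unmatched_rules
# On the constructed sample:
printf '%s\n' "$SAMPLE_DUMP" | unmatched_rules
```

On the sample this reports only PREROUTING rule 2, the DNAT for 95.172.233.122; the SNAT in POSTROUTING has matched 42 packets, so outbound translation is working and the inbound side is where to look.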
 
