EzDevInfo.com

nat interview questions

Top nat frequently asked interview questions

How to configure a static wildcard subdomain with dnsmasq

I have a network behind a NAT with a few machines.

The machines are:

  • router - NAT, dnsmasq, forwarding - directly connected to the inet
  • server - which runs ssh, www and some other stuff
  • clients - which do stuff on server

I also have mydomain.com.
server.mydomain.com is pointing to my connection's IP (single IP), which is the router, which forwards ports to server.

Server has an httpd running, which serves different sites based on vhosts.
So I have site1.server.mydomain.com, site2..

The problem is that all the traffic is going through the router, and when I check logs I always see the router's IP for everything (so it's hard to see who is running the script with the while(1)).

I would just ServerAlias site1.server.local, but most of the sites have a root URL saved somewhere on top of which other URLs are built, so I can't do that.

The solution for me would be telling dnsmasq somehow to answer to *.mydomain.com with server's IP.

Is this possible somehow?


Source: (StackOverflow)
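For the wildcard the question asks for, dnsmasq's `address=/mydomain.com/<LAN IP of server>` directive answers that name and every name under it, so site1.server.mydomain.com keeps its public hostname while LAN clients are sent straight to the server and its logs show the real client address instead of the router's. The Python model below is an added example, not code from the question or from dnsmasq: it parses such lines and applies dnsmasq's matching rule (the name itself or any parent domain matches, and the longest matching domain wins). The addresses in SAMPLE_CONF are constructed.

```python
"""Resolver model of dnsmasq's address=/<domain>/<ip> directive (added example)."""
from __future__ import annotations

import ipaddress
from typing import Optional

# Constructed dnsmasq.conf fragment; 192.168.1.10 is an assumed LAN address of "server".
SAMPLE_CONF = """
# everything under mydomain.com resolves to the LAN address of server
address=/mydomain.com/192.168.1.10
# a more specific name wins over the shorter suffix
address=/printer.mydomain.com/192.168.1.20
# a directive this model ignores
listen-address=192.168.1.1
"""


def parse_address_lines(conf: str) -> dict[str, str]:
    """Return {domain: ip} for every address=/domain/ip line in conf."""
    table: dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line.startswith("address=/"):
            continue
        # "address=/domain/ip" -> ["address=", "domain", "ip"]
        _, domain, ip = line.split("/", 2)
        ipaddress.ip_address(ip)  # reject typos such as "192.168.1" early
        table[domain.lower().rstrip(".")] = ip
    return table


def resolve(name: str, table: dict[str, str]) -> Optional[str]:
    """dnsmasq matching: the queried name or any of its parent domains may match,
    and the longest (most specific) matching domain decides the answer.
    None means "no local answer, forward the query upstream"."""
    name = name.lower().rstrip(".")
    best: Optional[str] = None
    for domain in table:
        # the "." prefix keeps notmydomain.com from matching mydomain.com
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return table[best] if best is not None else None


if __name__ == "__main__":
    table = parse_address_lines(SAMPLE_CONF)
    for query in ("server.mydomain.com", "site1.server.mydomain.com",
                  "printer.mydomain.com", "notmydomain.com"):
        print(f"{query:30} -> {resolve(query, table)}")
```

Because this is a split-horizon answer (LAN clients get the private address, the public DNS still hands out the router), it only affects clients that use this dnsmasq as their resolver, and the hostnames and any certificates stay unchanged.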

Differences between bridged and NAT networking

I don't fully understand the differences between NAT and a bridged connection on a virtual machine. As far as I've found, machines which are on the same network as our host machine can access our virtual machine if we make a bridged connection.

Well, on the internet, people write that both NAT and bridged virtual machines can have IP address like a host machine but if it is NAT, machines which are on the same network can NOT access our vm but if it is bridged, then they can.

If both NAT and bridged connections can have different IP addresses, then why can't I access a NAT'd address while I can access a bridged address?

Note: stating that NAT connections are protected is insufficient; I want to know how that is.


Source: (StackOverflow)


Public static ip for vagrant box

I have server (Debian Squeeze) with 1 ethernet card and 2 public static IPs (188.120.245.4 and 188.120.244.5).

What I want: Setup virtual box (Ubuntu) with access via static IP (188.120.244.5).

What I was trying:

  • config.vm.forward_port - good idea: setup interface "eth1:1" with 188.120.244.5 on host-machine, and add to Vagrant file "config.vm.forward_port = hmm..?"
  • config.vm.network :hostonly, "188.120.244.5" - not working. A new interface was created on the host machine with IP "188.120.244.1". Of course the 188.120.244.1 IP isn't mine and I can't access my server via this IP.
  • config.vm.network :bridged - I'm confused how this works :)

What I have now: Not working configuration.

Debian-host-machine# cat Vagrantfile
Vagrant::Config.run do |config|
  config.vm.define :gitlab do |box_config|
    box_config.vm.box = "ubuntu"
    box_config.vm.host_name = "ubuntu"
    box_config.vm.network :bridged
    box_config.vm.network :hostonly, "188.120.244.5", :auto_config => false
  end
end

Debian-host-machine# ifconfig
eth1      Link encap:Ethernet  HWaddr 00:15:17:69:71:bb  
          inet addr:188.120.245.4  Bcast:188.120.247.255  Mask:255.255.248.0

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0

vboxnet0  Link encap:Ethernet  HWaddr 0a:00:27:00:00:00  
          inet addr:188.120.244.1  Bcast:188.120.246.255  Mask:255.255.255.0

Ubuntu-virtual-machine# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:ee:8d:0c  
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0

eth1      Link encap:Ethernet  HWaddr 08:00:27:45:71:87  

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0

How can I access the virtual box via its public static IP from the network?

I'm using Oracle VM VirtualBox Manager 4.1.18 and Vagrant version 1.0.3.

Thanks in advance for your feedback.


Source: (StackOverflow)

Load balancing & NAT-ing multiple ISP connections on Linux

I have two internet connections from two different ISPs and I need to balance the traffic originating to and from my network between the two ISPs. I am using Debian GNU/Linux.

My set-up is like this -

eth0 (192.168.0.0/24) -- Local network

eth1 (192.168.1.0/24) -- ISP #1

eth2 (192.168.2.0/24) -- ISP #2

My local network is connected to this server via eth0 and the box is the DHCP server cum Gateway for all the machines in the LAN.

The server needs to do load-balancing between the two ISPs and also needs to do NAT-ing.

I have followed the routing instructions on lartc.org but I still need instructions to do the NAT-ing properly.

Any help will be appreciated.

PS - I know about pfSense but I need to use Linux.


Source: (StackOverflow)

How to configure a custom NAT for use in Amazon VPC

I have an Ubuntu box I wish to use as a NAT instance (among other things). I would prefer to avoid using the NAT AMIs provided by Amazon, and instead configure NAT myself.

Currently, my host has a single network interface (as shown in http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html ).

Should I be able to configure my Ubuntu host as the NAT instance for the other hosts in my Amazon network?

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       5      454 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0  

I tried configuring a NAT rule in the Ubuntu host (10.200.0.51). My second host is on a different network (10.200.10.41/24). So I wrote:

route add -net 10.200.0.0 netmask 255.255.255.0 dev eth0 # So I can reach 10.200.0.51
route add default gw 10.200.0.51

But the machine lost the connection.

What am I misunderstanding regarding the usage of NAT instances and routing in Amazon?


Source: (StackOverflow)

AWS VPC + IPtables + NAT: Port Forwarding is not working

Yesterday, I posted a question here but I think I was not clear enough in my words. BTW, this question is not a duplicate.

I have AWS VPC Setup as below.

[VPC setup diagram not included in this copy]

GOAL/PROBLEM: SSH to Server A from the internet. It is not working.

Server A is in a private subnet and hence I want to enable iptables NATing on my NAT instance so that I can ssh to Server A directly from the internet.

I am following this and this

I ran below command on NAT instance:

NAT# iptables -t nat -A PREROUTING  -p tcp --dport 2222 -j DNAT --to-destination 10.0.1.243:22

IP forwarding is enabled on the NAT instance:

NAT# sysctl  -p
net.ipv4.ip_forward = 1

MASQUERADE is running on NAT instance:

NAT# iptables -t nat -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 6 packets, 312 bytes)
 pkts bytes target     prot opt in     out     source               destination
  199 16466 MASQUERADE  all  --  *      eth0    10.0.0.0/16          0.0.0.0/0

AWS Security groups are configured fine to allow various access needed for this test case.

Troubleshooting:

I can telnet from NAT to Server A on port 22. So access is good.

When I run telnet 54.213.116.251 2222 on my laptop, I see below entry in tcpdump on NAT:

NAT# tcpdump -n -i eth0 dst 10.0.1.243 and port 22
09:59:13.738316 IP xxx.xxx.xxx.xxx.51709 > 10.0.1.243.ssh: Flags [S], seq 1868541786, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
09:59:16.737009 IP xxx.xxx.xxx.xxx.51709 > 10.0.1.243.ssh: Flags [S], seq 1868541786, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
09:59:22.775567 IP xxx.xxx.xxx.xxx.51709 > 10.0.1.243.ssh: Flags [S], seq 1868541786, win 8192, options [mss 1460,nop,nop,sackOK], length 0

So it means iptables is routing the packets to 10.0.1.243. (BTW, xxx.xxx.xxx.xxx is the public IP address of my laptop.)

But when I run tcpdump on Server A, I do not see anything coming from 10.0.0.54, which is the internal/private IP address of the NAT (and I think this is the problem):

Server A# tcpdump  -n src 10.0.0.54
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 

But if I telnet from the NAT instance to Server A, I see good stuff in tcpdump on Server A (this means my overall PREROUTING rule is not working as expected):

Server A# tcpdump  -n src 10.0.0.54
05:01:47.500080 IP 10.0.0.54.44627 > 10.0.1.243.ssh: Flags [S], seq 2862522431, win 14600, options [mss 1460,sackOK,TS val 3013083 ecr 0,nop,wscale 7], length 0
05:01:47.501601 IP 10.0.0.54.44627 > 10.0.1.243.ssh: Flags [.], ack 760676524, win 115, options [nop,nop,TS val 3013083 ecr 12074896], length 0
05:01:47.535720 IP 10.0.0.54.44627 > 10.0.1.243.ssh: Flags [.], ack 22, win 115, options [nop,nop,TS val 3013092 ecr 12074928], length 0

Conclusion:

From the tcpdump output on NAT, it seems that iptables is forwarding my packets fine.

From the tcpdump on Server A, I have good connectivity from NAT to Server A.

But end-to-end, I am not able to connect to Server A from my laptop.

(BTW, I know SSH tunnel and other good stuff. But I want only Iptables to help me with this.)


Source: (StackOverflow)
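The two captures in the question are consistent with the DNAT rule working: DNAT rewrites only the destination, so the SYN that reaches Server A still carries the laptop's source address, and a `tcpdump src 10.0.0.54` filter on Server A can never match it. The MASQUERADE rule shown is restricted to sources in 10.0.0.0/16, so it does not touch that forwarded packet either. The following model is an added example, not code from the question or from netfilter: it walks one SYN through exactly the two nat rules shown and reports what each capture filter would see. 10.0.0.54, 10.0.1.243 and 54.213.116.251 come from the question; 203.0.113.7 is a constructed documentation address standing in for the laptop.

```python
"""Walk a forwarded SSH SYN through the NAT instance's two nat rules (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


NAT_PRIVATE_IP = "10.0.0.54"   # NAT instance, from the question
SERVER_A = "10.0.1.243"        # private server, from the question

# iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 10.0.1.243:22
DNAT_RULES = {("tcp", 2222): (SERVER_A, 22)}

# POSTROUTING MASQUERADE as listed in the question: source 10.0.0.0/16 only
MASQ_SOURCES = ipaddress.ip_network("10.0.0.0/16")


def prerouting_dnat(pkt: Packet) -> Packet:
    """DNAT rewrites the destination only; the source is left as it arrived."""
    target = DNAT_RULES.get((pkt.proto, pkt.dport))
    if target is None:
        return pkt
    return replace(pkt, dst=target[0], dport=target[1])


def postrouting_masquerade(pkt: Packet, sources: ipaddress.IPv4Network) -> Packet:
    """MASQUERADE rewrites the source to the NAT's own address, but only for
    packets matching the rule's source selector (port rewriting omitted)."""
    if ipaddress.ip_address(pkt.src) in sources:
        return replace(pkt, src=NAT_PRIVATE_IP)
    return pkt


def forward(pkt: Packet, masq_sources: ipaddress.IPv4Network = MASQ_SOURCES) -> tuple[Packet, Packet]:
    """Return (packet as 'tcpdump dst 10.0.1.243' on the NAT sees it,
               packet as it is delivered to Server A)."""
    after_dnat = prerouting_dnat(pkt)
    on_wire = postrouting_masquerade(after_dnat, masq_sources)
    return after_dnat, on_wire


def matches_src_filter(pkt: Packet, src: str) -> bool:
    """Equivalent of 'tcpdump -n src <ip>' applied to one packet."""
    return pkt.src == src


# Constructed laptop SYN to the NAT's public address, as in the question's telnet test.
LAPTOP_SYN = Packet("tcp", "203.0.113.7", 51709, "54.213.116.251", 2222)


def diagnose(pkt: Packet = LAPTOP_SYN) -> dict[str, object]:
    """Summarise what each host's capture can see for one forwarded SYN."""
    seen_on_nat, delivered = forward(pkt)
    # Alternative policy: masquerade everything leaving the NAT (source 0.0.0.0/0).
    # Replies then naturally return via the NAT, but Server A's logs no longer
    # show the real client address.
    _, delivered_masq_all = forward(pkt, ipaddress.ip_network("0.0.0.0/0"))
    return {
        "nat_capture_shows_dst_server_a": seen_on_nat.dst == SERVER_A,
        "server_a_sees_src": delivered.src,
        "server_a_src_filter_10_0_0_54_matches": matches_src_filter(delivered, NAT_PRIVATE_IP),
        "server_a_replies_to": delivered.src,
        "with_masq_all_server_a_sees_src": delivered_masq_all.src,
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

The practical check is therefore to capture on Server A with `dst 10.0.1.243 and port 22` rather than `src 10.0.0.54`. If the SYN does arrive there, the remaining piece is the return path: Server A answers the laptop's address, and that reply has to leave the private subnet through the NAT instance for the handshake to complete. Widening MASQUERADE to all forwarded traffic, as the `0.0.0.0/0` variant in the code does, sidesteps the routing question at the cost of losing the client address in Server A's logs.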

iptables: Port forwarding with masquerading is not working

I'm having some issues with my port forwards. NAT seems to work OK and one of the port forwards seems to work (UDP port 7887 to machine 192.168.1.100), but not the others.

I doubt that it matters, but eth1 & eth2 are located on a dualport NIC.

WAN internet access is provided with dhcp, so a solution should be WAN_IP independent if possible.

/opt/firewall.sh

#!/bin/sh

WAN="eth1"
LAN="eth2"

#ifconfig $LAN up
#ifconfig $LAN 192.168.1.1 netmask 255.255.255.0


echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $WAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Allow ICMP echo reply/destination unreachable/time exceeded.
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

# SSH
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 22 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 22 -j ACCEPT

# WWW
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 80,443 -j DNAT --to 192.168.1.99
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.99 -m multiport --dports 80,443 -j ACCEPT

# TOR
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 9001,9030 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 9001,9030 -j ACCEPT

# I2P
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT

iptables -t nat -L -v

Chain PREROUTING (policy ACCEPT 1047K packets, 80M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    5   232 DNAT       tcp  --  eth1   any     anywhere             anywhere            multiport dports ssh to:192.168.1.250 
    1    60 DNAT       tcp  --  eth1   any     anywhere             anywhere            tcp dpt:www to:192.168.1.99:80 
    0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere            multiport dports 9001,9030 to:192.168.1.250 
    0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere            multiport dports 7887 to:192.168.1.100 
12166 4042K DNAT       udp  --  eth1   any     anywhere             anywhere            multiport dports 7887 to:192.168.1.100 
    0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere            multiport dports 8887 to:192.168.1.250 
    0     0 DNAT       udp  --  eth1   any     anywhere             anywhere            multiport dports 8887 to:192.168.1.250 

Chain POSTROUTING (policy ACCEPT 12313 packets, 4085K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 637K   46M MASQUERADE  all  --  any    eth1    anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 395 packets, 62752 bytes)
 pkts bytes target     prot opt in     out     source               destination  

iptables -L -v

Chain INPUT (policy DROP 9336 packets, 846K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    76 ACCEPT     all  --  lo     any     anywhere             anywhere            
  467 55711 ACCEPT     all  --  eth2   any     anywhere             anywhere            
   64  5598 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-reply 
   18  1796 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp destination-unreachable 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp time-exceeded 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
60586   29M ACCEPT     all  --  any    eth2    anywhere             anywhere            state RELATED,ESTABLISHED 
70888  126M ACCEPT     all  --  eth2   eth1    anywhere             anywhere            
    0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.250       multiport dports ssh 
    0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.1.99        tcp dpt:www state NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.250       multiport dports 9001,9030 
    0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.100       multiport dports 7887 
  646  310K ACCEPT     udp  --  eth1   eth2    anywhere             192.168.1.100       multiport dports 7887 
    0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.250       multiport dports 8887 
    0     0 ACCEPT     udp  --  eth1   eth2    anywhere             192.168.1.250       multiport dports 8887 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  157 13421 ACCEPT     all  --  any    lo      anywhere             anywhere            
   76  9678 ACCEPT     all  --  any    eth1    anywhere             anywhere            
  159 26706 ACCEPT     all  --  any    eth2    anywhere             anywhere  

Access testing:

 me@external-host $ ssh WAN_IP        
 ssh: connect to host WAN_IP port 22: Connection timed out

 me@external-host $ wget WAN_IP                
 --2012-05-06 15:46:50--  http://WAN_IP/
 Connecting to |WAN_IP|:80... failed: Connection timed out.

Access testing logs:

 May  8 21:04:18 router kernel: [11692.837693] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=35931 DF PROTO=TCP SPT=52319 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:19 router kernel: [11693.837174] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24784 DF PROTO=TCP SPT=52320 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:20 router kernel: [11694.835943] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=57280 DF PROTO=TCP SPT=52321 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:21 router kernel: [11695.835159] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=10721 DF PROTO=TCP SPT=52322 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:22 router kernel: [11696.833763] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=19002 DF PROTO=TCP SPT=52323 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:23 router kernel: [11697.832960] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=17468 DF PROTO=TCP SPT=52324 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:24 router kernel: [11698.831733] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=32834 DF PROTO=TCP SPT=52325 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:25 router kernel: [11699.830620] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=28252 DF PROTO=TCP SPT=52326 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:26 router kernel: [11700.829493] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=43537 DF PROTO=TCP SPT=52327 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:27 router kernel: [11701.829118] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=55720 DF PROTO=TCP SPT=52328 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 

Source: (StackOverflow)

How are cellphone IP addresses assigned?

When my cellphone accesses a website via the tower and its GPRS gateway, NAT ensures that the sites receive a public IP. Would all phones using a single tower have the same IP?

  • If yes, then how can the mass of received HTTP data be routed to the correct cellphone? And how can websites differentiate between cellphone visitors? Is there additional HTTP header data?
  • If no, then how are these unique IPs assigned? Based on availability or location? Would each tower have a fixed set of IPs?

Source: (StackOverflow)

IPv6 without nat but what about an isp change?

I haven't worked with IPv6 outside of 4to6 tunneling on my home PC with stuff like GoGoNet. I've read about how it works in a general way: no NAT required (or suggested), each client uses a public IPv6 address, and I understand the continued use of firewalls. From my understanding, without the use of NAT, ULA and getting ARIN to give you your own global range, that would mean the IPv6 addresses on all the systems on your LAN would be from a range provided by your ISP. What would happen in the case you change your ISP? Would that mean you have to change your whole LAN address range?

In a typical ipv4 windows shop I might have a situation like such:

Site1 Lan IPs: 192.168.1.0/24
Site2 Lan IPs: 10.0.0.0/24
Site1 Public IP: 11.12.13.1/29 (11.12.13.1 - 11.12.13.5 usable)
Site2 Public IP: 20.30.40.1/29 (20.30.40.1 - 20.30.40.5 usable)
Site-to-site VPN via firewalls

Site1:                                 Lan IP,         Public IP:Port
Hardware firewall/router             - 192.168.1.1,    11.12.13.1
Windows AD DC server (AD DNS server) - 192.168.1.10
Windows Exchange (email)             - 192.168.1.11,   11.12.13.2:25+443
Windows RDS (term server)            - 192.168.1.12,   11.12.13.3:3389
Workstations (via DHCP)              - 192.168.1.100+

Site2:
Hardware firewall/router             - 10.0.0.1,       20.30.40.1
Windows AD DC server (AD DNS server) - 10.0.0.10
Windows IIS (webserver)              - 10.0.0.11,      20.30.40.2:80
Workstations (via DHCP)              - 10.0.0.100+

The servers have statically assigned LAN IPs; the DNS servers have to, and the others do as well, since the firewall does port forwarding to servers via IP addresses you type in (vs hostnames).

Now if I wanted to set this up as an IPv6-only environment, would everything still be the same, with statically assigned servers and DHCPv6 for workstations?

But then if I switch to another ISP, would that mean I need to change the IP address for all the servers? What if I have 100 servers? I guess I can use DHCPv6 on the servers, but I haven't seen a business-class firewall that allowed port forwarding via hostname or internal DNS (SonicWall, Juniper, Cisco, etc.), just local IP (at least for IPv4). And DNS servers still need static IPs either way.

Also, wouldn't that mean that during the transition of changing LAN IPv6 IPs, my servers might be sending LAN traffic over the internet to my old block, since it's no longer the local LAN? At least in technical terms; I understand it's unlikely someone would use the old block that quickly and that it can be blocked on the firewall.

It sounds like it would be great for everyone to get their own permanently assigned IPv6 block, but I understand it would make the global routing table unusably large.

Update: Based on the answers below, I updated the example above; so this would be the IPv6 equivalent?

Site1 ULA: fd80::192:/64
Site2 ULA: fd80::10:/64
Site1 Public IP: 2000:1112:1301::/48
Site2 Public IP: 2000:2030:4001::/48
Site-to-site VPN via firewalls

Site1:                       Link-Local, ULA,            Public
Hardware firewall/router   - fe80::1,    fd80::ABCD:1,   2000:1112:1301::1
Windows AD DC server (DNS) - fe80::10,   fd80::ABCD:10,  2000:1112:1301::A
Windows Exchange (email)   - fe80::11,   fd80::ABCD:11,  2000:1112:1301::B
Windows RDS (term server)  - fe80::12,   fd80::ABCD:12,  2000:1112:1301::C
Workstations (via DHCP)    - fe80::100+, fd80::ABCD:1xx, 2000:1112:1301::10+

Site2:                       Link-Local, ULA,            Public
Hardware firewall/router   - fe80::1,    fd80::ABCD:2,    2000:2030:4001::1
Windows AD DC server (DNS) - fe80::10,   fd80::ABCD:20,   2000:2030:4001::A
Windows IIS (webserver)    - fe80::11,   fd80::ABCD:21,   2000:2030:4001::B
Workstations (via DHCP)    - fe80::100+, fd80::ABCD:2xx,  2000:2030:4001::10+

Each site's own systems would talk via Link-Local, the sites would talk with each other via ULA (encrypted by the VPN), and the world (including services) would talk via public IPs?


Source: (StackOverflow)
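The split the update sketches (a stable ULA for internal traffic and the VPN, an ISP-delegated global prefix for the outside) is the standard answer to the renumbering worry, with one refinement: RFC 4193 wants the 40-bit Global ID of a ULA prefix generated pseudo-randomly so that two merged or VPN-connected sites do not collide, rather than hand-picked like `fd80::`. The example below is added here and is not code from the question: it derives a ULA /64 with the RFC 4193 recipe (SHA-1 over a timestamp and an EUI-64, low 40 bits) and then shows each host keeping its ULA while only the global part changes when the ISP changes. The MAC address, timestamp and the two `2001:db8::` prefixes are constructed (2001:db8::/32 is the documentation prefix).

```python
"""ULA prefix generation (RFC 4193) and renumbering under a new ISP prefix (added example)."""
from __future__ import annotations

import hashlib
import ipaddress


def eui64_from_mac(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 appendix A) from a 48-bit MAC, as an integer."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02                            # flip the universal/local bit
    return int.from_bytes(b[:3] + b"\xff\xfe" + b[3:], "big")


def ula_prefix(mac: str, ntp_time_64bit: int, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: fd00::/8 | 40-bit Global ID | 16-bit Subnet ID -> /64."""
    material = ntp_time_64bit.to_bytes(8, "big") + eui64_from_mac(mac).to_bytes(8, "big")
    global_id = int.from_bytes(hashlib.sha1(material).digest()[-5:], "big")  # low 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((prefix_int, 64))


def host_address(prefix: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier (e.g. ::10 for the DC)."""
    if prefix.prefixlen != 64 or not 0 <= iid < 2**64:
        raise ValueError("need a /64 prefix and a 64-bit IID")
    return ipaddress.IPv6Address(int(prefix.network_address) + iid)


def renumber(hosts: dict[str, int], ula: ipaddress.IPv6Network,
             old_gua: ipaddress.IPv6Network, new_gua: ipaddress.IPv6Network) -> dict[str, dict[str, str]]:
    """Per host: the ULA (unchanged) and the global address before and after an ISP change."""
    return {
        name: {
            "ula": str(host_address(ula, iid)),
            "gua_old": str(host_address(old_gua, iid)),
            "gua_new": str(host_address(new_gua, iid)),
        }
        for name, iid in hosts.items()
    }


if __name__ == "__main__":
    # Constructed inputs: a MAC of the router and a 64-bit NTP timestamp.
    site1_ula = ula_prefix("00:11:22:33:44:55", 0x1234567890ABCDEF, subnet_id=1)
    old_isp = ipaddress.IPv6Network("2001:db8:1:1::/64")   # constructed, old ISP
    new_isp = ipaddress.IPv6Network("2001:db8:2:1::/64")   # constructed, new ISP
    hosts = {"firewall": 0x1, "dc": 0x10, "exchange": 0x11, "rds": 0x12}
    print("Site1 ULA:", site1_ula)
    for name, addrs in renumber(hosts, site1_ula, old_isp, new_isp).items():
        print(f"{name:9} ula={addrs['ula']:28} old={addrs['gua_old']:22} new={addrs['gua_new']}")
```

Internal DNS records and firewall rules that refer to servers by their ULA keep working across the ISP change; only the records and forwards that publish global addresses need to move to the new prefix, and the firewall should drop traffic to and from the old prefix once the transition is done.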

Exposing multiple servers behind NAT using a single public IP address

This is a Canonical Question about NAT and DNS

I'm currently trying to set up a network with a DMZ containing a web server and an e-mail server separated from the Internet by a network address translating (NAT) firewall.

I have installed the NAT firewall with the following interfaces:

WAN - x.x.x.x (redacted public IP address)
DMZ - 192.168.124.5/24
LAN - 192.168.123.5/24

On my DMZ I have my two hosts:

Web server - 192.168.124.30
E-mail server - 192.168.124.32

I know that I will need to configure the DNS for the example.com domain to resolve both example.com and mail.example.com to my public IP address.

I would like my NAT firewall to forward all incoming requests to example.com to the web server at 192.168.124.30, and all incoming requests to mail.example.com to the e-mail server at 192.168.124.32. I see a "port forwarding" feature in my NAT firewall's configuration but can't seem to achieve what I'm looking for.


Source: (StackOverflow)
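Three of the questions on this page come down to how a port-overloading NAT keeps its state table: why a NAT'd VM can reach the network but is not reachable from it (the bridged vs NAT question), how many phones or PCs share one public address and are still told apart (the cellphone question), and why a NAT "port forwarding" feature cannot split example.com from mail.example.com when both resolve to the same public address (this question). The class below is an added example, not code from any of the questions or from any NAT product. It keeps a mapping of (protocol, public port) to (inside address, inside port), created by outbound traffic or by static port-forwards, and delivers inbound packets only through such a mapping. All addresses are constructed except the two DMZ hosts from this question.

```python
"""Minimal NAPT (port-overloading NAT) state table (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import count
from typing import Optional

PUBLIC_IP = "198.51.100.1"     # constructed WAN address of the NAT box


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """One public address shared by many inside hosts, keyed by translated port."""

    def __init__(self, forwards: Optional[dict[tuple[str, int], tuple[str, int]]] = None):
        # static port-forwards: (proto, public port) -> (inside ip, inside port)
        self.forwards = dict(forwards or {})
        # dynamic mappings created by outbound traffic, same key shape
        self.table: dict[tuple[str, int], tuple[str, int]] = {}
        self._ports = count(start=40000)

    def outbound(self, flow: Flow) -> Flow:
        """Inside -> outside: reuse or allocate a public port and rewrite the source."""
        for key, inside in self.table.items():
            if key[0] == flow.proto and inside == (flow.src, flow.sport):
                public_port = key[1]
                break
        else:
            public_port = next(self._ports)
            self.table[(flow.proto, public_port)] = (flow.src, flow.sport)
        return Flow(flow.proto, PUBLIC_IP, public_port, flow.dst, flow.dport)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Outside -> inside: deliver only via a live mapping or a port-forward."""
        if flow.dst != PUBLIC_IP:
            return None
        key = (flow.proto, flow.dport)
        target = self.table.get(key) or self.forwards.get(key)
        if target is None:
            return None            # unsolicited: no inside host is selected, so it is dropped
        return Flow(flow.proto, flow.src, flow.sport, target[0], target[1])


def demo() -> dict[str, object]:
    """The three behaviours the questions ask about, on constructed traffic."""
    # DMZ port-forwards from the multiple-servers question: keyed by port only.
    nat = Napt(forwards={("tcp", 80): ("192.168.124.30", 80),
                         ("tcp", 25): ("192.168.124.32", 25)})
    # Two inside hosts (phones, VMs, PCs) happen to use the same source port.
    a = nat.outbound(Flow("tcp", "10.0.0.2", 5000, "203.0.113.10", 443))
    b = nat.outbound(Flow("tcp", "10.0.0.3", 5000, "203.0.113.10", 443))
    # The web server's reply to b is demultiplexed by the translated port alone.
    reply_to_b = nat.inbound(Flow("tcp", "203.0.113.10", 443, PUBLIC_IP, b.sport))
    # An outsider probing a port nobody mapped gets nothing: the NAT'd host is unreachable.
    probe = nat.inbound(Flow("tcp", "203.0.113.99", 12345, PUBLIC_IP, 3389))
    # www and mail names both resolve to PUBLIC_IP; the NAT never sees the hostname,
    # only the port, so port 80 always lands on the web host and port 25 on the mail host.
    web = nat.inbound(Flow("tcp", "203.0.113.99", 12346, PUBLIC_IP, 80))
    mail = nat.inbound(Flow("tcp", "203.0.113.99", 12347, PUBLIC_IP, 25))
    return {
        "both_share_public_ip": a.src == b.src == PUBLIC_IP,
        "distinct_public_ports": a.sport != b.sport,
        "reply_reaches": (reply_to_b.dst, reply_to_b.dport) if reply_to_b else None,
        "probe_delivered": probe is not None,
        "port80_goes_to": web.dst if web else None,
        "port25_goes_to": mail.dst if mail else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For this question that means the mail server is easy (mail.example.com needs only an MX record plus the port 25 forward), while two HTTP services behind one address on the same port need something that can read the hostname, i.e. a reverse proxy in the DMZ that dispatches on the HTTP Host header or TLS SNI, with the NAT forwarding port 80/443 to the proxy. For the cellphone question, it is this shared public address with per-flow port mapping that lets many handsets sit behind one IP, and why a website alone cannot tell those visitors apart by address.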

Why is it a bad idea to use multiple NAT layers or is it?

The computer network of an organization has a NAT with 192.168/16 IP address range. There is a department with a server that has an IP address 192.168.x.y and this server handles hosts of this department with another NAT with the IP address range 172.16/16.

Thus there are 2 layers of NAT. Why don't they have subnetting instead? This would allow easy routing.

I feel multiple layers of NAT can cause performance losses. Could you please help me compare the two design strategies?

Update:

@Jon: some more information.

In discussion with a friend, we realized that subnetting would cause the following problem. The ARP requests of a computer would flood the entire organization's network. If the router does not forward these requests then PCs in one department will not be able to connect to PCs in other departments, which anyway cannot be done if they are behind different NATs. With a packet sniffer we saw that there is a large number of ARP requests, as most computers in the department have Windows File Sharing enabled.

How to solve this problem?

Also, if two computers are behind different NATs, then is there no way for them to connect to each other?


Source: (StackOverflow)

VMWare networking mode (NAT or Bridged)?

I am running Windows 7 within a virtual Machine from my Mac. I use Windows 7 for Visual Studio primarily and also to host a dev install of IIS. There are two things I need and I am not sure what networking mode is needed ...

  1. I need to be able to reach the IIS server (running on the VM) via HTTP from the Mac.
  2. The web browsers on the virtual machine need to be able to access the internet.

Any suggestions? Thanks.


Source: (StackOverflow)

Windows Server 2008: specifying the default IP address when NIC has multiple addresses

I have a Windows Server which has ~10 IP addresses statically bound. The problem is I don't know how to specify the default IP address.

Sometimes when I assign a new address to the NIC, the default IP address changes with the last IP entered in the advanced IP configuration on the NIC. This has the effect (since I use NAT) that the outgoing public IP changes too.

Even though this problem is currently on Windows Server 2008.

How can you set the default IP address on a NIC when it has multiple IP addresses bound?

Here is more explanation of my problem.


Here is the output of ipconfig:

DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.99.49(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.51(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.52(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.53(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.54(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.55(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.56(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.57(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.58(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.59(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.60(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.61(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.62(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.64(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.65(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.66(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.67(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.68(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.70(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.71(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.108(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.109(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.112(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.63(Duplicate)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.99.1

If I do a pathping, here is the answer: the first hop is 99.49, even if my default IP address is 99.100.

Tracing route to www.l.google.com [72.14.204.99]
over a maximum of 30 hops:
  0  Machine [192.168.99.49]

There is the routing table on the machine:

 Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     192.168.99.1    192.168.99.49    261
           10.10.10.0    255.255.255.0         On-link       10.10.10.10    261
          10.10.10.10  255.255.255.255         On-link       10.10.10.10    261
         10.10.10.255  255.255.255.255         On-link       10.10.10.10    261
         192.168.99.0    255.255.255.0         On-link     192.168.99.49    261
        192.168.99.49  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.51  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.52  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.53  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.54  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.55  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.56  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.57  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.58  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.59  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.60  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.61  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.62  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.64  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.65  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.66  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.67  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.68  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.70  255.255.255.255         On-link     192.168.99.49    261
        192.168.99.71  255.255.255.255         On-link     192.168.99.49    261
       192.168.99.100  255.255.255.255         On-link     192.168.99.49    261
       192.168.99.108  255.255.255.255         On-link     192.168.99.49    261
       192.168.99.109  255.255.255.255         On-link     192.168.99.49    261
       192.168.99.112  255.255.255.255         On-link     192.168.99.49    261
       192.168.99.255  255.255.255.255         On-link     192.168.99.49    261
            224.0.0.0        240.0.0.0         On-link     192.168.99.49    261
            224.0.0.0        240.0.0.0         On-link       10.10.10.10    261
      255.255.255.255  255.255.255.255         On-link     192.168.99.49    261
      255.255.255.255  255.255.255.255         On-link       10.10.10.10    261

I think my route should look like:

Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     192.168.99.1    **192.168.99.100**    261
           10.10.10.0    255.255.255.0         On-link       10.10.10.10    261
          10.10.10.10  255.255.255.255         On-link       10.10.10.10    261
         10.10.10.255  255.255.255.255         On-link       10.10.10.10    261
         192.168.99.0    255.255.255.0         On-link     192.168.99.100    261
        192.168.99.49  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.51  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.52  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.53  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.54  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.55  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.56  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.57  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.58  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.59  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.60  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.61  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.62  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.64  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.65  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.66  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.67  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.68  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.70  255.255.255.255         On-link     192.168.99.100    261
        192.168.99.71  255.255.255.255         On-link     192.168.99.100    261
       192.168.99.100  255.255.255.255         On-link     192.168.99.100    261
       192.168.99.108  255.255.255.255         On-link     192.168.99.100    261
       192.168.99.109  255.255.255.255         On-link     192.168.99.100    261
       192.168.99.112  255.255.255.255         On-link     192.168.99.100    261
       192.168.99.255  255.255.255.255         On-link     192.168.99.100    261
            224.0.0.0        240.0.0.0         On-link     192.168.99.100    261
            224.0.0.0        240.0.0.0         On-link       10.10.10.10    261
      255.255.255.255  255.255.255.255         On-link     192.168.99.100    261
      255.255.255.255  255.255.255.255         On-link       10.10.10.10    261

How can I be sure the IP address used in the image (supposed to be the default IP address) will be used by my server as the default address?


Source: (StackOverflow)

Forwarding ports to guests in libvirt / KVM

How can I forward ports on a server running libvirt/KVM to specified ports on VMs, when using NAT?

For example, the host has a public IP of 1.2.3.4. I want to forward port 80 to 10.0.0.1 and port 22 to 10.0.0.2.

I assume I need to add iptables rules, but I'm not sure where it is appropriate to add them and what exactly should be specified.

Output of iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.0.0.0/24         state RELATED,ESTABLISHED 
ACCEPT     all  --  10.0.0.0/24          anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Output of ifconfig

eth0      Link encap:Ethernet  HWaddr 00:1b:fc:46:73:b9  
          inet addr:192.168.1.14  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:fcff:fe46:73b9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:201 errors:0 dropped:0 overruns:0 frame:0
          TX packets:85 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:31161 (31.1 KB)  TX bytes:12090 (12.0 KB)
          Interrupt:17 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

virbr1    Link encap:Ethernet  HWaddr ca:70:d1:77:b2:48  
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::c870:d1ff:fe77:b248/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:468 (468.0 B)

I'm using Ubuntu 10.04.


Source: (StackOverflow)

Why don't more organizations use inside-to-inside NAT or similar solutions to allow NAT hairpins?

Inside-to-inside NAT aka NAT loopback solves hairpin NAT issues when accessing a web server on the external interface of an ASA or similar device from computers on the internal interface. This prevents DNS admins from having to maintain a duplicate internal DNS zone that has the corresponding RFC1918 addresses for their servers that are NATted to public addresses. I'm not a network engineer, so I might be missing something, but this seems like a no-brainer to configure and implement. Asymmetric routing can be an issue but is easily mitigated.

In my experience, network admins/engineers prefer that systems folks just run split-dns rather than configuring their firewalls to properly handle NAT hairpins. Why is this?


Source: (StackOverflow)