NAT interview questions
Top NAT frequently asked interview questions
I have a network behind a NAT with a few machines.
The machines are:
- router - NAT, dnsmasq, forwarding - directly connected to the inet
- server - which runs ssh, www and some other stuff
- clients - which do stuff on server
I also have mydomain.com.
server.mydomain.com is pointing to my connection's IP (single IP), which is the router, which forwards ports to server.
Server, has a httpd running, which serves different sites based on vhosts.
So I have site1.server.mydomain.com, site2..
The problem is that all the traffic is going through the router, and when I check logs I always see the router's IP for everything (so it's hard to see who is running the script with the while(1)).
I would just ServerAlias site1.server.local, but most of the sites have a root URL saved somewhere on top of which other URLs are built, so I can't do that.
The solution for me would be telling dnsmasq somehow to answer to *.mydomain.com with server's IP.
Is this possible somehow?
Source: (StackOverflow)
I don't fully understand the differences between NAT and a bridged connection on a virtual machine. As far as I've found, machines which are on the same network as our host machine can access our virtual machine if we make a bridged connection.
Well, on the internet, people write that both NAT and bridged virtual machines can have IP address like a host machine but if it is NAT, machines which are on the same network can NOT access our vm but if it is bridged, then they can.
If both NAT and bridged connections can have different IP addresses, then why can't I access a NAT'd address while I can access a bridged address?
Note: stating that NAT connections are protected is insufficient; I want to know how that is.
Source: (StackOverflow)
I have server (Debian Squeeze) with 1 ethernet card and 2 public static IPs (188.120.245.4 and 188.120.244.5).
What I want: Setup virtual box (Ubuntu) with access via static IP (188.120.244.5).
What I was trying:
- config.vm.forward_port - good idea: setup interface "eth1:1" with 188.120.244.5 on host-machine, and add to Vagrant file "config.vm.forward_port = hmm..?"
- config.vm.network :hostonly, "188.120.244.5" - not working. A new interface was created on the host machine with IP "188.120.244.1". Of course the 188.120.244.1 IP isn't mine and I can't access my server via this IP.
- config.vm.network :bridged - I'm confused how this works :)
What I have now: Not working configuration.
Debian-host-machine# cat Vagrantfile
Vagrant::Config.run do |config|
config.vm.define :gitlab do |box_config|
box_config.vm.box = "ubuntu"
box_config.vm.host_name = "ubuntu"
box_config.vm.network :bridged
box_config.vm.network :hostonly, "188.120.244.5", :auto_config => false
end
end
Debian-host-machine# ifconfig
eth1 Link encap:Ethernet HWaddr 00:15:17:69:71:bb
inet addr:188.120.245.4 Bcast:188.120.247.255 Mask:255.255.248.0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
vboxnet0 Link encap:Ethernet HWaddr 0a:00:27:00:00:00
inet addr:188.120.244.1 Bcast:188.120.246.255 Mask:255.255.255.0
Ubuntu-virtual-machine# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:ee:8d:0c
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
eth1 Link encap:Ethernet HWaddr 08:00:27:45:71:87
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
How can I access the virtual box via the public static IP from the network?
I'm using Oracle VM VirtualBox Manager 4.1.18 and Vagrant version 1.0.3.
Thanks in advance for your feedback.
Source: (StackOverflow)
I have two internet connections from two different ISPs and I need to balance the traffic originating to and from my network between the two ISPs. I am using Debian GNU/Linux.
My set-up is like this -
eth0
(192.168.0.0/24) -- Local network
eth1
(192.168.1.0/24) -- ISP #1
eth2
(192.168.2.0/24) -- ISP #2
My local network is connected to this server via eth0 and the box is the DHCP server cum Gateway for all the machines in the LAN.
The server needs to do load-balancing between the two ISPs and also needs to do NAT-ing.
I have followed the routing instructions on lartc.org but I still need instructions to do the NAT-ing properly.
Any help will be appreciated.
PS - I know about pFsense but I need to use Linux.
Source: (StackOverflow)
I have an Ubuntu box I wish to use as NAT instance (among other things). I would prefer to avoid using the NAT AMIs provided by Amazon, and instead configuring NAT myself.
Currently, my host has a single network interface (as shown in http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html ).
Should I be able to configure my Ubuntu host as the NAT instance for the other hosts in my Amazon network?
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5 454 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
I tried configuring a NAT rule in the Ubuntu host (10.200.0.51). My second host is on a different network (10.200.10.41/24). So I wrote:
route add -net 10.200.0.0 netmask 255.255.255.0 dev eth0 # So I can reach 10.200.0.51
route add default gw 10.200.0.51
But the machine lost the connection.
What am I misunderstanding regarding the usage of NAT instances and routing in Amazon?
Source: (StackOverflow)
Yesterday, I posted a question here but I think was not clear enough in my words. BTW, This question is not a duplicate.
I have AWS VPC Setup as below.
GOAL/PROBLEM: SSH to Server A from internet. And It is not working.
Server A is in a private subnet and hence I want to enable iptables NATing on my NAT instance so that I can ssh to Server A directly from the internet.
I am following this and this
I ran below command on NAT instance:
NAT# iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 10.0.1.243:22
IP forwarding is enabled on NAT instance:
NAT# sysctl -p
net.ipv4.ip_forward = 1
MASQUERADE is running on NAT instance:
NAT# iptables -t nat -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 6 packets, 312 bytes)
pkts bytes target prot opt in out source destination
199 16466 MASQUERADE all -- * eth0 10.0.0.0/16 0.0.0.0/0
AWS Security groups are configured fine to allow various access needed for this test case.
Troubleshooting:
I can telnet from NAT to Server A on port 22. So access is good.
When I run telnet 54.213.116.251 2222
on my laptop, I see below entry in tcpdump on NAT:
NAT# tcpdump -n -i eth0 dst 10.0.1.243 and port 22
09:59:13.738316 IP xxx.xxx.xxx.xxx.51709 > 10.0.1.243.ssh: Flags [S], seq 1868541786, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
09:59:16.737009 IP xxx.xxx.xxx.xxx.51709 > 10.0.1.243.ssh: Flags [S], seq 1868541786, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
09:59:22.775567 IP xxx.xxx.xxx.xxx.51709 > 10.0.1.243.ssh: Flags [S], seq 1868541786, win 8192, options [mss 1460,nop,nop,sackOK], length 0
So it means that iptables is routing the packets to 10.0.1.243. (BTW, xxx.xxx.xxx.xxx is the public IP address of my laptop.)
But when I run tcpdump on Server A, I do not see anything coming from 10.0.0.54, which is the internal/private IP address of NAT (and I think this is the problem):
Server A# tcpdump -n src 10.0.0.54
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
But if I telnet from the NAT instance to Server A, I see good stuff in tcpdump on Server A (this means my overall PREROUTING rule is not working as expected):
Server A# tcpdump -n src 10.0.0.54
05:01:47.500080 IP 10.0.0.54.44627 > 10.0.1.243.ssh: Flags [S], seq 2862522431, win 14600, options [mss 1460,sackOK,TS val 3013083 ecr 0,nop,wscale 7], length 0
05:01:47.501601 IP 10.0.0.54.44627 > 10.0.1.243.ssh: Flags [.], ack 760676524, win 115, options [nop,nop,TS val 3013083 ecr 12074896], length 0
05:01:47.535720 IP 10.0.0.54.44627 > 10.0.1.243.ssh: Flags [.], ack 22, win 115, options [nop,nop,TS val 3013092 ecr 12074928], length 0
Conclusion:
From the tcpdump output on NAT, it seems that iptables is forwarding my packets fine.
From the tcpdump on Server A, I have good connectivity from NAT to Server A.
But end-to-end, I am not able to connect to Server A from my laptop.
(BTW, I know SSH tunnel and other good stuff. But I want only Iptables to help me with this.)
Source: (StackOverflow)
I'm having some issues with my port forwards. NAT seems to work ok and one out of the port forwards seem to work (udp port 7887 to machine 192.168.1.100). But not the others.
I doubt that it matters, but eth1 & eth2 are located on a dualport NIC.
WAN internet access is provided with dhcp, so a solution should be WAN_IP independent if possible.
/opt/firewall.sh
#!/bin/sh
WAN="eth1"
LAN="eth2"
#ifconfig $LAN up
#ifconfig $LAN 192.168.1.1 netmask 255.255.255.0
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $WAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# Allow ICMP echo reply/destination unreachable/time exceeded.
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# SSH
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 22 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 22 -j ACCEPT
# WWW
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 80,443 -j DNAT --to 192.168.1.99
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.99 -m multiport --dports 80,443 -j ACCEPT
# TOR
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 9001,9030 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 9001,9030 -j ACCEPT
# I2P
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 1047K packets, 80M bytes)
pkts bytes target prot opt in out source destination
5 232 DNAT tcp -- eth1 any anywhere anywhere multiport dports ssh to:192.168.1.250
1 60 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:www to:192.168.1.99:80
0 0 DNAT tcp -- eth1 any anywhere anywhere multiport dports 9001,9030 to:192.168.1.250
0 0 DNAT tcp -- eth1 any anywhere anywhere multiport dports 7887 to:192.168.1.100
12166 4042K DNAT udp -- eth1 any anywhere anywhere multiport dports 7887 to:192.168.1.100
0 0 DNAT tcp -- eth1 any anywhere anywhere multiport dports 8887 to:192.168.1.250
0 0 DNAT udp -- eth1 any anywhere anywhere multiport dports 8887 to:192.168.1.250
Chain POSTROUTING (policy ACCEPT 12313 packets, 4085K bytes)
pkts bytes target prot opt in out source destination
637K 46M MASQUERADE all -- any eth1 anywhere anywhere
Chain OUTPUT (policy ACCEPT 395 packets, 62752 bytes)
pkts bytes target prot opt in out source destination
iptables -L -v
Chain INPUT (policy DROP 9336 packets, 846K bytes)
pkts bytes target prot opt in out source destination
1 76 ACCEPT all -- lo any anywhere anywhere
467 55711 ACCEPT all -- eth2 any anywhere anywhere
64 5598 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
18 1796 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
60586 29M ACCEPT all -- any eth2 anywhere anywhere state RELATED,ESTABLISHED
70888 126M ACCEPT all -- eth2 eth1 anywhere anywhere
0 0 ACCEPT tcp -- eth1 eth2 anywhere 192.168.1.250 multiport dports ssh
0 0 ACCEPT tcp -- any any anywhere 192.168.1.99 tcp dpt:www state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth1 eth2 anywhere 192.168.1.250 multiport dports 9001,9030
0 0 ACCEPT tcp -- eth1 eth2 anywhere 192.168.1.100 multiport dports 7887
646 310K ACCEPT udp -- eth1 eth2 anywhere 192.168.1.100 multiport dports 7887
0 0 ACCEPT tcp -- eth1 eth2 anywhere 192.168.1.250 multiport dports 8887
0 0 ACCEPT udp -- eth1 eth2 anywhere 192.168.1.250 multiport dports 8887
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
157 13421 ACCEPT all -- any lo anywhere anywhere
76 9678 ACCEPT all -- any eth1 anywhere anywhere
159 26706 ACCEPT all -- any eth2 anywhere anywhere
Access testing:
me@external-host $ ssh WAN_IP
ssh: connect to host WAN_IP port 22: Connection timed out
me@external-host $ wget WAN_IP
--2012-05-06 15:46:50-- http://WAN_IP/
Connecting to |WAN_IP|:80... failed: Connection timed out.
Access testing logs:
May 8 21:04:18 router kernel: [11692.837693] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=35931 DF PROTO=TCP SPT=52319 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:19 router kernel: [11693.837174] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24784 DF PROTO=TCP SPT=52320 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:20 router kernel: [11694.835943] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=57280 DF PROTO=TCP SPT=52321 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:21 router kernel: [11695.835159] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=10721 DF PROTO=TCP SPT=52322 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:22 router kernel: [11696.833763] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=19002 DF PROTO=TCP SPT=52323 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:23 router kernel: [11697.832960] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=17468 DF PROTO=TCP SPT=52324 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:24 router kernel: [11698.831733] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=32834 DF PROTO=TCP SPT=52325 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:25 router kernel: [11699.830620] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=28252 DF PROTO=TCP SPT=52326 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:26 router kernel: [11700.829493] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=43537 DF PROTO=TCP SPT=52327 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:27 router kernel: [11701.829118] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=55720 DF PROTO=TCP SPT=52328 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Source: (StackOverflow)
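Both the AWS question (DNAT on port 2222 with a MASQUERADE rule limited to `-s 10.0.0.0/16`) and the firewall.sh question (DNAT rules matched with `-i $WAN`) come down to what a forwarded packet looks like after each netfilter nat hook. The following is an added example, not code from either question: a small Python model of PREROUTING (DNAT) followed by the routing decision and POSTROUTING (MASQUERADE), with the conntrack entry that reverses the translation for the reply. Addresses, ports and rule parameters are taken from the two questions; `203.0.113.7` (the laptop's redacted public IP) and `198.51.100.10` (the DHCP-assigned WAN_IP) are constructed stand-ins from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str = "eth0"   # interface the packet arrived on


@dataclass(frozen=True)
class Dnat:
    """-t nat -A PREROUTING [-i in_if] -p proto --dport dport -j DNAT --to to_ip:to_port"""
    proto: str
    dport: int
    to_ip: str
    to_port: int
    in_if: Optional[str] = None   # None: the rule has no -i match


@dataclass(frozen=True)
class Masq:
    """-t nat -A POSTROUTING -o out_if [-s src_net] -j MASQUERADE"""
    out_if: str
    src_net: str = "0.0.0.0/0"


class NatBox:
    """Model of the nat table on a Linux router; routes: {prefix: (out_if, own ip on it)}."""

    def __init__(self, dnat_rules, masq_rules, routes, local_ips=()):
        self.dnat = list(dnat_rules)
        self.masq = list(masq_rules)
        self.routes = {ip_network(k): v for k, v in routes.items()}
        self.local_ips = set(local_ips)   # addresses owned by the box itself
        self.conntrack = {}

    def route(self, dst):
        """Longest-prefix match over the constructed routing table."""
        addr = ip_address(dst)
        hits = [(n, hop) for n, hop in self.routes.items() if addr in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1]

    def forward(self, pkt):
        original = pkt
        # PREROUTING: first matching DNAT wins and rewrites the destination only.
        for r in self.dnat:
            if (r.proto == pkt.proto and r.dport == pkt.dport
                    and (r.in_if is None or r.in_if == pkt.in_if)):
                pkt = replace(pkt, dst=r.to_ip, dport=r.to_port)
                break
        if pkt.dst in self.local_ips:
            return pkt            # delivered locally (INPUT), POSTROUTING never runs
        out_if, own_ip = self.route(pkt.dst)
        # POSTROUTING: MASQUERADE rewrites the source, but only when -o and -s match.
        for m in self.masq:
            if m.out_if == out_if and ip_address(pkt.src) in ip_network(m.src_net):
                pkt = replace(pkt, src=own_ip)
                break
        # conntrack keys the translated tuple so the reply can be un-translated.
        self.conntrack[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = original
        return pkt

    def reply(self, pkt):
        """Reverse translation of a reply; None when no conntrack entry matches."""
        orig = self.conntrack.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return replace(pkt, src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def aws_nat_instance():
    """AWS question. The Elastic IP 54.213.116.251 is mapped 1:1 to 10.0.0.54 by AWS
    before the packet reaches the instance, so the SYN arrives for 10.0.0.54:2222."""
    box = NatBox(
        dnat_rules=[Dnat("tcp", 2222, "10.0.1.243", 22)],
        masq_rules=[Masq("eth0", "10.0.0.0/16")],
        routes={"10.0.0.0/16": ("eth0", "10.0.0.54"), "0.0.0.0/0": ("eth0", "10.0.0.54")},
    )
    syn = Packet("tcp", "203.0.113.7", 51709, "10.0.0.54", 2222)
    at_server_a = box.forward(syn)
    syn_ack = Packet("tcp", at_server_a.dst, at_server_a.dport, at_server_a.src, at_server_a.sport)
    return at_server_a, box.reply(syn_ack)


def home_router():
    """firewall.sh question: WAN=eth1, LAN=eth2 (multiport 80,443 reduced to 80 here).
    One probe from the Internet, one from a LAN host using the WAN address (hairpin)."""
    wan_ip = "198.51.100.10"
    box = NatBox(
        dnat_rules=[Dnat("tcp", 80, "192.168.1.99", 80, in_if="eth1")],
        masq_rules=[Masq("eth1")],
        routes={"192.168.1.0/24": ("eth2", "192.168.1.1"), "0.0.0.0/0": ("eth1", wan_ip)},
        local_ips={wan_ip, "192.168.1.1"},
    )
    from_internet = box.forward(Packet("tcp", "130.235.35.233", 52319, wan_ip, 80, in_if="eth1"))
    from_lan = box.forward(Packet("tcp", "192.168.1.50", 40000, wan_ip, 80, in_if="eth2"))
    return from_internet, from_lan
```

Two things the trace makes visible. First, DNAT never touches the source address: the SYN reaches Server A as `203.0.113.7:51709 > 10.0.1.243:22`, which is exactly what the question's capture on the NAT instance shows, so a capture filter of `src 10.0.0.54` on Server A cannot match a forwarded connection (only `port 22` or `dst 10.0.1.243` will), and the reply only gets un-translated if Server A's route to the laptop's address leads back through the NAT instance. Second, a DNAT rule written with `-i eth1` is skipped for packets arriving on the LAN side, so a LAN client aiming at the WAN address is delivered to the router itself rather than to 192.168.1.99; that is the hairpin case.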
When my cellphone accesses a website via the tower and its GPRS gateway, NAT ensures that the sites receive a public IP. Would all phones using a single tower have the same IP?
- If yes, then how can the mass of received HTTP data be routed to the correct cellphone? And how can websites differentiate between cellphone visitors? Is there additional HTTP header data?
- If no, then how are these unique IPs assigned? Based on availability or location? Would each tower have a fixed set of IPs?
Source: (StackOverflow)
I haven't worked with IPv6 outside of 4to6 tunneling on my home pc with stuff like GoGoNet. I've read about how it works in a general way. No NAT required (or suggested) and each client uses a public ipv6 address, and I understand the continued use of firewalls. From my understanding, without the use of NAT, UAL and getting ARIN to give you your own global range, that would mean the ipv6 address on all the systems on your lan would be from a range provided by your isp. What would happen in the case you change your ISP? Would that mean you have to change your whole lan address range?
In a typical ipv4 windows shop I might have a situation like such:
Site1 Lan IPs: 192.168.1.0/24
Site2 Lan IPs: 10.0.0.0/24
Site1 Public IP: 11.12.13.1/29 (11.12.13.1 - 11.12.13.5 usable)
Site2 Public IP: 20.30.40.1/29 (20.30.40.1 - 20.30.40.5 usable)
Site-to-site VPN via firewalls
Site1: Lan IP, Public IP:Port
Hardware firewall/router - 192.168.1.1, 11.12.13.1
Windows AD DC server (AD DNS server) - 192.168.1.10
Windows Exchange (email) - 192.168.1.11, 11.12.13.2:25+443
Windows RDS (term server) - 192.168.1.12, 11.12.13.3:3389
Workstations (via DHCP) - 192.168.1.100+
Site2:
Hardware firewall/router - 10.0.0.1, 20.30.40.1
Windows AD DC server (AD DNS server) - 10.0.0.10
Windows IIS (webserver) - 10.0.0.11, 20.30.40.2:80
Workstations (via DHCP) - 10.0.0.100+
The servers have statically assigned lan ips; the DNS servers have to, and the others are also, since the firewall does port forwarding to servers via ip addresses you type in (vs hostnames).
Now if I wanted to setup this as a ipv6 only environment? Would everything still be the same with statically assigned servers and dhcpv6 to workstations?
But then if I switch to another isp would that mean I need to change the ip address for all the servers? What if I have 100 servers? I guess I can use dhcpv6 on the servers but I haven't seen a biz-class firewall that allows port forwarding via hostname or internal dns (sonicwall, juniper, cisco, etc), just local ip (at least for ipv4). And DNS servers still need static ips either way.
Also wouldn't that mean that during the transition of changing lan ipv6 ips, my servers might be sending lan traffic over the internet to my old block since it's no longer local lan? At least in technical terms; I understand it's unlikely someone would use the old block that quickly and that it can be blocked on the firewall.
It sounds like it would be great for everyone to get their own permanently assigned ipv6 block but I understand it would make the global routing table unusably large.
Update
Based on answers below, I updated the example location above and so this would be the ipv6 equivalent?
Site1 ULA: fd80::192:/64
Site2 ULA: fd80::10:/64
Site1 Public IP: 2000:1112:1301::/48
Site2 Public IP: 2000:2030:4001::/48
Site-to-site VPN via firewalls
Site1: Link-Local, ULA, Public
Hardware firewall/router - fe80::1, fd80::ABCD:1, 2000:1112:1301::1
Windows AD DC server (DNS) - fe80::10, fd80::ABCD:10, 2000:1112:1301::A
Windows Exchange (email) - fe80::11, fd80::ABCD:11, 2000:1112:1301::B
Windows RDS (term server) - fe80::12, fd80::ABCD:12, 2000:1112:1301::C
Workstations (via DHCP) - fe80::100+, fd80::ABCD:1xx, 2000:1112:1301::10+
Site2: Link-Local, ULA, Public
Hardware firewall/router - fe80::1, fd80::ABCD:2, 2000:2030:4001::1
Windows AD DC server (DNS) - fe80::10, fd80::ABCD:20, 2000:2030:4001::A
Windows IIS (webserver) - fe80::11, fd80::ABCD:21, 2000:2030:4001::B
Workstations (via DHCP) - fe80::100+, fd80::ABCD:2xx, 2000:2030:4001::10+
Each site's own systems would talk via Link-Local, Site-to-Site would talk with each other via ULA (encrypted by the VPN) and the world (including services) would talk via Public IPs?
Source: (StackOverflow)
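The question above is really about keeping internal addresses stable while the provider-assigned global prefix changes. As an added example, not part of the question, the Python below builds a ULA /48 from a 40-bit Global ID (RFC 4193, the fd00::/8 range the question's `fd80::` addresses fall into), carves one /64 per site from both the ULA and the ISP prefix, gives each server the same static interface identifier under each prefix, and then shows which addresses change on an ISP switch. The ISP prefixes (`2001:db8:1::/48`, `2001:db8:2::/48`) are constructed from the documentation range, and the host table is a shortened version of the question's two sites.

```python
import secrets
from ipaddress import IPv6Address, IPv6Network
from typing import Optional


def ula_prefix(global_id: Optional[bytes] = None) -> IPv6Network:
    """fd00::/8 + a 40-bit Global ID gives the organisation's /48 (RFC 4193)."""
    if global_id is None:
        global_id = secrets.token_bytes(5)   # RFC 4193 asks for a pseudo-random ID
    if len(global_id) != 5:
        raise ValueError("Global ID must be exactly 40 bits")
    return IPv6Network((int.from_bytes(b"\xfd" + global_id + bytes(10), "big"), 48))


def site_subnet(prefix: IPv6Network, site: int) -> IPv6Network:
    """One /64 per site: the 16-bit subnet id sits directly below the /48."""
    if prefix.prefixlen > 48 or not 0 <= site < 2 ** 16:
        raise ValueError("need a /48 or shorter prefix and a 16-bit site id")
    return IPv6Network((int(prefix.network_address) | (site << 64), 64))


def host_address(subnet: IPv6Network, host_id: int) -> IPv6Address:
    """Static interface identifier; the same host id is reused under every prefix."""
    if not 0 < host_id < 2 ** 64:
        raise ValueError("host id must fit in the 64-bit interface identifier")
    return IPv6Address(int(subnet.network_address) | host_id)


def plan(org_ula: IPv6Network, isp: IPv6Network, hosts: dict) -> dict:
    """hosts: {name: (site, host_id)} -> {name: (ula_address, global_address)}."""
    return {
        name: (host_address(site_subnet(org_ula, site), hid),
               host_address(site_subnet(isp, site), hid))
        for name, (site, hid) in hosts.items()
    }


def renumber(before: dict, after: dict):
    """Return (hosts whose ULA changed, hosts whose global address changed)."""
    ula_changed = [n for n in before if before[n][0] != after[n][0]]
    global_changed = [n for n in before if before[n][1] != after[n][1]]
    return ula_changed, global_changed


# Constructed host table modelled on the two sites in the question.
HOSTS = {
    "site1-dc": (1, 0x10), "site1-exchange": (1, 0x11), "site1-rds": (1, 0x12),
    "site2-dc": (2, 0x10), "site2-iis": (2, 0x11),
}
# Fixed Global ID so the run is reproducible; a real deployment picks one at random once.
ORG_ULA = ula_prefix(bytes.fromhex("abcdef0123"))
OLD_ISP = IPv6Network("2001:db8:1::/48")
NEW_ISP = IPv6Network("2001:db8:2::/48")

if __name__ == "__main__":
    old = plan(ORG_ULA, OLD_ISP, HOSTS)
    new = plan(ORG_ULA, NEW_ISP, HOSTS)
    for name, (ula, glob) in old.items():
        print(f"{name:15} ULA {ula}  global {glob} -> {new[name][1]}")
    print("ULA changed:", renumber(old, new)[0])
```

Internal DNS, the site-to-site VPN and anything that only needs to reach servers from inside the organisation can use the ULA names and never notice the ISP change; only the AAAA records and firewall rules that expose a service to the Internet refer to the global prefix, and those are the ones that get rewritten on renumbering.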
This is a Canonical Question about NAT and DNS
I'm currently trying to set up a network with a DMZ containing a web server and an e-mail server separated from the Internet by a network address translating (NAT) firewall.
I have installed the NAT firewall with the following interfaces:
WAN - x.x.x.x (redacted public IP address)
DMZ - 192.168.124.5/24
LAN - 192.168.123.5/24
On my DMZ I have my two hosts:
Web server - 192.168.124.30
E-mail server - 192.168.124.32
I know that I will need to configure the DNS for the example.com domain to resolve both example.com and mail.example.com to my public IP address.
I would like my NAT firewall to forward all incoming requests to example.com to the web server at 192.168.124.30, and all incoming requests to mail.example.com to the e-mail server at 192.168.124.32. I see a "port forwarding" feature in my NAT firewall's configuration but can't seem to achieve what I'm looking for.
Source: (StackOverflow)
The computer network of an organization has a NAT with 192.168/16 IP address range. There is a department with a server that has an IP address 192.168.x.y and this server handles hosts of this department with another NAT with the IP address range 172.16/16.
Thus there are 2 layers of NAT. Why don't they have subnetting instead? This would allow easy routing.
I feel multiple layers of NAT can cause performance losses. Could you please help me compare the two design strategies?
Update:
@Jon
Some more information
In discussion with a friend, we realized that subnetting would cause the following problem.
The ARP requests of a computer would flood the entire organization's network. If the router does not forward these requests then PCs in one department will not be able to connect to PCs in other departments, which anyway cannot be done if they are behind different NATs. With a packet sniffer we saw that there is a large number of ARP requests as most computers in the department have File Sharing on Windows enabled.
How to solve this problem?
Also if two computers are behind different NATs then is there no way for them to connect to each other.
Source: (StackOverflow)
I am running Windows 7 within a virtual machine from my Mac. I use Windows 7 for Visual Studio primarily and also to host a dev install of IIS. There are two things I need and I am not sure what networking mode is needed ...
- I need to be able to reach the IIS server (running on the VM) via HTTP from the Mac.
- The web browsers on the virtual machine need to be able to access the internet.
Any suggestions? Thanks.
Source: (StackOverflow)
I have a Windows Server which has ~10 IP addresses statically bound. The problem is I don't know how to specify the default IP address.
Sometimes when I assign a new address to the NIC, the default IP address changes with the last IP entered in the advanced IP configuration on the NIC. This has the effect (since I use NAT) that the outgoing public IP changes too.
Even though this problem is currently on Windows Server 2008.
How can you set the default IP address on a NIC when it has multiple IP addresses bound?
Here is more explanation of my problem.
Here is the output of ipconfig:
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.99.49(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.51(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.52(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.53(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.54(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.55(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.56(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.57(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.58(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.59(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.60(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.61(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.62(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.64(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.65(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.66(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.67(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.68(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.70(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.71(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.108(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.109(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.112(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 192.168.99.63(Duplicate)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.99.1
If I do a pathping, here is the answer; the first hop is 99.49, even though my default IP address is 99.100:
Tracing route to www.l.google.com [72.14.204.99]
over a maximum of 30 hops:
0 Machine [192.168.99.49]
There is the routing table on the machine:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.99.1 192.168.99.49 261
10.10.10.0 255.255.255.0 On-link 10.10.10.10 261
10.10.10.10 255.255.255.255 On-link 10.10.10.10 261
10.10.10.255 255.255.255.255 On-link 10.10.10.10 261
192.168.99.0 255.255.255.0 On-link 192.168.99.49 261
192.168.99.49 255.255.255.255 On-link 192.168.99.49 261
192.168.99.51 255.255.255.255 On-link 192.168.99.49 261
192.168.99.52 255.255.255.255 On-link 192.168.99.49 261
192.168.99.53 255.255.255.255 On-link 192.168.99.49 261
192.168.99.54 255.255.255.255 On-link 192.168.99.49 261
192.168.99.55 255.255.255.255 On-link 192.168.99.49 261
192.168.99.56 255.255.255.255 On-link 192.168.99.49 261
192.168.99.57 255.255.255.255 On-link 192.168.99.49 261
192.168.99.58 255.255.255.255 On-link 192.168.99.49 261
192.168.99.59 255.255.255.255 On-link 192.168.99.49 261
192.168.99.60 255.255.255.255 On-link 192.168.99.49 261
192.168.99.61 255.255.255.255 On-link 192.168.99.49 261
192.168.99.62 255.255.255.255 On-link 192.168.99.49 261
192.168.99.64 255.255.255.255 On-link 192.168.99.49 261
192.168.99.65 255.255.255.255 On-link 192.168.99.49 261
192.168.99.66 255.255.255.255 On-link 192.168.99.49 261
192.168.99.67 255.255.255.255 On-link 192.168.99.49 261
192.168.99.68 255.255.255.255 On-link 192.168.99.49 261
192.168.99.70 255.255.255.255 On-link 192.168.99.49 261
192.168.99.71 255.255.255.255 On-link 192.168.99.49 261
192.168.99.100 255.255.255.255 On-link 192.168.99.49 261
192.168.99.108 255.255.255.255 On-link 192.168.99.49 261
192.168.99.109 255.255.255.255 On-link 192.168.99.49 261
192.168.99.112 255.255.255.255 On-link 192.168.99.49 261
192.168.99.255 255.255.255.255 On-link 192.168.99.49 261
224.0.0.0 240.0.0.0 On-link 192.168.99.49 261
224.0.0.0 240.0.0.0 On-link 10.10.10.10 261
255.255.255.255 255.255.255.255 On-link 192.168.99.49 261
255.255.255.255 255.255.255.255 On-link 10.10.10.10 261
I think my route should look like:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.99.1 **192.168.99.100** 261
10.10.10.0 255.255.255.0 On-link 10.10.10.10 261
10.10.10.10 255.255.255.255 On-link 10.10.10.10 261
10.10.10.255 255.255.255.255 On-link 10.10.10.10 261
192.168.99.0 255.255.255.0 On-link 192.168.99.100 261
192.168.99.49 255.255.255.255 On-link 192.168.99.100 261
192.168.99.51 255.255.255.255 On-link 192.168.99.100 261
192.168.99.52 255.255.255.255 On-link 192.168.99.100 261
192.168.99.53 255.255.255.255 On-link 192.168.99.100 261
192.168.99.54 255.255.255.255 On-link 192.168.99.100 261
192.168.99.55 255.255.255.255 On-link 192.168.99.100 261
192.168.99.56 255.255.255.255 On-link 192.168.99.100 261
192.168.99.57 255.255.255.255 On-link 192.168.99.100 261
192.168.99.58 255.255.255.255 On-link 192.168.99.100 261
192.168.99.59 255.255.255.255 On-link 192.168.99.100 261
192.168.99.60 255.255.255.255 On-link 192.168.99.100 261
192.168.99.61 255.255.255.255 On-link 192.168.99.100 261
192.168.99.62 255.255.255.255 On-link 192.168.99.100 261
192.168.99.64 255.255.255.255 On-link 192.168.99.100 261
192.168.99.65 255.255.255.255 On-link 192.168.99.100 261
192.168.99.66 255.255.255.255 On-link 192.168.99.100 261
192.168.99.67 255.255.255.255 On-link 192.168.99.100 261
192.168.99.68 255.255.255.255 On-link 192.168.99.100 261
192.168.99.70 255.255.255.255 On-link 192.168.99.100 261
192.168.99.71 255.255.255.255 On-link 192.168.99.100 261
192.168.99.100 255.255.255.255 On-link 192.168.99.100 261
192.168.99.108 255.255.255.255 On-link 192.168.99.100 261
192.168.99.109 255.255.255.255 On-link 192.168.99.100 261
192.168.99.112 255.255.255.255 On-link 192.168.99.100 261
192.168.99.255 255.255.255.255 On-link 192.168.99.100 261
224.0.0.0 240.0.0.0 On-link 192.168.99.100 261
224.0.0.0 240.0.0.0 On-link 10.10.10.10 261
255.255.255.255 255.255.255.255 On-link 192.168.99.100 261
255.255.255.255 255.255.255.255 On-link 10.10.10.10 261
How can I be sure the IP address used in the image (supposed to be the default IP address) will be used by my server as the default address?
Source: (StackOverflow)
How can I forward ports on a server running libvirt/KVM to specified ports on VMs, when using NAT?
For example, the host has a public IP of 1.2.3.4. I want to forward port 80 to 10.0.0.1 and port 22 to 10.0.0.2.
I assume I need to add iptables rules, but I'm not sure where is appropriate and what exactly should be specified.
Output of iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 10.0.0.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 10.0.0.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Output of ifconfig
eth0 Link encap:Ethernet HWaddr 00:1b:fc:46:73:b9
inet addr:192.168.1.14 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21b:fcff:fe46:73b9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:201 errors:0 dropped:0 overruns:0 frame:0
TX packets:85 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:31161 (31.1 KB) TX bytes:12090 (12.0 KB)
Interrupt:17
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
virbr1 Link encap:Ethernet HWaddr ca:70:d1:77:b2:48
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::c870:d1ff:fe77:b248/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:468 (468.0 B)
I'm using Ubuntu 10.04.
Source: (StackOverflow)
Inside-to-inside NAT aka NAT loopback solves hairpin NAT issues when accessing a web server on the external interface of an ASA or similar device from computers on the internal interface. This prevents DNS admins from having to maintain a duplicate internal DNS zone that has the corresponding RFC1918 addresses for their servers that are NATted to public addresses. I'm not a network engineer, so I might be missing something, but this seems like a no-brainer to configure and implement. Asymmetric routing can be an issue but is easily mitigated.
In my experience, network admins/engineers prefer that systems folks just run split-dns rather than configuring their firewalls to properly handle NAT hairpins. Why is this?
Source: (StackOverflow)