Date: Wed, 29 Aug 2001 00:47:09 -0500
From: David Kelly <dkelly@hiwaay.net>
To: Nick Rogness <nick@rogness.net>
Cc: Joel Rosenberg <thisisjoel@hotmail.com>, freebsd-questions@FreeBSD.ORG
Subject: Re: Forwarding packets from the internal network
Message-ID: <200108290547.f7T5l9w74186@grumpy.dyndns.org>
In-Reply-To: Message from Nick Rogness <nick@rogness.net> of "Tue, 28 Aug 2001 23:11:33 CDT." <Pine.BSF.4.21.0108282257040.67736-100000@cody.jharris.com>
Nick Rogness writes:
> On Tue, 28 Aug 2001, David Kelly wrote:
>
> > I'm confused by the description above as to whether or not
> > 192.168.1.21 is trying to connect outside on port 80 and that one
> > replies back to 80 or what?
>
> I believe what he is saying is that 192.168.1.21 is responding to
> port 80 requests with a src_port of 80 and not 81 which would not
> work. So if I understand correctly:
>
> 1) natd gets packet from outside world:
>
>    SOURCE                 DESTINATION
>    remote_IP:16675    --> your_nat_outside_IP:81
>
> 2) natd changes packet to:
>
>    SOURCE                 DESTINATION
>    remote_IP:16675    --> 192.168.1.21:80
>
> 3) Packet gets sent to 192.168.1.21 port 80
>
> 4) 192.168.1.21 responds sending packet back to natd
>    machine.
>
> 5) natd changes packet to:
>
>    SOURCE                    DESTINATION
>    your_nat_outside_IP:80 --> remote_IP:16675
>
> 6) packet gets sent out into the world.
>
>
> Step #5 you want it to be:
>
>    your_nat_outside_IP:81 --> remote_IP:16675
>
> Is this the problem you were describing?

Excellent description. But your #5 above should be taken care of by the
port redirection in natd as the remote site sees the connection as
between remote_IP:16675 and your_nat_outside_IP:81, a return packet from
port your_nat_outside_IP:80 to remote_IP:16675 would be discarded as
there isn't a matching connection. As I understand natd, it has to track
these connections so the redirect's replies will work. It can't figure
it out on each and every packet.

As I understand the same-port option, natd will _try_ to use
private_inside:16675 in its connection to 192.168.1.21:81 but there is
no guarantee this port (16675) is available.

As for the incoming port 80 and 81, those port numbers are already
decided by the remote client before natd has a shot at them. Externally
natd has to respond from the port the incoming connection arrived at.

Without enough information I'm guessing the port 80 and 81 stuff are web
servers.
And similar to ftp, http is exchanging port numbers in the data portion
of the connection causing the client to try port 80 on the external
address because the port 81 web server thinks it's on port 80. An
internal webserver behind NAT also has to be careful not to rewrite URLs
with its internal IP address.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
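Added example, not from the thread or from natd itself: a small Python model of the six steps above, showing why natd must keep a connection table for a port redirect. The inbound request to outside port 81 is recorded, the reply from 192.168.1.21:80 is rewritten back to source port 81 (not 80), and a reply with no matching tracked connection is dropped. Addresses and ports are the placeholders used in the thread; the redirect rule mirrors natd's `redirect_port tcp 192.168.1.21:80 81`.

```python
from dataclasses import dataclass, replace
from typing import Optional

OUTSIDE_IP = "your_nat_outside_IP"          # public address of the natd box
INSIDE_WEB = ("192.168.1.21", 80)           # internal web server
# redirect_port tcp 192.168.1.21:80 81  -> outside port 81 maps to inside :80
REDIRECTS = {("tcp", 81): INSIDE_WEB}


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Natd:
    """Only the redirect_port path is modelled, not ordinary outbound NAT."""

    def __init__(self) -> None:
        # (proto, remote_ip, remote_port, inside_ip, inside_port) -> outside port
        self.table: dict = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 1-2: packet from the Internet hits the outside interface."""
        target = REDIRECTS.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None                      # no redirect for this port: dropped
        inside_ip, inside_port = target
        key = (pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        self.table[key] = pkt.dst_port       # remember the port the client used (81)
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 4-6: reply from the inside host heading back out."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        outside_port = self.table.get(key)
        if outside_port is None:
            return None                      # no tracked connection: discarded
        return replace(pkt, src_ip=OUTSIDE_IP, src_port=outside_port)


def demo():
    """Run the exchange from the thread; returns (to_server, to_client)."""
    nat = Natd()
    request = Packet("tcp", "remote_IP", 16675, OUTSIDE_IP, 81)
    to_server = nat.inbound(request)         # remote_IP:16675 -> 192.168.1.21:80
    reply = Packet("tcp", to_server.dst_ip, to_server.dst_port,
                   to_server.src_ip, to_server.src_port)
    to_client = nat.outbound(reply)          # your_nat_outside_IP:81 -> remote_IP:16675
    return to_server, to_client
```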