Mailing List Archive

Communication between internal hosts, using external addresses
Hi folks,

This is one of those problems where the best solution may
just be "don't do that", but here's my question for what it's
worth:

I have two hosts, "A" and "B", which are both on a private
internal network behind a firewall, and have the addresses
"A.internal" and "B.internal" there. One of the hosts ("B")
is available to the outside world as "B.external", which is
forwarded through the firewall. Both "A" and "B" are masqueraded
through the firewall to the outside world.

Sometimes "A" needs to talk to "B". Obviously, the best
way to do this would be for "A" to, e.g., "ssh B.internal".
This is awkward, though, since from other hosts, outside the
firewall, the command would be "ssh B.external", so it would
be convenient if this address worked internally, too.

Unfortunately, it doesn't. Watching with wireshark, it
appears that the hosts fail to set up a TCP session because of
confusion about addresses. Traffic arriving at "B" appears to
come from "A.internal", so "B" answers directly to this, causing
the reply arriving at "A" to appear to be from "B.internal", which
isn't what "A" was looking for.

I realize I could just fudge the issue by fiddling with
DNS entries or /etc/hosts files, but maintaining that becomes
a hassle.

Can anyone suggest how to make this work transparently?
Do I need to change the masquerading setup so that both internal
and external interfaces are masqueraded? That sounds like it's
asking for trouble.

Thanks in advance,
Bryan
--
========================================================================
Bryan Wright |"If you take cranberries and stew them like
Physics Department | applesauce, they taste much more like prunes
University of Virginia | than rhubarb does." -- Groucho
Charlottesville, VA 22901|
(434) 924-7218 | bryan@virginia.edu
========================================================================
Re: Communication between internal hosts, using external addresses
>>>>> "BW" == Bryan Wright <bryan@virginia.edu> writes:

BW> Unfortunately, it doesn't. Watching with wireshark, it
BW> appears that the hosts fail to set up a TCP session because of
BW> confusion about addresses. Traffic arriving at "B" appears to come
BW> from "A.internal", so "B" answers directly to this, causing the
BW> reply arriving at "A" to appear to be from "B.internal", which
BW> isn't what "A" was looking for.

I believe the solution is referred to as "hairpinning". Basically, you
add iptables -t nat -A POSTROUTING -s $LAN_NET -d $LAN_NET -o $LAN -j SNAT ... (or
MASQUERADE).

All the traffic then goes to the firewall and back, even for internal
traffic. It's a waste of firewall capacity and network bandwidth, of
course.


/Benny
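The hairpin setup Benny describes, written out as a complete rule set. This is an added example, not code from either poster: the interface names, the 192.168.1.0/24 LAN, the firewall's LAN address 192.168.1.1, B's addresses 203.0.113.10 (external) and 192.168.1.20 (internal), and port 22 are all assumptions. Three things have to line up for A -> B.external to work from inside: the DNAT rule must not be restricted to the WAN interface, the hairpin SNAT must sit in POSTROUTING (which has no input interface, so it is matched on source/destination network and output interface rather than -i), and the SNAT source must be the firewall's own LAN address so B's reply routes back through the firewall to be un-DNATed to B.external.

```shell
#!/bin/sh
# Hairpin NAT for "A on the LAN connects to B.external". Added example;
# every address and interface below is an assumption for illustration.
set -eu

IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of applying them
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
FW_LAN_IP=192.168.1.1       # firewall's LAN address: becomes the hairpinned source
B_EXTERNAL=203.0.113.10     # public address the firewall forwards to B
B_INTERNAL=192.168.1.20
B_PORT=22

hairpin_rules() {
  # 1. DNAT B.external:22 -> B.internal:22 for packets from ANY interface.
  #    Adding "-i $WAN" here is the usual way hairpinning silently breaks:
  #    a LAN client's SYN is then never rewritten at all.
  $IPT -t nat -A PREROUTING -d "$B_EXTERNAL" -p tcp --dport "$B_PORT" \
       -j DNAT --to-destination "$B_INTERNAL:$B_PORT"

  # 2. Ordinary masquerade for LAN -> Internet. Unchanged by the hairpin.
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

  # 3. The hairpin. After rule 1, A's packet is LAN -> LAN and would leave on
  #    $LAN with source A.internal; B would then answer A directly from
  #    B.internal, which is the SYN-ACK mismatch seen in wireshark. Rewriting
  #    the source to the firewall forces B's reply back through the firewall,
  #    where conntrack restores B.external as the source A expects.
  #    Scoped to LAN-sourced traffic for B's rewritten address only, so no
  #    other internal traffic is pulled through the firewall.
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$B_INTERNAL" -o "$LAN" \
       -p tcp --dport "$B_PORT" -j SNAT --to-source "$FW_LAN_IP"

  # 4. Let the rewritten connection through the filter table.
  $IPT -A FORWARD -d "$B_INTERNAL" -p tcp --dport "$B_PORT" \
       -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-print}" in
  apply) hairpin_rules ;;        # sh hairpin.sh apply   (as root, appends the rules)
  print) IPT=echo; hairpin_rules ;;   # default: dry run, prints the rule lines
  *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to see the rules it would add; run it as root with `apply` to append them. Besides the extra firewall load Benny mentions, rule 3 has a side effect worth knowing about: every hairpinned connection reaches B with the firewall's LAN address as its source, so B's sshd logs, TCP wrappers and host firewall can no longer tell A apart from any other internal host using the external name. If that matters, keep the SNAT scoped as above and leave direct use of B.internal as the audited path.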