On Thu, Jun 10, 2010 at 10:51 AM, Arun Khan <knura9@xxxxxxxxx> wrote:
I have a MPLS VPN setup connecting 3 locations, with one of the
locations being the GW to the Internet (for all three locations).
The GW has one public static IP with iptables FireWall (FW).
SNAT handles outgoing connections to the Internet for all three
locations (different private IP nets)
There are services within the VPN LAN at two locations that need to be
made accessible to a set of "select" IPs connecting from the Internet
e.g. ERP, DVR surveillance, IP camera.
I have set up DNAT rules for each "opened" service as shown below.
NB: EXTIF and EXTIP are defined at the begining of the iptables shell
script and default FORWARD rule is DROP
# DNAT to give access to DVR machine @ 172.16.0.131:80
iptables -t nat -A PREROUTING -p tcp -i $EXTIF -s <ext_IP_1> -d $EXTIP
--dport 8282 -j DNAT --to-destination ?172.16.0.131:80
iptables -t nat -A PREROUTING -p tcp -i $EXTIF -s <ext_IP_2> -d $EXTIP
--dport 8282 -j DNAT --to-destination 172.16.0.131:80
iptables -t nat -A PREROUTING -p tcp -i $EXTIF -s <ext_IP_3> -d $EXTIP
--dport 8282 -j DNAT --to-destination 172.16.0.131:80
iptables -A FORWARD -p tcp -i $EXTIF -o $INTIF2 -d 172.16.0.131
--dport 80 -j ACCEPT
The above strategy is working for services that are on Linux (Apache)
without pop up windows but not on services with pop up.
The error conditions are different for each service.
For the specific example of the DVR box, ?When I type:
http://<EXTIP>:8282/ in my browser (the IP number is one of the
ext_IP_? in above rule) I get:
<error code>
400 Bad Request
Your client has issued a malformed or illegal request.
</error code>
Instead of the pop up box that one gets when connecting to the same
unit from workstations on the VPN LAN.
Any hints/suggestions to debug and determine the location of the
problem welcome.
