This is a discussion on "Why can't I go out & back in?" within the Linux Security forums, part of the System Security and Security Related category.
I'm fairly new to linux routing, but I've had several years with Ciscos/Watchguards and the like. Something that has always puzzled me, but I've never been able to get my arms around, is this.

Consider this setup.

I have 1 router with 2 "live" IPs on the internet: X.X.X.124 and X.X.X.125.

This router is running NAT for both IPs and has 2 separate servers behind it running as email servers. So, when I go to mail.AAA.com, DNS points me to the .124 address and in to the correct server. And, likewise, when I go to mail.BBB.com, I get the .125 server.

Ok, why (under normal setups) can't ServerA send information to ServerB via the EXTERNAL IP address (.125)? Anytime I try to "go out and come back in", it doesn't work.

Why is that? If I put a second router in place and host ServerB behind it (and the .125 address), then it works great.

Just wondering if any of you gurus had a thought (and I'm sure you do ;) )

thanks

jf
Jeff Franks wrote:
> I'm fairly new to linux routing, but I've had several years with
> Ciscos/Watchguards and the like. Something that has always puzzled me,
> but I've never been able to get my arms around, is this.
>
> Consider this setup.
>
> I have 1 router with 2 "live" IPs on the internet. X.X.X.124 and
> X.X.X.125.
>
> This router is running NAT for both IPs and has 2 separate servers
> behind it running as email servers. So, when I go to mail.AAA.com, DNS
> points me to the .124 address and in to the correct server. And,
> likewise, when I go to mail.BBB.com, I get the .125 server.
>
> Ok, why (under normal setups) can't ServerA send information to ServerB
> via the EXTERNAL IP address (.125)? Anytime I try to "go out and come
> back in", it doesn't work.
>
> Why is that? If I put a second router in place and host ServerB behind
> it (and the .125 address), then it works great.
>
> Just wondering if any of you gurus had a thought (and I'm sure you do ;) )
>
> thanks
>
> jf

What is the subnet that both the servers are on? That is kinda a funky setup you got there. I take it you need two "live IPs" because of the reverse natting to two servers, yes? Have you done any packet sniffing?
> This router is running NAT for both IPs and has 2 separate servers
> behind it running as email servers. So, when I go to mail.AAA.com, DNS
> points me to the .124 address and in to the correct server. And,
> likewise, when I go to mail.BBB.com, I get the .125 server.
>
> Ok, why (under normal setups) can't ServerA send information to ServerB
> via the EXTERNAL IP address (.125)? Anytime I try to "go out and come
> back in", it doesn't work.

The short answer is because you can't have one packet do a DNAT and a SNAT.

Let's walk through what happens. IIRC the packet from internalA hits the DNAT PREROUTING table first, and you have an instruction that says "DNAT to internalB" and this short-circuits the packet by changing the destination IP of the packet and immediately sends it out the interface responsible for routing to that destination IP. The short circuit doesn't allow the packet to hit the SNAT POSTROUTING table.

So now you have a packet that is from internalA going to internalB. B happily responds directly back to A (without going through the router), but A wasn't expecting a packet from internalB to internalA; it's expecting a packet from externalB to internalA, so A ignores these packets from B.

> Why is that? If I put a second router in place and host ServerB behind
> it (and the .125 address), then it works great.

When you split it across two routers the two translations are split as well. The first router does the SNAT and sends it out to the second router, who then applies the DNAT and routes it internal to B. In this case B doesn't think he's communicating directly with internalA; he thinks he's communicating with externalA. And likewise A thinks he's communicating with externalB. Everybody is happy.

Try running a caching DNS server that has all your internal DNS names mapped to their real internal IPs. Set internal boxes to use this DNS server. This way all your internal systems will connect directly internally, and any DNS request that the DNS server doesn't have a zone file for will be passed on to your ISP's DNS servers.

*OR* you can run two routers (what a pain, one router per public IP).

*OR* you can obtain enough external IPs to assign all your systems external IPs.
"/dev/null" <dev.null@BeginThread.com> writes:
> The short answer is because you can't have one packet do a dnat and a snat.

I do not think that is true. I have successfully set up DNAT and SNAT for the same packet and it works fine.

System A has 2 ethernet interfaces: eth0 is connected to the internet on a.b.c.d, eth1 is connected to the local intranet and has address 10.e.f.g. Certain systems connect via a (closed user group) GPRS router on the intranet, and because it is a closed user group the remote IP must be in the appropriate 10.x.x.x range. Some of these needed to access a service provided by another system (B) which is on the internet (on h.i.j.k).

In order to achieve this I used iptables rules of the form

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport aaa -s 10.x.y.z -j DNAT --to-destination h.i.j.k
    iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport aaa -d h.i.j.k -j SNAT --to-source a.b.c.d

When system B receives the packets, the source IP is shown as system A's and packets sent back are correctly NATed by system A and arrive at the originating GPRS system.