Re: iptables problem getting url's hosted inside
This is very problematic, as Gorge points out. It's just best to be
avoided, as setting up a DNS server is so easy. apt-get install resolvconf
dnsmasq; # is the best way to go.
--- Douglas Maxwell <email@example.com> wrote:
> On Tue, May 18, 2004 at 07:00:15AM -0500, hanasaki wrote:
> > external internet - firewall - internal web server
> > internet traffic on port 80 is passed to the internal web server
> > external internet based browsers can hit the server
> > internal based browsers cannot
> > What iptables runs are needed to let the internal browsers hit the
> > internal server with the external IP
> Could you post your NAT rules? iptables -L -t nat -nvx would do it.
> and your iptables rules (maybe just the pertinent ones) with a snippet
> of iptables -L -nvx.
> In general, problems like this are usually caused by one of three things:
> 1) NAT is not being done properly
> 2) Asymmetric routing is causing the translated packets from your
> internal net to go out some odd interface, and never return.
> 3) The iptables ruleset is not configured to allow connections to your
> webserver with a source of your internal LAN (one related question -
> if you are doing SNAT for your internal network, this could also
> complicate things - you may have a rule that allows the internal net
> access to the webserver on port 80, but the packets are appearing on
> the firewall's external interface with the SNAT address you are using,
> causing the DROP/REJECT).
> A tcpdump on your firewall's external interface will tell you if you
> are inadvertently NAT'ing traffic from the internal LAN to the
> webserver. If you are logging all DROPs, you can also tail your syslog
> to see the packet details of the dropped packets.
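For readers who do want the firewall to handle it rather than split DNS, here is an added example (not from either poster) of the hairpin NAT rules that address all three causes Douglas lists: a DNAT for packets arriving on the internal interface, an SNAT so the server's replies come back through the firewall instead of going straight to the client (the asymmetric-routing case), and a FORWARD rule that accepts the translated flow. The interface names, addresses and hostname are assumed values, not from the thread.

```shell
#!/bin/sh
# Hairpin ("NAT loopback") rules for: Internet - firewall - internal web server.
# Assumed layout (constructed for this example, not from the thread):
#   eth0 = external interface with public IP 203.0.113.5
#   eth1 = internal interface, firewall LAN address 192.168.1.1, LAN 192.168.1.0/24
#   web server = 192.168.1.10
EXT_IF=eth0;  EXT_IP=203.0.113.5
INT_IF=eth1;  FW_LAN_IP=192.168.1.1;  LAN=192.168.1.0/24
WEB=192.168.1.10
# Dry run by default: the rules are printed, not applied. Run as root with
# IPT=iptables to apply them.
IPT=${IPT:-echo}

hairpin_rules() {
    # Existing rule: Internet clients hitting port 80 are sent to the web server.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB:80"
    # Cause 1: LAN clients using the external IP also need the DNAT, but their
    # packets arrive on the internal interface, which the rule above never sees.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB:80"
    # Cause 2: after DNAT the server would reply directly to the LAN client,
    # bypassing the firewall, and the client would reset the mismatched reply.
    # Rewriting the source to the firewall's LAN address forces the reply back
    # through the firewall so it is un-NATed symmetrically.
    $IPT -t nat -A POSTROUTING -s "$LAN" -d "$WEB" -p tcp --dport 80 \
        -j SNAT --to-source "$FW_LAN_IP"
    # Cause 3: the translated flow enters and leaves on the internal interface
    # with destination $WEB, so the FORWARD chain must accept it (and replies).
    $IPT -A FORWARD -i "$INT_IF" -o "$INT_IF" -d "$WEB" -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The alternative the reply above recommends (split DNS) needs no NAT rules at
# all: a single dnsmasq line such as
#   address=/www.example.com/192.168.1.10
# makes LAN clients resolve the name to the internal address directly.

if [ "${1:-}" = "show" ]; then
    hairpin_rules      # sh hairpin.sh show   -> prints the five rules
fi
```

With the SNAT in place the web server's logs show the firewall's LAN address for internal clients, which is the trade-off that makes split DNS the cleaner fix for a single server.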