RE: iptables problem getting URLs hosted inside
> Look at this again, it's clearly wrong. "SNAT --to 192.168.1.1"? Now
> your webserver sees all connections (say from my ip 209.98.98.98) as
> being from 192.168.1.1.
When I stated "This works for me." I really meant it. These rules are
on several production firewalls. Obviously they are not the only rules ;)
Perhaps there should have been a question as to why this would work for
me. I do agree that the rule mentioned will not work alone. I
"assumed" that since hanasaki stated that he had outside access taken
care of he already had the corresponding "PREROUTING" rules in place. I
apologize for that error. I can now see how my statement could be
misunderstood.
While the DNS solution would typically be better in a "standard"
environment I chose to use iptables rules for several reasons. I have
several firewalls that I administer which protect multiple networks. If
the firewall can handle the load why would I want the headaches of
managing multiple internal DNS servers or hosts files when a simple rule
takes care of the needed internal "redirection"? With that being
said.... I am always looking for better ways to administer and secure
environments.
> Even if you fix that by changing it to... (WARNING THIS EXAMPLE IS
> BROKE)
> iptables -t nat -A POSTROUTING -p tcp -m multiport -d <External IP> -s \
> 192.168.1.0/24 --dports 21,80,443 -j DNAT --to 192.168.1.10
Moot point since I did not communicate all facts needed for intelligent
discussion.
> There are still the CPU and bandwidth issues; also responses will be
> routed directly, bypassing the Firewall's state tables. If you use the
> SNAT you are likely to run out of usable ports as each outgoing
> connection will use a different source port.
I typically use a modified MonMotha script and set up static source NATs
for all servers. I would be interested in learning more about the
possibility of running out of usable ports. Do you remember where you
saw this situation documented?
I haven't seen any CPU, memory, hard disk (if installed), or bandwidth
issues on my firewalls specifically. How do you run load tests on your
firewalls? I have made my syslog server sooooo busy that I had to add a
second NIC to connect to it with SSH.
Thanks for your time Mike. I always enjoy reading your responses.
tsean
Listserver:# /etc/init.d/lurkd start
Reloading modules
Processing config directory: /etc/lurkd
Processing config file: /etc/lurkd/lurking.conf
lurkd: started
.
Listserver:#
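The hairpin ("NAT loopback") setup the thread is arguing about, written out as an added example that is not tsean's MonMotha-based script or Mike's quoted rule: the PREROUTING/POSTROUTING pair that lets LAN clients reach the inside server by its external address while replies still pass through the firewall's state table, plus a small check that rejects DNAT in POSTROUTING (the quoted broken rule). All addresses and the external IP 203.0.113.10 are constructed placeholders.

```shell
#!/bin/sh
# Hairpin NAT: LAN clients reach the web server via the firewall's public
# address; replies are forced back through the firewall. Addresses below
# are constructed placeholders for this example.
EXT_IP="203.0.113.10"        # firewall's public address (placeholder)
LAN="192.168.1.0/24"         # inside network
SERVER="192.168.1.10"        # web server on the inside
FW_LAN="192.168.1.1"         # firewall's inside address
PORTS="21,80,443"

# Print the rules instead of running them; pipe the output to sh to apply.
hairpin_rules() {
    ext="$1"; lan="$2"; srv="$3"; fwlan="$4"; ports="$5"
    # 1. DNAT is only valid before routing (PREROUTING/OUTPUT), never in
    #    POSTROUTING. Only LAN clients talking to the external IP are rewritten.
    echo "iptables -t nat -A PREROUTING -s $lan -d $ext -p tcp -m multiport --dports $ports -j DNAT --to-destination $srv"
    # 2. Source-NAT only the hairpinned flows (LAN -> server). The server then
    #    answers the firewall, which undoes both translations via conntrack,
    #    instead of replying host-to-host on the LAN and bypassing the state
    #    table. Outside clients are not matched here and keep their real source.
    echo "iptables -t nat -A POSTROUTING -s $lan -d $srv -p tcp -m multiport --dports $ports -j SNAT --to-source $fwlan"
    # 3. Let the translated traffic and its replies through FORWARD.
    echo "iptables -A FORWARD -s $lan -d $srv -p tcp -m multiport --dports $ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $srv -d $lan -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Returns 0 when every '-j DNAT' line sits in PREROUTING or OUTPUT,
# 1 when one is in another chain (iptables itself would refuse to load it).
dnat_in_valid_chain() {
    ! printf '%s\n' "$1" | grep -- '-j DNAT' | grep -qvE -- '-A (PREROUTING|OUTPUT) '
}

hairpin_rules "$EXT_IP" "$LAN" "$SERVER" "$FW_LAN" "$PORTS"
```

Inside clients will still appear to the server as coming from 192.168.1.1, which is the trade-off Mike points out; only external clients keep their real source address with this rule set.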