
RE: iptables problem getting url's hosted inside



> Look at this again, it's clearly wrong.  "SNAT --to 192.168.1.1"?  Now
> your webserver sees all connections (say from my ip 209.98.98.98) as being
> from 192.168.1.1.


When I stated "This works for me." I really meant it.  These rules are
on several production firewalls.  Obviously they are not the only rules
;)

Perhaps there should have been a question as to why this would work for
me.  I do agree that the rule mentioned will not work alone.  I
"assumed" that since hanasaki stated that he had outside access taken
care of he already had the corresponding "PREROUTING" rules in place.  I
apologize for that error.  I can now see how my statement could be
misunderstood.

While the DNS solution would typically be better in a "standard"
environment I chose to use iptables rules for several reasons.  I have
several firewalls that I administer which protect multiple networks.  If
the firewall can handle the load why would I want the headaches of
managing multiple internal DNS servers or hosts files when a simple rule
takes care of the needed internal "redirection"?  With that being
said.... I am always looking for better ways to administer and secure
environments.


> Even if you fix that by changing it to... (WARNING THIS EXAMPLE IS BROKE)
> iptables -t nat -A POSTROUTING -p tcp -m multiport -d <External IP> -s \
>  192.168.1.0/24 --dports 21,80,443 -j DNAT --to 192.168.1.10


Moot point since I did not communicate all facts needed for intelligent
discussion.


> There are still the CPU and bandwidth issues; also responses will be routed
> directly, bypassing the Firewall's state tables.  If you use the SNAT you
> are likely to run out of usable ports as each outgoing connection will use
> a different source port.

I typically use a modified MonMotha script and set up static source NATs
for all servers.  I would be interested in learning more about the
possibility of running out of usable ports.  Do you remember where you
saw this situation documented?

I haven't seen any CPU, memory, hard disk (if installed), or bandwidth
issues on my firewalls specifically.  How do you run load tests on your
firewalls?  I have made my syslog server sooooo busy that I had to add a
second NIC to connect to it with ssh.

Thanks for your time Mike.  I always enjoy reading your responses.

tsean

Listserver:# /etc/init.d/lurkd start
Reloading modules
Processing config directory: /etc/lurkd
Processing config file: /etc/lurkd/lurking.conf
lurkd: started
.
Listserver:#
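The PREROUTING/POSTROUTING pair that tsean's reply refers to, written out as an added example (not a rule set from either poster or from the MonMotha script). It uses the addresses and ports from the thread; `EXT_IP` is a placeholder for the firewall's public address, and the SNAT is deliberately scoped to the LAN so that outside clients keep their real source address.

```shell
#!/bin/sh
# Hairpin ("loopback") NAT: LAN hosts reach the internal server by its public
# address, and both directions of the flow pass through the firewall.
# Addresses/ports are the ones used in the thread; EXT_IP is a placeholder.
EXT_IP="${EXT_IP:-203.0.113.10}"   # placeholder public address (TEST-NET-3)
LAN_NET="192.168.1.0/24"
FW_LAN_IP="192.168.1.1"             # firewall's LAN-side address
SERVER="192.168.1.10"
PORTS="21,80,443"

# Emit the rules (pipe to sh to apply) so they can be reviewed first.
hairpin_nat_rules() {
    # 1. PREROUTING DNAT: rewrite the public destination to the internal server.
    #    Matches packets arriving from the Internet and from the LAN alike.
    echo "iptables -t nat -A PREROUTING -p tcp -d $EXT_IP -m multiport --dports $PORTS -j DNAT --to-destination $SERVER"
    # 2. POSTROUTING SNAT for LAN clients only. After DNAT the packet is
    #    LAN->LAN; without this the server would answer the client directly,
    #    the reply would bypass the firewall's conntrack entry, and the client
    #    would drop it because it expected an answer from EXT_IP.
    echo "iptables -t nat -A POSTROUTING -p tcp -s $LAN_NET -d $SERVER -m multiport --dports $PORTS -j SNAT --to-source $FW_LAN_IP"
    # 3. Let the DNATed flow through the filter table.
    echo "iptables -A FORWARD -p tcp -d $SERVER -m multiport --dports $PORTS -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Review check: the SNAT rule must carry a LAN source match. An unscoped
# "SNAT --to 192.168.1.1" would rewrite every outside client's address too,
# which is the problem raised in the quoted message.
check_snat_scoped() {
    hairpin_nat_rules | grep -- '-j SNAT' | grep -q -- "-s $LAN_NET"
}
```

Run `hairpin_nat_rules` to print the rules, or `hairpin_nat_rules | sh` on the firewall to apply them; `check_snat_scoped` returns 0 when the SNAT is limited to the LAN.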


