[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: iptables problem getting url's hosted inside

> Look at this again, it's clearly wrong.  "SNAT --to"?  Now
> your webserver sees all connections (say from my ip as
> from

When I stated "This works for me." I really meant it.  These rules are
on several production firewalls.  Obviously they are not the only rules

Perhaps there should have been a question as to why this would work for
me.  I do agree that the rule mentioned will not work alone.  I
"assumed" that since hanasaki stated that he had outside access taken
care of he already had the corresponding "PREROUTING" rules in place.  I
apologize for that error.  I can now see how my statement could be

While the dns solution would typically be better in a "standard"
environment I chose to use iptable rules for several reasons.  I have
several firewalls that I administer which protect multiple networks.  If
the firewall can handle the load why would I want the headaches of
managing multiple internal dns servers or hosts files when a simple rule
takes care of the needed internal "redirection"?  With that being
said.... I am always looking for better ways to administer and secure

> Even if you fix that by changing it to... (WARNING THIS EXAMPLE IS
> iptables -t nat -A POSTROUTING -p tcp -m multiport -d <External IP> -s
> --dports 21,80,443 -j DNAT --to

Moot point since I did not communicate all facts needed for intelligent

> There are still the CPU and bandwith issues also responces will be
> directly bypassing the Firewalls state tables.  If you use the SNAT
> are likely to run out of usable ports as each outgoing connection will
> a diffrent source port.

I typically use a modified MonMotha script and setup static source NATs
for all servers.  I would be interested in learning more about the
possibility of running out of usable ports.  Do you remember where you
saw this situation documented?

I haven't seen any cpu, memory, harddisk(if installed), or bandwidth
issues on my firewalls specifically.  How do you run load tests on your
firewalls?  I have made my syslog server sooooo busy that I had to add a
second nic to connect to it with ssh.

Thanks for your time Mike.  I always enjoy reading your responses.


Listserver:# /etc/init.d/lurkd start
Reloading modules
Processing config directory: /etc/lurkd
Processing config file: /etc/lurkd/lurking.conf
lurkd: started

Reply to: