Re: iptables problem getting url's hosted inside

To: Douglas Maxwell <doug@turinglabs.com>, hanasaki <hanasaki@hanaden.com>
Cc: Debian Firewall - LIST <debian-firewall@lists.debian.org>, charlie <charlesk@generalpants.com.au>
Subject: Re: iptables problem getting url's hosted inside
From: Mike Mestnik <cheako911@yahoo.com>
Date: Tue, 18 May 2004 16:53:00 -0700 (PDT)
Message-id: <[🔎] 20040518235300.50649.qmail@web11908.mail.yahoo.com>
In-reply-to: <[🔎] 20040518142357.GC32418@turinglabs.com>

This is vary ploblematic as Gorge points out.  It's just best to be
avoided as setting up a DNS server is so easy.  apt-get install resolvconf
dnsmasq; # Is best way togo.

--- Douglas Maxwell <doug@turinglabs.com> wrote:
> On Tue, May 18, 2004 at 07:00:15AM -0500, hanasaki wrote:
> > external internet - firewall - internal web server
> > 
> > internet traffic on port 80 is passed to the internal web server
> > external internet based browsers can hit the server
> > inernal based browsers cannot
> > 
> > What iptables runs are needed to let the internal browsers hit the 
> > internal server with the external IP
> 
> Could you post your NAT rules? iptables -L -t nat -nvx would do it.
> Also,
> a your iptables rules (maybe just the pertinent ones) with a snippet
> of iptables -L -nvx.
> 
> In general, problems like this are usually caused by one of three
> things:
> 
> 1) NAT is not being done properly
> 
> 2) Asymmetric routing is causing the translated packets from your
> internal net to go out some odd interface, and never return.
> 
> 3) The iptables ruleset is not configured to allow connections to your
> webserver with a source of your internal LAN (one related question -
> if you are doing SNAT for your internal network, this could also
> complicate things - you may have a rule that allows the internal net
> access to the webserver on port 80, but the packets are appearing on
> the firewall's external interface with the SNAT address you are using,
> causing the DROP/REJECT).
> 
> A tcpdump on your firewall's external interface will tell you if you
> are inadvertently NAT'ing traffic from the internal LAN to the
> webserver. If you are logging all DROPs, you can also tail your syslog
> to see the packet details of the dropped packets.
> 
> 
> Doug
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 



	
		
__________________________________
Do you Yahoo!?
SBC Yahoo! - Internet access at a great low price.
http://promo.yahoo.com/sbc/

Reply to:

References:
- Re: iptables problem getting url's hosted inside
  - From: Douglas Maxwell <doug@turinglabs.com>

Prev by Date: Re: iptables problem getting url's hosted inside
Next by Date: Re: iptables problem getting url's hosted inside
Previous by thread: Re: iptables problem getting url's hosted inside
Next by thread: Re: iptables problem getting url's hosted inside
Index(es):
- Date
- Thread