
RE: iptables problem getting url's hosted inside



Look at this again, it's clearly wrong.  "SNAT --to 192.168.1.1"?  Now
your webserver sees all connections (say from my ip 209.98.98.98) as being
from 192.168.1.1.

Even if you fix that by changing it to... (WARNING: THIS EXAMPLE IS BROKEN)
iptables -t nat -A POSTROUTING -p tcp -m multiport -d <External IP> -s \
 192.168.1.0/24 --dports 21,80,443 -j DNAT --to 192.168.1.10

There are still the CPU and bandwidth issues; also, responses will be routed
directly, bypassing the firewall's state tables.  If you use the SNAT you
are likely to run out of usable ports, as each outgoing connection will use
a different source port.

--- tsean <tperkins@wtama.net> wrote:
> This works for me.
> 
> Variables....
> 	Firewall internal ip : 192.168.1.1
> 	Webserver internal ip : 192.168.1.10
> 	Internal class c subnet 192.168.1.0/24
> 	Ports to connect to : tcp 21,80,443
> 
> RULE:
> iptables -t nat -A POSTROUTING -p tcp -m multiport -d 192.168.1.10 -s
> 192.168.1.0/24 --dports 21,80,443 -j SNAT --to 192.168.1.1
> 
> tsean
> 
> -----Original Message-----
> From: charlie [mailto:charlesk@generalpants.com.au] 
> Sent: Tuesday, May 18, 2004 5:59 PM
> To: hanasaki
> Cc: Debian Firewall - LIST
> Subject: Re: iptables problem getting url's hosted inside
> 
> 
> Do you have in internal DNS server? If you do, you can avoid the ugly
> NAT approach and simply assign the domain name the internal IP.
> 
> external clients get external ip, internal clients get internal ip.
> 
> 
> 
> On Tue, 2004-05-18 at 22:00, hanasaki wrote:
> > external internet - firewall - internal web server
> > 
> > internet traffic on port 80 is passed to the internal web server
> > external internet based browsers can hit the server
> > internal based browsers cannot
> > 
> > What iptables runs are needed to let the internal browsers hit the 
> > internal server with the external IP
> > 
> > now external users can hit the server with www.domain.com
> > internal users get connection refused
> > 
> > internal and external users get the same IP from "host www.domain.com"
> > 
> > thanks
> > 
> > charlie wrote:
> > > some more details?
> > > -network structure
> > > -iptables rules
> > > 
> > > 
> > > 
> > > On Tue, 2004-05-18 at 14:02, hanasaki wrote:
> > > 
> > >>I have a box hosted inside the firewall.  The firewall is passing 
> > >>external traffic to it fine.  When an internal box tries to hit the 
> > >>external ip, that should loop back inside, connections fail.  External 
> > >>sites can be loaded fine.
> > >>
> > >>What can cause this and how can it be resolved?
> > >>
> > >>thanks
> > >>
> > >>
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> > 
> > 
> -- 
> ============================
> Charles Kidson
> Systems Administrator
> General Pants Group
> charlesk@generalpants.com.au
> ph 02 9290 0813
> fx 02 9299 6485
> mb 0428 61 7766
> ============================
> 
> 
> 
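The thread above describes the classic "hairpin" (loopback) NAT problem: internal clients connect to the firewall's external IP and the reply path breaks, and a POSTROUTING-only SNAT either hides client addresses from the web server or leaves the return traffic bypassing the firewall. The script below is an added example, not a rule set posted by anyone in this thread. It prints (or, with APPLY=1, applies) the DNAT and SNAT pair that makes the reflected connection work. It reuses the addresses from tsean's message; the external address 203.0.113.5 and the interface name eth0 are placeholders I chose for illustration.

```shell
#!/bin/sh
# Added example: hairpin NAT so LAN clients can reach an internal web server
# through the firewall's public address.  Assumptions are marked below.

FW_INT=192.168.1.1     # firewall internal address (from the thread)
WEB=192.168.1.10       # web server internal address (from the thread)
LAN=192.168.1.0/24     # internal subnet (from the thread)
EXT_IP=203.0.113.5     # placeholder: the firewall's public address
WAN_IF=eth0            # placeholder: the firewall's external interface
PORTS=21,80,443        # published ports (from the thread)

# Rules for external clients: the part hanasaki already had working.
external_rules() {
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $EXT_IP -p tcp -m multiport --dports $PORTS -j DNAT --to-destination $WEB"
}

# Rules for internal clients hitting the external IP.  Both are required:
#  1. DNAT in PREROUTING rewrites the destination from the public address to
#     the web server, so the firewall forwards the packet back into the LAN.
#  2. SNAT in POSTROUTING rewrites the source to the firewall's LAN address,
#     so the server's replies go back through the firewall (where the
#     conntrack entry lives) instead of straight to the client, which would
#     send a reply the client never expects and reset the connection.
# The cost is exactly what the thread points out: the server logs every
# internal client as $FW_INT, and every hairpinned connection consumes a
# source port on the firewall.
hairpin_rules() {
    echo "iptables -t nat -A PREROUTING -s $LAN -d $EXT_IP -p tcp -m multiport --dports $PORTS -j DNAT --to-destination $WEB"
    echo "iptables -t nat -A POSTROUTING -s $LAN -d $WEB -p tcp -m multiport --dports $PORTS -j SNAT --to-source $FW_INT"
}

# Quick sanity check on the generated rules: the DNAT must point at the web
# server and the SNAT at the firewall's LAN address, never the other way round
# (the mistake discussed above).  Returns 0 when the pair looks right.
check_hairpin_rules() {
    rules=$(hairpin_rules)
    echo "$rules" | grep -q -- "-j DNAT --to-destination $WEB" || return 1
    echo "$rules" | grep -q -- "-j SNAT --to-source $FW_INT" || return 1
    return 0
}

# Dry run by default; set APPLY=1 to execute the rules (needs root and
# net.ipv4.ip_forward=1).  Split DNS, as charlie suggests, avoids all of this
# by handing internal clients the internal address directly.
if [ "${APPLY:-0}" = "1" ]; then
    { external_rules; hairpin_rules; } | sh
else
    external_rules
    hairpin_rules
fi
```

Run it once without APPLY to review the rules, then with APPLY=1 on the firewall; forwarding must also be permitted in the filter table, which the script does not touch.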