RE: question squid + firewall + http server inside firewall
> -----Original Message-----
> From: Hanasaki JiJi [mailto:email@example.com]
> Sent: Thursday, 5 June 2003 2:42 PM
> To: List - Debian Security
> Subject: question squid + firewall + http server inside firewall
> I have the below rules in my firewall. the http server is inside the
> firewall on 192.168.1.2:80
> people can hit it fine from the outside
> squid is running on the firewall
> inside can browser ouside via squid just fine
> inside cannot browse the outside address
> Any thought/input would be appreciated.
> # http server
> $PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
> -s 0/0 --dport http \
> -j DNAT --to-destination 192.168.1.2:80
> $PROG -t mangle -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
> -o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport http \
> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
I've experienced a similar problem getting NAT'd external IPs to work internally.
The problem arose because whilst the destination address of a packet is being translated through DNAT the source address still remains untranslated as the internal adddess. This means that the returning packet was being sent to the internal address directly without passing through the firewall, thus to the internal machine it appears to originate from the internal IP and will be discarded because it isn't part of the TCP connection.
To remedy this you need a iptables rule to translate the source address of internal packets destined for the external address of the internal server to be the firewall machine's IP.
For example add a rule like:
iptables -t nat -A POSTROUTING -o $NIC_INTERNAL -p tcp \
-s 192.168.1.0/24 -d 192.168.1.2 --dport http \
-j SNAT --to-source $FIREWALL_IP
This way the internal http server will be sending it's responses to the firewall and NAT will be able to translate the addresses to correctly respond to the original packet.
I hope this helps; it's been a while since I had this problem and this is all from memory.
(03) 6224 4116