
Re: getting to www servers from inside where they have an Internal IP



Hello

On Sunday, 29 January 2006 19:45, hanasaki wrote:
> The goal is to have an internal webserver:
> 	- DONE - running on a high numbered port
> 	- DONE - firewall forwards 80->7777 on webserver
> 	- DONE - external hits on www.blah.com
> 		served by the httpserver
> 	- ???? - internal/intranet also can hit
> 		the webserver as www.blah.com
>
> The problem is that www.blah.com resolves to the external internet IP
> and then gets routed out of the firewall which does not come back in and
> get forwarded to the internal webserver.  It would be ideal if internal
> web browser hits went straight to the internal server.
>
> What iptable rule can be put on the firewall so that internal port 80
> traffic going to the external NIC on port 80 comes back to the internal
> webserver on port 7777?

# Placeholders: LOCAL_NETWORK is the LAN in CIDR form, EXTERNAL_IP the firewall's
# public address, LOCAL_IP the internal web server (variable names must not contain "-").
iptables -t nat -A PREROUTING -s $LOCAL_NETWORK -d $EXTERNAL_IP -p tcp --dport 80 \
    -j DNAT --to-destination $LOCAL_IP:7777

> Is there a way to make squid get all hits to a specific address (the
> external) from a diff address (the internal)?  I tried jares redirector
> but that changes the URL and the web server uses virtual hosts.

Sorry, I don't get that one.
Google either for "reverse squid" or (another topic) take a look at
http://www.tldp.org/HOWTO/TransparentProxy.html

I guess you are referring to one of these issues, but I don't know exactly.

> I am using a squid proxy on host:proxyhttp:8080 that is not transparent
> (ie: needs the proxy manually configured in the web browsers).  This is
> because transparent proxies don't work for ports other than 80, unless
> they are configured for each outgoing http port, which then always goes
> via squid and cannot be used for any other purpose.  

You can also specify port ranges when using iptables...
Furthermore you may detect http-traffic on protocol level. Some iptables based
p2p-block approaches like p2pwall [1] use this technique.

> Ran into this when 
> trying to hit a CPanel at a web hoster that was on some high numbered port.

Keep smiling
yanosz

[1] http://www.lowth.com/p2pwall/
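As an added worked example (not part of yanosz's mail), the script below generates the complete rule set for the "hairpin" setup discussed above: the DNAT rule from the reply, plus the POSTROUTING SNAT that the reply does not mention. Without the SNAT, a client on the same LAN as the web server gets its reply straight from the server's internal address instead of from the public IP it connected to, and drops it. All addresses, variable names and the function names are assumptions chosen for illustration; by default the script only prints the rules so they can be reviewed before being applied with `apply`.

```shell
#!/bin/sh
# Added example: hairpin NAT for an internal web server reached by its public name.
# Every address below is a constructed placeholder (RFC 5737 / RFC 1918 ranges).
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # internal network
EXT_IP="${EXT_IP:-203.0.113.10}"         # firewall's public address
WEB_IP="${WEB_IP:-192.168.1.20}"         # internal web server
WEB_PORT="${WEB_PORT:-7777}"             # high port the httpd listens on
FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}"    # firewall's LAN address

# Emit the iptables commands as text so they can be inspected (and tested)
# without root. Arguments: lan_net ext_ip web_ip web_port fw_lan_ip
hairpin_rules() {
    lan_net=$1; ext_ip=$2; web_ip=$3; web_port=$4; fw_lan_ip=$5
    # 1. Internal client -> public IP:80 is rewritten to the web server
    #    (the rule from the reply, with valid variable names).
    echo "iptables -t nat -A PREROUTING -s $lan_net -d $ext_ip -p tcp --dport 80 -j DNAT --to-destination $web_ip:$web_port"
    # 2. Hairpin caveat: client and server share the LAN, so the server would
    #    answer the client directly from $web_ip and the client would discard
    #    the reply (it expects $ext_ip). Rewriting the source to the firewall
    #    forces the reply back through the firewall, which un-DNATs it.
    echo "iptables -t nat -A POSTROUTING -s $lan_net -d $web_ip -p tcp --dport $web_port -j SNAT --to-source $fw_lan_ip"
    # 3. The rewritten flow must also be allowed through the FORWARD chain.
    echo "iptables -A FORWARD -s $lan_net -d $web_ip -p tcp --dport $web_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
}

# Execute the generated rules one by one, echoing each before running it.
run_rules() {
    hairpin_rules "$@" | while IFS= read -r rule; do
        echo "+ $rule"
        eval "$rule"
    done
}

case "${1:-}" in
    apply) run_rules "$LAN_NET" "$EXT_IP" "$WEB_IP" "$WEB_PORT" "$FW_LAN_IP" ;;
    *)     hairpin_rules "$LAN_NET" "$EXT_IP" "$WEB_IP" "$WEB_PORT" "$FW_LAN_IP" ;;
esac
```

Run it with no arguments to print the three rules, or as `sh hairpin.sh apply` (as root, on the firewall) to install them. The SNAT rule costs the web server the client's real source address in its logs for hairpinned requests; the alternative the reply's first reference hints at (a reverse proxy or split-horizon DNS answering the internal address for www.blah.com) avoids that trade-off.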
