getting to www servers from inside where they have an Internal IP

Charles Steinkuehler charles at steinkuehler.net
Sun Jan 29 07:05:18 CST 2006



hanasaki wrote:
> of course it's Linux! I am feeling a bit insulted that anyone would think
> otherwise ;) grin
> 
> The "wacky" port numbers for the httpd are to keep it off low numbered
> ports and run as non-root.  Any suggestions for something better and how
> to do it?
> 
> ah.. "split dns"  cute term... what iptables rules can be put in the
> firewall to bounce the traffic back?  Tried it and failed :(

It's been a while since I set something like this up, and it was with a
2.2 kernel and ipchains, not iptables.

tcpdump will be your friend...you need to make sure the packets are
getting properly mangled by your firewall in both directions.  If that's
happening correctly, the client and web server should "just work".

What's probably happening with a basic port-forward rule in place is the
client sends a request to the FW.  The FW modifies the destination
IP:port and sends the request to the web-server.  The web-server sees
the actual source IP of your internal machine, and sends the reply
directly to it instead of to the firewall (so it can get un-mangled).

If the above assumption is correct, I think you need to add a MASQUERADE
rule to the traffic from your local IP range as it leaves the firewall,
giving it the IP address of your FW box instead of your client system.

...but all bets are off w/o TCP dumps of the input and output traffic
from your firewall and/or web server and client systems.

--
Charles Steinkuehler
charles at steinkuehler.net
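A toy model of the reply path Charles describes, added here as an example (it is not code from the thread). Addresses are constructed: the firewall has WAN 203.0.113.5 and LAN 192.168.1.1, the web server is 192.168.1.10 on a high port 8080, the client is 192.168.1.50, and public DNS resolves the site to the WAN address. With a plain DNAT port-forward the server answers the client directly and the client sees a reply from the wrong address; adding MASQUERADE on the forwarded traffic pulls the reply back through the firewall so it can be un-mangled.

```python
# Constructed addresses for the model (not from the original post)
WAN_IP, FW_LAN_IP = "203.0.113.5", "192.168.1.1"
WEB_IP, WEB_PORT = "192.168.1.10", 8080
CLIENT_IP, LAN_PREFIX = "192.168.1.50", "192.168.1."

from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    """DNAT port-forward in PREROUTING, optional MASQUERADE in POSTROUTING.
    Equivalent rules (assumed, iptables syntax):
      -t nat -A PREROUTING -d WAN_IP -p tcp --dport 80 -j DNAT --to WEB_IP:8080
      -t nat -A POSTROUTING -s LAN/24 -d WEB_IP -p tcp --dport 8080 -j MASQUERADE
    """
    def __init__(self, masquerade):
        self.masquerade = masquerade
        self.orig = None  # the untranslated client packet (conntrack entry)

    def forward(self, p):
        self.orig = p
        if p.dst == WAN_IP and p.dport == 80:                     # DNAT
            p = Pkt(p.src, p.sport, WEB_IP, WEB_PORT)
        if self.masquerade and p.src.startswith(LAN_PREFIX):      # MASQUERADE
            p = Pkt(FW_LAN_IP, p.sport, p.dst, p.dport)
        return p

    def reverse(self, reply):
        # Reply came back through the box: undo both translations
        o = self.orig
        return Pkt(o.dst, o.dport, o.src, o.sport)

def web_server_reply(req):
    # The server answers whatever source address it actually saw
    return Pkt(req.dst, req.dport, req.src, req.sport)

def client_accepts(sent, recv):
    # TCP only matches a reply whose src/sport equal the original dst/dport
    return (recv.src, recv.sport, recv.dst, recv.dport) == \
           (sent.dst, sent.dport, sent.src, sent.sport)

def hairpin_works(masquerade):
    fw = Firewall(masquerade)
    sent = Pkt(CLIENT_IP, 40000, WAN_IP, 80)
    reply = web_server_reply(fw.forward(sent))
    # A reply addressed to the firewall's LAN IP passes back through NAT;
    # one addressed straight to the client bypasses the firewall entirely
    if reply.dst == FW_LAN_IP:
        reply = fw.reverse(reply)
    return client_accepts(sent, reply)
```

Running `hairpin_works(False)` reproduces the failure from the thread (reply from 192.168.1.10:8080 to a client that talked to 203.0.113.5:80), while `hairpin_works(True)` shows the masqueraded connection completing.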


More information about the Kclug mailing list