getting to www servers from inside where they have an Internal IP
Jeremy Fowler
JFowler at westrope.com
Mon Jan 30 09:38:59 CST 2006
> The "wacky" port numbers for the httpd are to keep it off low numbered
> ports and run as non-root. Any suggestions for something
> better and how
> to do it?
Well, I think the only security reason to run an http server on a port other than 80 is to hide it from the general public. Port scanners can get around this hurdle quite easily though. Plus, the fact that you SNAT port 80 to that high number port, as far as I can see, makes it useless. Might as well just run the server on port 80 and save yourself some potential headaches.
> ah.. "split dns" cute term... what iptables rules can be put in the
> firewall to bounce the traffic back? Tried it and failed :(
Split DNS has nothing to do with iptables. Its just telling your DNS server to resolve a host to a different address if the request comes from inside your network. It would be the ideal solution. Just host you http server on port 80, and split your DNS to resolve local requests to the internal IP. Problem solved.
However, if you insist on keeping the high port, you could still DNAT requests for the external IP of your http server back to the internal IP:port. So anything going to port 80 of the external IP address of your webserver thru your firewall is redirected back into your network. Try this:
Assuming:
External IP of HTTP Server: 63.63.63.63
Internal IP of HTTP Server: 10.1.1.3
External Port of HTTP Server: 80
Internal Port of HTTP Server: 7777
External interface of your firewall: eth0
Internal interface of your firewall: eth1
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 63.63.63.63 \
--dport 80 -j DNAT --to-destination 10.1.1.3:7777
More information about the Kclug
mailing list