Alternatively,
run a DNS zone on the DNS server that has views enabled:
http://www.zytrax.com/books/dns/ch7/view.html
http://sysadmin.oreilly.com/news/views_0501.html
Or, you can do some clever stuff and turn the packets around on the firewall as follows:
Imagine $WEBSERVER is the internal address of your web server on the private LAN, $INT_IFACE is the firewall's internal ethernet card and $INT_IP is the firewall's internal IP address; then this command redirects all port 80 requests back to the web server, making them look like they came from the firewall:
(3) iptables -t nat -A POSTROUTING -p tcp --dport 80 --destination $WEBSERVER --out-interface $INT_IFACE -j SNAT --to-source $INT_IP
A line like the one below in your firewall script can redirect all packets from the outside through to the web server:
(1) iptables -t nat -A PREROUTING -p tcp --dport 80 -i $EXT_IFACE --destination $EXT_IP -j DNAT --to $WEBSERVER
You will need to allow these packets in the FORWARD chain as well; this works perfectly even if you have a transparent proxy running on the firewall.
This line catches packets destined to the external IP address of the web server that came from the inside:
(2) iptables -t nat -A PREROUTING --destination $EXT_IP -p tcp --dport 80 -i $INT_IFACE -j DNAT --to $WEBSERVER:80
Make sure the lines are included in the firewall in this order: (1), (2), (3).
Hope this helps. This example was taken from a client of mine that I set up with an internal Exchange server running Outlook Web Access, redirected through the firewall to allow webmail from the internet, and allowing internal users to get to it using http://webmail.mydomain.com, which actually resolved to the external IP address of the firewall...
Regards
Pete
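The three NAT rules from Pete's reply, written out as a complete hairpin-NAT (NAT loopback) script together with the FORWARD entries they need. This is an added example, not a script from the thread or from Pete's client setup. The interface names, the public address 203.0.113.10, the firewall's LAN address 10.1.1.1 and the LAN subnet 10.1.1.0/24 are constructed placeholders; only the web server address 10.1.1.10 comes from JC's mail. The one deliberate change from the posted rules is that the SNAT rule matches `-s "$LAN"` rather than all port 80 traffic to the web server, so that internet clients' real source addresses still reach the web server logs and only the hairpinned LAN connections appear to come from the firewall.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for a web server on the LAN, following the
# three rules in Pete's post plus the FORWARD entries they need.
# Added example, not a script from the thread. All values below are
# constructed placeholders (only 10.1.1.10 is from JC's mail); override
# them from the environment.
EXT_IFACE=${EXT_IFACE:-eth0}          # firewall's internet-facing NIC (assumed)
INT_IFACE=${INT_IFACE:-eth1}          # firewall's LAN NIC (assumed)
EXT_IP=${EXT_IP:-203.0.113.10}        # public IP that www.mydomain.com resolves to (assumed)
INT_IP=${INT_IP:-10.1.1.1}            # firewall's LAN address (assumed)
WEBSERVER=${WEBSERVER:-10.1.1.10}     # web server's LAN address (from JC's mail)
LAN=${LAN:-10.1.1.0/24}               # LAN subnet (assumed)
IPTABLES=${IPTABLES:-iptables}        # set IPTABLES=echo for a dry run

hairpin_rules() {
    # (1) Outside -> public IP: rewrite the destination to the web server.
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IFACE" -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEBSERVER:80"
    # (2) Inside -> public IP: same rewrite, so LAN clients can use the public name.
    $IPTABLES -t nat -A PREROUTING -i "$INT_IFACE" -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEBSERVER:80"
    # (3) Source-NAT only the hairpinned LAN traffic to the firewall's LAN address.
    #     Without this the server answers the LAN client directly from 10.1.1.10,
    #     and the client resets the connection because it is expecting a reply
    #     from $EXT_IP. Matching -s "$LAN" (instead of all port 80 traffic, as in
    #     the post) keeps internet clients' real source addresses in the server logs.
    $IPTABLES -t nat -A POSTROUTING -o "$INT_IFACE" -s "$LAN" -d "$WEBSERVER" -p tcp --dport 80 \
        -j SNAT --to-source "$INT_IP"
    # The DNATed packets still traverse FORWARD; accept new connections to the
    # server and the established flows in both directions.
    $IPTABLES -A FORWARD -p tcp -d "$WEBSERVER" --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -s "$WEBSERVER" --sport 80 -m state --state ESTABLISHED -j ACCEPT
}

# Apply only when asked: "sh hairpin.sh apply" (as root).
# "IPTABLES=echo sh hairpin.sh apply" prints the rules without touching the kernel.
if [ "${1:-}" = "apply" ]; then
    hairpin_rules
fi
```

Rules (1) and (2) live in the nat PREROUTING chain and rule (3) in nat POSTROUTING, so the ordering that matters is relative to other rules already in those chains: the DNAT rules must come before anything in PREROUTING that would match the same traffic first. The FORWARD accepts assume a default DROP policy in FORWARD, which is the usual reason a hairpin setup "almost works" until the forward chain is opened.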
Ryan wrote:
On Wednesday 02 November 2005 02:53 pm, JC wrote:
Hi everyone,
I have this problem that I'm not sure what's the best solution for it. I need your input & help...
I have an internal network behind a hardware firewall. All traffic goes through the firewall. One of the firewall's rules is that it doesn't allow the internal network to access internal resources by traffic that travels outside and then comes back. In other words, it drops all packets originating from inside the network that travel outside and then come back to access internal resources.
For example: I have a web server (using internal IP 10.1.1.10) behind the firewall; the internal network can access this web server with http://10.1.1.10, but they can't access http://www.mydomain.com. Assume that I have a static IP (xxx.xxx.xxx.xxx) mapped to 10.1.1.10 and a DNS record www.mydomain.com that points to xxx.xxx.xxx.xxx.
What I want is to allow users inside the network to be able to access http://www.mydomain.com instead of http://10.1.1.10.
Here is my question: should I change the rule of the firewall? If so, is there a security risk?
Is there any other solution for this?
By the way, I don't have an internal DNS, I use my ISP DNS service.
Thank you so much for your help, JC
Modify the hosts file of your clients to point 10.1.1.10 to www.mydomain.com
Under Windows XP, open the hosts file in C:\WINDOWS\SYSTEM32\DRIVERS\ETC with Notepad
and add in a line: 10.1.1.10 www.mydomain.com
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos