[CentOS] firewall dilemma
Peter Farrow
peter at farrows.org
Thu Nov 3 11:08:51 UTC 2005
Alternatively,
run a DNS zone on the DNS server that has VIEWS enabled....
http://www.zytrax.com/books/dns/ch7/view.html
http://sysadmin.oreilly.com/news/views_0501.html
Or,
You can do some clever stuff and turn the packets around on the firewall
as follows:
Imagine $WEBSERVER is the internal address of your web server on the
private LAN, $INT_IFACE is the firewall's internal ethernet card and
$INT_IP is the firewall's internal IP address; then this command
redirects all port 80 requests back to the web server, making them look
like they came from the firewall:
(3) iptables -t nat -A POSTROUTING -p tcp --dport 80 --destination $WEBSERVER --out-interface $INT_IFACE -j SNAT --to-source $INT_IP
A line like the following in your firewall script can redirect all packets
from the outside through to the webserver:
(1) iptables -t nat -A PREROUTING -p tcp --dport 80 -i $EXT_IFACE --destination $EXT_IP -j DNAT --to $WEBSERVER
You will need to allow these packets in the forward chain as well; this
works perfectly even if you have a transparent proxy running on the firewall.
This line catches packets destined to the external IP address of the
webserver that came from the inside:
(2) iptables -t nat -A PREROUTING --destination $EXT_IP -p tcp --dport 80 -i $INT_IFACE -j DNAT --to $WEBSERVER:80
Make sure the lines are included in the firewall in this order: (1) (2) (3).
Hope this helps. This example was taken from a client of mine I set up
with an internal Exchange server running Outlook Web Access, redirected
through the firewall to allow webmail from the internet, and allowing
internal users to get to it using http://webmail.mydomain.com, which
actually resolved to the external IP address of the firewall...
Regards
Pete
Ryan wrote:
>On Wednesday 02 November 2005 02:53 pm, JC wrote:
>
>
>>Hi everyone,
>>
>>I have a problem and I'm not sure what the best solution for it is. I
>>need your input & help...
>>
>>I have an internal network behind a hardware firewall. All traffic goes
>>through the firewall. One of the firewall's rules is that it doesn't allow
>>the internal network to access internal resources by travelling outside and
>>then coming back. In other words, it drops all packets originating from inside
>>the network that travel outside and then come back to access internal
>>resources.
>>
>>For example: I have web server (used internal ip 10.1.1.10) behind the
>>firewall, internal network can access this web server with
>>http://10.1.1.10, but they can't access http://www.mydomain.com. Assume
>>that I have static IP (xxx.xxx.xxx.xxx) maps to 10.1.1.10 and dns record
>>www.mydomain.com points to xxx.xxx.xxx.xxx
>>
>>What I want is to allow users inside the network to be able to access
>>http://www.mydomain.com instead of http://10.1.1.10
>>
>>Here is my question:
>>should I change the rule of the firewall? If so, is there a security
>>risk?
>>
>>Is there any other solution for this?
>>
>>By the way, I don't have an internal DNS, I use my ISP DNS service.
>>
>>Thank you so much for your help,
>>JC
>>
>>
>
>Modify the hosts file of your clients to point
>10.1.1.10 to www.mydomain.com
>
>
>Under windowsXP, open the file here: C:\WINDOWS\SYSTEM32\DRIVERS\ETC with
>notepad.
>
>add in a line:
>10.1.1.10 www.mydomain.com
>
>
>
>_______________________________________________
>CentOS mailing list
>CentOS at centos.org
>http://lists.centos.org/mailman/listinfo/centos
>
>
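Pete's three rules, collected into a runnable script as an added example (this is not code from the original post): it fills in constructed placeholder addresses, emits the rules in the order (1) (2) (3) he gives, adds the FORWARD-chain accepts he mentions, and by default prints the iptables commands instead of applying them. It goes one step beyond the post by restricting the SNAT rule (3) to the private LAN ($INT_NET, an assumed variable not in the original), so connections from the internet still reach the web server with their real source address and appear correctly in its logs; only the hairpinned LAN clients get the firewall's address as their source.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for an internal web server. Added example.
# All addresses below are constructed placeholders (203.0.113.0/24 is a
# documentation range); replace them with your own.
WEBSERVER="${WEBSERVER:-10.1.1.10}"    # web server on the private LAN
INT_NET="${INT_NET:-10.1.1.0/24}"      # private LAN (assumed, not in the original post)
INT_IFACE="${INT_IFACE:-eth1}"         # firewall's internal interface
INT_IP="${INT_IP:-10.1.1.1}"           # firewall's internal address
EXT_IFACE="${EXT_IFACE:-eth0}"         # firewall's external interface
EXT_IP="${EXT_IP:-203.0.113.10}"       # public address www.mydomain.com resolves to
# Dry run by default: the commands are printed, not applied.
# Run with IPTABLES=iptables (as root) to install them for real.
IPTABLES="${IPTABLES:-echo iptables}"

hairpin_rules() {
    # (1) Internet -> $EXT_IP:80 is rewritten to the web server.
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IFACE" -p tcp --dport 80 \
        -d "$EXT_IP" -j DNAT --to-destination "$WEBSERVER"
    # (2) LAN -> $EXT_IP:80 (the hairpin case) is rewritten the same way.
    $IPTABLES -t nat -A PREROUTING -i "$INT_IFACE" -p tcp --dport 80 \
        -d "$EXT_IP" -j DNAT --to-destination "$WEBSERVER:80"
    # (3) For LAN clients only, replace the source with the firewall's
    #     internal address, so the web server's replies come back through
    #     the firewall (which reverses both translations) instead of going
    #     straight to the client, where they would not match any connection
    #     the client opened and would be dropped.
    $IPTABLES -t nat -A POSTROUTING -o "$INT_IFACE" -p tcp --dport 80 \
        -s "$INT_NET" -d "$WEBSERVER" -j SNAT --to-source "$INT_IP"
    # FORWARD chain: new connections to the web server on port 80 and the
    # established replies; everything else is left to the existing policy.
    $IPTABLES -A FORWARD -o "$INT_IFACE" -p tcp -d "$WEBSERVER" --dport 80 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INT_IFACE" -p tcp -s "$WEBSERVER" --sport 80 \
        -m state --state ESTABLISHED -j ACCEPT
}

hairpin_rules
```

Run it once as-is to review the generated commands, then with `IPTABLES=iptables` to apply them. Rule (2) must be matched before any generic masquerade rule you already have, and rules (1) and (2) are in PREROUTING while (3) is in POSTROUTING, so the DNAT always happens before the SNAT for the same packet.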