[CentOS] firewall dilemma

Peter Farrow peter at farrows.org
Thu Nov 3 11:08:51 UTC 2005


Alternatively,

run a DNS zone on the DNS server that has VIEWS enabled....

http://www.zytrax.com/books/dns/ch7/view.html

http://sysadmin.oreilly.com/news/views_0501.html

Or,
You can do some clever stuff and turn the packets around on the firewall 
as follows:

Imagine $WEBSERVER is the internal address of your web server on the 
private LAN, $INT_IFACE is the firewall's internal ethernet card and 
$INT_IP is the firewall's internal IP address, then this command 
redirects all port 80 requests back to the web server, making them look 
like they came from the firewall:

(3) iptables -t nat -A POSTROUTING -p tcp --dport 80 --destination \
    $WEBSERVER --out-interface $INT_IFACE -j SNAT --to-source $INT_IP

A line like the one below in your firewall script can redirect all packets 
from the outside thru to the webserver:

(1) iptables -t nat -A PREROUTING -p tcp --dport 80 -i $EXT_IFACE \
    --destination $EXT_IP -j DNAT --to $WEBSERVER

You will need to allow these packets in the forward chain as well; this 
works perfectly even if you have a transparent proxy running on the firewall.

This line catches packets destined to the external IP address of the 
webserver that came from the inside:

(2) iptables -t nat -A PREROUTING --destination $EXT_IP -p tcp --dport 80 \
    -i $INT_IFACE -j DNAT --to $WEBSERVER:80

Make sure the lines are included in the firewall in this order: (1) (2) (3).

Hope this helps. This example was taken from a client of mine I set up 
with an internal Exchange server running Outlook Web Access, redirected 
through the firewall allowing webmail from the internet, and allowing 
internal users to get it using http://webmail.mydomain.com, which 
actually resolved to the external IP address of the firewall...

Regards

Pete
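
The three NAT rules from the reply above, in the order (1) (2) (3) it requires, together with the FORWARD rules they need, as an added example script that is not part of the original post. Interface names, addresses and LAN_NET are constructed placeholders; the -s LAN_NET match on rule (3) is an addition beyond the reply, narrowing the SNAT to hairpinned LAN clients so that connections arriving from the Internet keep their real source address in the web server's logs.

```shell
#!/bin/sh
# Added example, not from the original post: hairpin NAT rules (1) (2) (3)
# plus the FORWARD rules they need. All values below are constructed placeholders.
EXT_IFACE="${EXT_IFACE:-eth0}"          # firewall's external card
INT_IFACE="${INT_IFACE:-eth1}"          # firewall's internal card
EXT_IP="${EXT_IP:-203.0.113.10}"        # public IP that www.mydomain.com resolves to
INT_IP="${INT_IP:-10.1.1.1}"            # firewall's LAN address
WEBSERVER="${WEBSERVER:-10.1.1.10}"     # web server on the private LAN
LAN_NET="${LAN_NET:-10.1.1.0/24}"       # LAN clients that need the hairpin

# $1 is the command run for each rule: "iptables" to apply, "echo" to dry-run.
hairpin_rules() {
    ipt="$1"
    # (1) Outside -> public IP: rewrite the destination to the LAN web server.
    "$ipt" -t nat -A PREROUTING -i "$EXT_IFACE" -p tcp --dport 80 \
        -d "$EXT_IP" -j DNAT --to-destination "$WEBSERVER:80"
    # (2) Inside -> public IP: same rewrite for LAN clients (the hairpin case).
    "$ipt" -t nat -A PREROUTING -i "$INT_IFACE" -p tcp --dport 80 \
        -d "$EXT_IP" -j DNAT --to-destination "$WEBSERVER:80"
    # (3) SNAT hairpinned connections so the web server answers the firewall,
    #     not the client directly (a direct reply would bypass the NAT state and
    #     be dropped by the client). Restricting to LAN_NET keeps Internet
    #     clients' real addresses in the web server's logs.
    "$ipt" -t nat -A POSTROUTING -o "$INT_IFACE" -s "$LAN_NET" -p tcp --dport 80 \
        -d "$WEBSERVER" -j SNAT --to-source "$INT_IP"
    # FORWARD: replies to tracked connections, then only new port-80 connections
    # to the web server from either interface; anything else hits the chain policy.
    "$ipt" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A FORWARD -i "$EXT_IFACE" -o "$INT_IFACE" -p tcp --dport 80 \
        -d "$WEBSERVER" -m state --state NEW -j ACCEPT
    "$ipt" -A FORWARD -i "$INT_IFACE" -o "$INT_IFACE" -p tcp --dport 80 \
        -d "$WEBSERVER" -m state --state NEW -j ACCEPT
}

# Print the rules unless explicitly asked to apply them.
if [ "${1:-}" = "--apply" ]; then
    hairpin_rules iptables
else
    hairpin_rules echo
fi
```

Run it with no arguments to review the generated rules, and with --apply (as root) to load them.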



Ryan wrote:

>On Wednesday 02 November 2005 02:53 pm, JC wrote:
>  
>
>>Hi everyone,
>>
>>I have this problem that I'm not sure what's the best solution for it.  I
>>need your input & help...
>>
>>I have an internal network behind a hardware firewall.  All traffic goes
>>thru the firewall.  One of the firewall's rules is that it doesn't allow
>>the internal network to access internal resources by traveling outside and
>>then coming back.  In other words, it drops all packets originating from
>>inside the network that travel outside and then come back to access
>>internal resources.
>>
>>For example: I have a web server (using internal IP 10.1.1.10) behind the
>>firewall; the internal network can access this web server with
>>http://10.1.1.10, but they can't access http://www.mydomain.com.  Assume
>>that I have a static IP (xxx.xxx.xxx.xxx) that maps to 10.1.1.10 and a DNS
>>record www.mydomain.com that points to xxx.xxx.xxx.xxx
>>
>>What I want is to allow users inside the network to access
>>http://www.mydomain.com instead of http://10.1.1.10
>>
>>Here is my question:
>>Should I change the rule of the firewall?  If so, is there a security
>>risk?
>>
>>Is there any other solution for this?
>>
>>By the way, I don't have an internal DNS, I use my ISP DNS service.
>>
>>Thank you so much for your help,
>>JC
>>    
>>
>
>Modify the hosts file of your clients to point
>10.1.1.10 to www.mydomain.com
>
>
>Under windowsXP, open the file here: C:\WINDOWS\SYSTEM32\DRIVERS\ETC with 
>notepad.
>
>add in a line:
>10.1.1.10 	www.mydomain.com
>
>
>