[CentOS] firewall dilemma

Peter Farrow peter at farrows.org
Thu Nov 3 11:08:51 UTC 2005


run a DNS zone on the DNS server that has VIEWS enabled....



You can do some clever stuff and turn the packets around on the firewall 
as follows:

Imagine $WEBSERVER is the internal address of your web server on the 
private LAN, $INT_IFACE is the firewall's internal ethernet card and 
$INT_IP is the firewall's internal IP address, then this command 
redirects all port 80 requests back to the web server, making them look 
like they came from the firewall:

(3) iptables -t nat -A POSTROUTING -p tcp --dport 80 --destination $WEBSERVER --out-interface $INT_IFACE -j SNAT --to-source $INT_IP

A line like this above in your firewall script can redirect all packets 
from the outside through to the webserver:

(1) iptables -t nat -A PREROUTING -p tcp --dport 80 -i $EXT_IFACE --destination $EXT_IP -j DNAT --to $WEBSERVER

You will need to allow these packets in the forward chain as well; this 
works perfectly even if you have a transparent proxy running on the firewall.

This line catches packets destined to the external IP address of the 
webserver that came from the inside:

(2) iptables -t nat -A PREROUTING --destination $EXT_IP -p tcp --dport 80 -i $INT_IFACE -j DNAT --to $WEBSERVER:80

Make sure the lines are included in the firewall in this order: (1) (2) (3).

Hope this helps. This example was taken from a client of mine I set up 
with an internal Exchange server running Outlook Web Access, redirected 
through the firewall allowing webmail from the internet, and allowing 
internal users to get it using http://webmail.mydomain.com, which 
actually resolved to the external IP address of the firewall...
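The three nat rules above in the order (1) (2) (3), together with the FORWARD-chain entries the message says are needed, assembled into one script. This is an added example, not the code from the original message: interface names and addresses are constructed placeholders, and the SNAT rule is narrowed to LAN-sourced traffic, which goes beyond the post, so that connections arriving from the internet keep their real client address in the web server's logs.

```shell
#!/bin/sh
# Constructed placeholders (RFC 5737 / RFC 1918); substitute your own values.
EXT_IFACE="${EXT_IFACE:-eth0}"          # interface facing the internet
INT_IFACE="${INT_IFACE:-eth1}"          # interface facing the LAN
EXT_IP="${EXT_IP:-203.0.113.10}"        # public address www.mydomain.com resolves to
INT_IP="${INT_IP:-192.168.1.1}"         # firewall's LAN address
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # the private LAN
WEBSERVER="${WEBSERVER:-192.168.1.80}"  # web server's LAN address

# DRY_RUN=1 (the default here) prints each rule instead of applying it, so the
# rule set can be reviewed on any host; run as root with DRY_RUN=0 to apply.
: "${DRY_RUN:=1}"
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_hairpin_nat() {
    # (1) outside -> $EXT_IP:80 becomes a connection to the web server
    run iptables -t nat -A PREROUTING -i "$EXT_IFACE" -p tcp --dport 80 \
        -d "$EXT_IP" -j DNAT --to-destination "$WEBSERVER:80"
    # (2) inside -> $EXT_IP:80 is rewritten the same way, so LAN clients can
    #     use the public name without running an internal DNS zone
    run iptables -t nat -A PREROUTING -i "$INT_IFACE" -p tcp --dport 80 \
        -d "$EXT_IP" -j DNAT --to-destination "$WEBSERVER:80"
    # (3) for LAN-sourced hairpin traffic only, rewrite the source to the
    #     firewall so the server's replies return via the firewall; without
    #     this the server answers the LAN client directly and the TCP
    #     handshake fails. Limiting the match to $LAN_NET (an addition to
    #     the post's rule) keeps real client IPs in the web logs for
    #     connections that arrived from the internet.
    run iptables -t nat -A POSTROUTING -o "$INT_IFACE" -s "$LAN_NET" -p tcp \
        --dport 80 -d "$WEBSERVER" -j SNAT --to-source "$INT_IP"
    # FORWARD chain: admit only the redirected web traffic and its replies
    run iptables -A FORWARD -o "$INT_IFACE" -d "$WEBSERVER" -p tcp --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INT_IFACE" -s "$WEBSERVER" -p tcp --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply_hairpin_nat
```

Because the DNAT happens in PREROUTING, the POSTROUTING rule matches on the already-rewritten destination $WEBSERVER, which is why rule (3) can use it directly.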



Ryan wrote:

>On Wednesday 02 November 2005 02:53 pm, JC wrote:
>>Hi everyone,
>>I have this problem that I'm not sure what the best solution for it is.  I
>>need your input & help...
>>I have an internal network behind a hardware firewall.  All traffic goes
>>through the firewall.  One of the firewall's rules is that it doesn't allow
>>the internal network to access internal resources by travelling outside and then
>>coming back.  In other words, it drops all packets originating from inside
>>the network that travel outside and then come back to access internal
>>For example: I have a web server (using an internal IP behind the
>>firewall; the internal network can access this web server with
>>, but they can't access http://www.mydomain.com.  Assume
>>that I have a static IP (xxx.xxx.xxx.xxx) that maps to and a DNS record
>>www.mydomain.com that points to xxx.xxx.xxx.xxx
>>What I want is to allow users inside the network to be able to access
>>http://www.mydomain.com instead of
>>Here is my question:
>>should I change the rule of the firewall?  If so, is there a security
>>Is there any other solution for this?
>>By the way, I don't have an internal DNS; I use my ISP's DNS service.
>>Thank you so much for your help,
>Modify the hosts file of your clients to point
> to www.mydomain.com
>Under Windows XP, open the file here: C:\WINDOWS\SYSTEM32\DRIVERS\ETC with 
>add in a line:
> 	www.mydomain.com
