Re: lan users surfing on lan webserver

I'm trying this one one more time, since I still haven't found a
solution.
I have moved a webserver behind my iptables-firewall.
Outside dns for this webserver still points to its external ip-address,
so I've set up the firewall to listen to this ip-address (ethx-alias),
and forward the traffic to the internal webserver using DNAT. This
works.
However, the clients on the LAN cannot use the external URL to surf to
this machine; they have to use its internal ip-address (I know I could
set up Bind on the inside, but I'm trying to avoid this).
I'm using the solutions suggested in the NAT-Howto:

  http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html

but the traffic is not reaching the internal webserver.

Using tcpdump, I see that when the client tries to connect to

http://$external_url/

it connects to the ethX-alias on the firewall (the webserver's old
ip-address), and thus gets a "Connection refused", since the firewall
isn't running a webserver - it's only supposed to forward the traffic
bound for this ip-address to the internal webserver. But the forwarding
is not working when initiated from the LAN.

I have this relevant FORWARD chain:
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -d $EXTWEBSERVER1 --dport 80 -j ACCEPT

PREROUTING:
$IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTWEBSERVER1 -p tcp \
--dport 80 -j DNAT --to $INTWEBSERVER1

POSTROUTING (http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html)

$IPTABLES -t nat -A POSTROUTING -d $INTWEBSERVER1 -s $INTRANET -p tcp \
--dport 80 -j SNAT --to-source 192.168.1.20

192.168.1.20 being the firewall's LAN address.

- M
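A small model of how the nat table treats the hairpin case in this thread (LAN client opening the external URL), added here as an example; it is not netfilter code and not part of the post. Addresses, interface names and the two client hosts are constructed; prerouting() and postrouting() mirror the two nat rules quoted above, with the '-i $EXTIF' match made switchable so both outcomes can be compared.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addresses: the web server's old public address is now an alias on
# the firewall's external interface; the server itself moved to the LAN.
EXTIF = "eth0"
EXTWEBSERVER1 = "203.0.113.10"   # alias on EXTIF, what outside DNS still returns
INTWEBSERVER1 = "192.168.1.10"   # web server's LAN address
FIREWALL_LAN = "192.168.1.20"    # firewall's LAN address, as in the post
INTRANET = ip_network("192.168.1.0/24")

@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int

def prerouting(pkt: Packet, match_extif_only: bool) -> Packet:
    """The DNAT rule from the post; match_extif_only=True keeps its '-i $EXTIF'."""
    if match_extif_only and pkt.in_if != EXTIF:
        return pkt  # rule does not match: dst is still the firewall's own alias
    if pkt.dst == EXTWEBSERVER1 and pkt.dport == 80:
        return replace(pkt, dst=INTWEBSERVER1)
    return pkt

def postrouting(pkt: Packet) -> Packet:
    """The SNAT rule from the post: rewrite LAN sources so the server's replies
    return through the firewall (which holds the NAT state), not straight to the client."""
    if pkt.dst == INTWEBSERVER1 and ip_address(pkt.src) in INTRANET and pkt.dport == 80:
        return replace(pkt, src=FIREWALL_LAN)
    return pkt

def route(pkt: Packet, match_extif_only: bool) -> tuple[str, Packet]:
    """Fate of a SYN to port 80: if dst is still a local address it goes to
    INPUT ('firewall', no listener, so connection refused); otherwise it is
    forwarded to the web server through POSTROUTING."""
    pkt = prerouting(pkt, match_extif_only)
    if pkt.dst == EXTWEBSERVER1:
        return "firewall", pkt
    return "webserver", postrouting(pkt)

def lan_client(match_extif_only: bool) -> tuple[str, Packet]:
    """Constructed LAN client 192.168.1.50 opening http://$external_url/ via eth1."""
    return route(Packet("eth1", "192.168.1.50", EXTWEBSERVER1, 80), match_extif_only)

def internet_client(match_extif_only: bool) -> tuple[str, Packet]:
    """Constructed outside client 198.51.100.7 doing the same via eth0."""
    return route(Packet(EXTIF, "198.51.100.7", EXTWEBSERVER1, 80), match_extif_only)
```

Running lan_client(True) reproduces the tcpdump observation in the post (the SYN stays addressed to the alias and lands in INPUT), while lan_client(False) shows the packet being DNATed and then SNATed to the firewall's LAN address as the HOWTO section describes.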

