Re: Local to Local via firewall

On Fri, 31 Jul 2009 17:24:19 +0100
Andrew Clayton <andrew@xxxxxxxxxxxxxxxxxx> wrote:

> On Fri, 31 Jul 2009 18:06:21 +0200, Thomas Jacob wrote:
> 
> > On Fri, 2009-07-31 at 14:42 +0100, Andrew Clayton wrote:
> > [.. accessing outside IPs on a NAT router from
> > the inside network ...]
> > 
> > > I can't help but think I'm missing something simple. Then again
> > > does what I'm trying to do make sense?
> > 
> > Just don't DNAT/SNAT packets from the internal network to
> > your public IPs, there is no need for it anyway.
> > 
> > e.g. do something like this before your other DNATs
> > 
> > $IPTABLES -t nat -A PREROUTING -i eth1 -s 192.168.0.0/16 -p tcp -d $HOST_E -j RETURN
> > 
> > Plus, of course, you need to allow access to that IP/port from the
> > internal network in the INPUT chain of the filter table.
> 
> Thanks for the reply. Unfortunately with the above rule, the ssh just
> ends up going to the firewall and not the host. The firewall is
> configured with the IP address of $HOST_E, which is where the DNAT
> comes in to change it to its internal IP.
> 
> It seems what I'm trying to do now is something like:
> 
> internal (workstation)--> external ($HOST_E)--> internal ($HOST_I)
> 
> I could fudge /etc/hosts on machines with the host's external DNS name
> pointing to its internal IP address, but doing it with the firewall
> seems better.
> 
> e.g.
> host.foo.co.uk has an IP of aaa.aaa.aaa.aaa (accessible from outside
> the office)
> host.foo.bar (internal-only DNS name) has an IP of bbb.bbb.bbb.bbb
> 
> I can put 
> 
> bbb.bbb.bbb.bbb foo.co.uk
> 
> in my /etc/hosts file, and then ssh foo.co.uk, works.
> 
> But I do think the firewall is the proper place to do this.


I disagree - DNS is the proper place IMNSHO.  However, configuring
/etc/hosts on individual machines simply doesn't scale; instead, set
up a DNS server for your internal LAN (even run it on the firewall
itself), and have it resolve host.foo.bar.uk to bbb.bbb.bbb.bbb
(the internal IP).

Have a look here for some helpful information:
  http://jengelh.medozas.de/links/iptables/
If you insist on avoiding the DNS solution, then pay attention to
the "Having NAT Issues?" link.

-RW
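For readers who do take the NAT route rather than split DNS, the technique the "Having NAT Issues?" link covers is hairpin NAT: LAN traffic to $HOST_E is DNATed to $HOST_I just like external traffic, and additionally SNATed on the LAN interface so the server's reply goes back through the firewall instead of straight to the client (which would drop a reply arriving from $HOST_I when it expected one from $HOST_E). This is an added example, not rules posted by anyone in the thread; eth1, 192.168.0.0/16 and the $IPTABLES/$HOST_E/$HOST_I names follow the quoted rules, while the actual addresses and the ssh port are placeholders.

```shell
#!/bin/sh
# Hairpin (loopback) NAT for a LAN client reaching an internal server via
# its public address. Variables follow the quoted rules; addresses are
# placeholders (TEST-NET-3 for the public side) and are assumptions.
IPTABLES=${IPTABLES:-/sbin/iptables}
LAN_IF=eth1
LAN_NET=192.168.0.0/16
HOST_E=${HOST_E:-203.0.113.10}   # public address held by the firewall
HOST_I=${HOST_I:-192.168.1.10}   # internal address of the server
PORT=${PORT:-22}                 # ssh, as in the thread

# Rules are only applied when APPLY=1 (needs root); otherwise they are
# printed so the rule set can be reviewed first.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

hairpin_rules() {
    # 1. DNAT: LAN packets addressed to the public IP:port go to the server.
    #    Place this alongside (not after) the RETURN suggested above, since
    #    RETURN would hand the connection to the firewall itself.
    run "$IPTABLES" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -p tcp -d "$HOST_E" --dport "$PORT" -j DNAT --to-destination "$HOST_I"
    # 2. SNAT: rewrite the source to the firewall's LAN address so the
    #    server answers the firewall, which un-NATs both directions.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" \
        -p tcp -d "$HOST_I" --dport "$PORT" -j MASQUERADE
    # 3. FORWARD: the hairpinned flow enters and leaves on the LAN interface,
    #    so the filter table must permit eth1 -> eth1 for this one service.
    run "$IPTABLES" -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp \
        -d "$HOST_I" --dport "$PORT" -j ACCEPT
}

hairpin_rules
```

Run it as-is to print the three rules; run with `APPLY=1` as root to install them.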
