Re: getting to www servers from inside where they have an Internal IP

2006-02-04 Thread Vineet Kumar
* Jan Luehr ([EMAIL PROTECTED]) [060130 06:32]:
> Hello
> 
> On Sunday, 29 January 2006 19:45, hanasaki wrote:
> > The goal is to have an internal webserver:
> > - DONE - running on a high numbered port
> > - DONE - firewall forwards 80-> on webserver
> > - DONE - external hits on www.blah.com
> > served by the httpserver
> > -  - internal/intranet also can hit
> > the webserver as www.blah.com
> >
> > The problem is that www.blah.com resolves to the external internet IP
> > and then gets routed out of the firewall which does not come back in and
> > get forwarded to the internal webserver.  It would be ideal if internal
> > web browser hits went straight to the internal server.
> >
> > What iptable rule can be put on the firewall so that internal port 80
> > traffic going to the external NIC on port 80 comes back to the internal
> > webserver on port ?
> 
> iptables -t nat -A PREROUTING -s LOCAL-NETWORK -d $EXTERNAL-IP -p tcp --dport 80 -j DNAT --to-destination $LOCALIP:

This will only work if the firewall box is a router between the web
server and the rest of the intranet.  This will typically be the case in
a 3-nic DMZ setup, but not in a 2-nic NAT setup.

Do you run a DNS server?  You may want to set it up so that internal
clients resolve the web server's name to an internal address, and then
have a port redirection rule (80->) on the web server itself.  I
think that will be the easiest thing to set up.

good times,
Vineet

-- 
http://www.doorstop.net/




Re: getting to www servers from inside where they have an Internal IP

2006-02-01 Thread martin f krafft
thus spoke Yves Junqueira <[EMAIL PROTECTED]> [2006.02.01.1712 +0100]:
> Bind9 implements "views". It can provide different resolutions to
> the same domain for different networks/hosts. "bind9 view" is the
> way to go, I guess.

most nameservers do, but yes, this is what I meant. This, or
a second nameserver.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"the less you know about computers the more you want micro$oft!"
-- micro$oft ad campaign, circa 1996
(proof that micro$oft's advertising _isn't_ dishonest!)




Re: getting to www servers from inside where they have an Internal IP

2006-02-01 Thread Yves Junqueira
2006/1/29, martin f krafft <[EMAIL PROTECTED]>:
> This is hardly a topic for debian-security but anyway...
>
> thus spoke hanasaki <[EMAIL PROTECTED]> [2006.01.29.1945 +0100]:
> > What iptable rule can be put on the firewall so that internal port 80
> > traffic going to the external NIC on port 80 comes back to the internal
> > webserver on port ?
>
> None that I know. I suggest using a second nameserver to resolve the
> A record to the internal IP.
>

Bind9 implements "views". It can provide different resolutions to the
same domain for different networks/hosts. "bind9 view" is the way to
go, I guess.

--
Yves Junqueira
http://www.cetico.org
Brasília, Brasil
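Split-horizon DNS with BIND9 views, as Yves suggests here and as Vineet and martin suggest at the top of the page: the same zone is served twice, once with the internal address for the intranet and once with the public address for everyone else. The script below is an added example, not code from the thread or from any poster. Its addresses are assumptions (10.0.0.0/8 for the intranet, 10.0.0.80 for the web server inside and 192.0.2.10 outside, 10.0.0.53 and 192.0.2.53 for the nameserver), and it writes the files under a directory you pass as the first argument instead of straight into /etc/bind.

```sh
#!/bin/sh
# Split-horizon ("split brain") DNS for www.blah.com with BIND9 views.
# Added example, not from the thread.  Assumptions: the intranet is
# 10.0.0.0/8, the web server is 10.0.0.80 inside and 192.0.2.10 outside,
# the nameserver is 10.0.0.53 inside and 192.0.2.53 outside, and the
# files are written under the directory given as $1 (default: a scratch
# directory), not straight into /etc/bind.
set -eu

write_split_dns() {
    dir=$1
    mkdir -p "$dir/zones"

    # Once any view exists every zone must live in a view, and views are
    # tried in order, so the intranet view comes first.  The external view
    # is authoritative only: no recursion for the Internet.
    cat > "$dir/named.conf.local" <<'EOF'
acl "intranet" { 10.0.0.0/8; 127.0.0.0/8; };

view "internal" {
    match-clients { intranet; };
    recursion yes;
    zone "blah.com" {
        type master;
        file "zones/db.blah.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "blah.com" {
        type master;
        file "zones/db.blah.com.external";
    };
};
EOF

    # The two zone files differ only in the addresses that are NATed.
    # Bump the serial in both whenever either changes so secondaries reload.
    for scope in internal external; do
        if [ "$scope" = internal ]; then ns=10.0.0.53; www=10.0.0.80
        else ns=192.0.2.53; www=192.0.2.10; fi
        cat > "$dir/zones/db.blah.com.$scope" <<EOF
\$TTL 3600
@   IN SOA ns1.blah.com. hostmaster.blah.com. (
        2006020401 ; serial (YYYYMMDDnn)
        3600       ; refresh
        900        ; retry
        604800     ; expire
        300 )      ; negative-answer TTL
    IN NS  ns1.blah.com.
ns1 IN A   $ns
www IN A   $www
EOF
    done
}

# Syntax-check the zones with BIND's own tool when it is installed.
check_zones() {
    if command -v named-checkzone >/dev/null 2>&1; then
        for scope in internal external; do
            named-checkzone -q blah.com "$1/zones/db.blah.com.$scope"
        done
    else
        echo "named-checkzone not found; skipping zone syntax check" >&2
    fi
}

# Address www.blah.com resolves to in a given view ("internal"/"external"),
# read back from the zone file that view serves.
www_answer() {
    awk '$1 == "www" { print $NF }' "$1/zones/db.blah.com.$2"
}

dir=${1:-$(mktemp -d)}
write_split_dns "$dir"
check_zones "$dir"
echo "config written under $dir"
echo "www.blah.com -> $(www_answer "$dir" internal) for the intranet," \
     "$(www_answer "$dir" external) for everyone else"
```

Two things to check before pointing the intranet's resolvers at this server: every client, including the firewall's own stub resolver, must fall inside the "intranet" ACL, or it silently gets the external answer; and the original poster's maintenance worry is real but bounded, since only the records that are NATed differ, so the shared remainder of the zone can sit in one file pulled into both with $INCLUDE. Vineet's second point still applies once names resolve internally: a client reaches the server on port 80 while the daemon listens on the high port, so the server itself needs a redirection such as `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080` (8080 is an assumed port).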



Re: getting to www servers from inside where they have an Internal IP

2006-02-01 Thread Bernd Eckenfels
martin f krafft <[EMAIL PROTECTED]> wrote:
> None that I know. I suggest using a second nameserver to resolve the
> A record to the internal IP.

"split brain dns"

Regards
Bernd


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: getting to www servers from inside where they have an Internal IP

2006-02-01 Thread Matt

Michelle Konzack wrote:

> On 2006-01-29 12:45:09, hanasaki wrote:
>
>> The goal is to have an internal webserver:
>> - DONE - running on a high numbered port
>> - DONE - firewall forwards 80-> on webserver
>> - DONE - external hits on www.blah.com
>> served by the httpserver
>> -  - internal/intranet also can hit
>> the webserver as www.blah.com
>>
>> The problem is that www.blah.com resolves to the external internet IP
>> and then gets routed out of the firewall which does not come back in and
>
> This is a problem with DNS-Loop-Back.  Please search google for it.
>
> The solution is to add an entry for the Webserver to your /etc/hosts.
>
> Greetings
> Michelle Konzack
> Systemadministrator
> Tamay Dogan Network
> Debian GNU/Linux Consultant

If everything is on the same LAN using the same firewall you can do it like
this to route the packets correctly:
Note I placed commonly known IPs in here -- not ours -- just so you
have something to reference.


# nat table section in iptables-restore(8) syntax
*nat

# NAT into individual hosts; firewalled by FORWARD rules defined in this
# configuration earlier (not included in this snippet).
# Prerouting -d is the public IP of the webserver, --to-dest IP is the
# private IP address of said server.
-A PREROUTING -d 128.101.101.101 -j DNAT --to-dest 192.168.2.2

# Fix up NAT from internal hosts
# postrouting -s is LAN subnet, -d is LAN IP of web server, --to-source
# is IP of gateway (firewall)
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.2.2/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.2.254

COMMIT



Hope this helps!
Matt





Re: getting to www servers from inside where they have an Internal IP

2006-02-01 Thread Michelle Konzack
On 2006-01-29 12:45:09, hanasaki wrote:
> The goal is to have an internal webserver:
>   - DONE - running on a high numbered port
>   - DONE - firewall forwards 80-> on webserver
>   - DONE - external hits on www.blah.com
>   served by the httpserver
>   -  - internal/intranet also can hit
>   the webserver as www.blah.com
> 
> The problem is that www.blah.com resolves to the external internet IP
> and then gets routed out of the firewall which does not come back in and

This is a problem with DNS-Loop-Back.  Please search google for it.

The solution is to add an entry for the Webserver to your /etc/hosts.

Greetings
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)





Re: getting to www servers from inside where they have an Internal IP

2006-01-30 Thread Jan Luehr
Hello

On Sunday, 29 January 2006 19:45, hanasaki wrote:
> The goal is to have an internal webserver:
>   - DONE - running on a high numbered port
>   - DONE - firewall forwards 80-> on webserver
>   - DONE - external hits on www.blah.com
>   served by the httpserver
>   -  - internal/intranet also can hit
>   the webserver as www.blah.com
>
> The problem is that www.blah.com resolves to the external internet IP
> and then gets routed out of the firewall which does not come back in and
> get forwarded to the internal webserver.  It would be ideal if internal
> web browser hits went straight to the internal server.
>
> What iptable rule can be put on the firewall so that internal port 80
> traffic going to the external NIC on port 80 comes back to the internal
> webserver on port ?

iptables -t nat -A PREROUTING -s LOCAL-NETWORK -d $EXTERNAL-IP -p tcp --dport 80 -j DNAT --to-destination $LOCALIP:

> Is there a way to make squid get all hits to a specific address (the
> external) from a diff address (the internal)?  I tried jares redirector
> but that changes the URL and the web server uses virtual hosts.

Sorry, I don't get that one.
Google either for "reverse squid" or (another topic) take a look at
http://www.tldp.org/HOWTO/TransparentProxy.html

I guess you are referring to one of these issues, but I don't know exactly.

> I am using a squid proxy on host:proxyhttp:8080 that is not transparent
> (ie: needs the proxy manually configured in the web browsers).  This is
> because transparent proxies don't work for ports other than 80, unless
> they are configured for each outgoing http port, which then always goes
> via squid and cannot be used for any other purpose.  

You can also specify port ranges when using iptables...
Furthermore, you may detect HTTP traffic at the protocol level. Some iptables-based
p2p-block approaches like p2pwall [1] use this technique.

> Ran into this when 
> trying to hit a CPanel at a web hoster that was on some high numbered port.

Keep smiling
yanosz

[1]http://www.lowth.com/p2pwall/
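Jan's PREROUTING rule above, Matt's DNAT/SNAT pair earlier on this page and Vineet's caveat about 2-NIC versus 3-NIC layouts, put together as one script. This is an added example, not code from the thread or from any poster. Interface names, addresses and the port are assumptions: eth0 faces the Internet, eth1 the LAN, 192.0.2.10 is the public IP, 192.168.2.0/24 the LAN, 192.168.2.254 the firewall's LAN address, 192.168.2.2 the web server and 8080 the high port it listens on. By default the script only prints the rules it would apply.

```sh
#!/bin/sh
# Hairpin NAT ("NAT loopback") on a Linux firewall: intranet clients that
# resolve www.blah.com to the public address still land on the internal
# web server.  Added example, not code from the thread.  Everything in the
# variables below is an assumption: eth0 faces the Internet, eth1 the LAN,
# 192.0.2.10 is the public IP, 192.168.2.0/24 the LAN, 192.168.2.254 the
# firewall's LAN address, 192.168.2.2 the web server, 8080 its high port.
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
PUBLIC_IP=${PUBLIC_IP:-192.0.2.10}
LAN_NET=${LAN_NET:-192.168.2.0/24}
LAN_GW=${LAN_GW:-192.168.2.254}
WEB_IP=${WEB_IP:-192.168.2.2}
WEB_PORT=${WEB_PORT:-8080}
# IPT defaults to "echo iptables" so the script prints the rules instead of
# changing the firewall; run it as root with IPT=iptables to apply them.
IPT=${IPT:-echo iptables}

# Internet -> web server: public:80 becomes server:high port.
dnat_external() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP:$WEB_PORT"
}

# LAN -> public IP: the same rewrite for clients that got the public A
# record (Jan's rule).  Matching the LAN interface and source keeps the
# rule from being reachable with spoofed packets from outside.
dnat_internal() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUBLIC_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$WEB_IP:$WEB_PORT"
}

# 2-NIC layout only (server on the same segment as the clients).  Without
# this the server answers the client directly from 192.168.2.2; the client
# expected the reply from the public IP and resets the connection.  Hiding
# the client behind the firewall's LAN address drags the reply back through
# the firewall, where conntrack reverses the DNAT (Matt's rule).  POSTROUTING
# sees the packet after DNAT, so the match is on the high port, not 80.
snat_hairpin() {
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$WEB_IP" \
        -p tcp --dport "$WEB_PORT" -j SNAT --to-source "$LAN_GW"
}

# The nat table only rewrites; FORWARD still has to admit the translated
# flow, and nothing else, to the server's high port.
forward_allow() {
    $IPT -A FORWARD -d "$WEB_IP" -p tcp --dport "$WEB_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -s "$WEB_IP" -p tcp --sport "$WEB_PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Rule set for a layout: "2nic" (server on the LAN, SNAT needed) or "3nic"
# (server in a DMZ the firewall routes; DNAT alone is enough, as Vineet notes).
hairpin_rules() {
    case "${1:-2nic}" in
        2nic) dnat_external; dnat_internal; snat_hairpin; forward_allow ;;
        3nic) dnat_external; dnat_internal; forward_allow ;;
        *)    echo "usage: $0 2nic|3nic" >&2; return 1 ;;
    esac
}

hairpin_rules "${1:-2nic}"
```

Run `sh hairpin.sh 2nic` to see the rules, `IPT=iptables sh hairpin.sh 2nic` as root to install them; ip_forward must already be on, and on a firewall with a restrictive FORWARD policy these rules may need -I rather than -A to land ahead of a final DROP. The price of the 2-NIC SNAT is visible in the web server's logs: every intranet hit arrives from 192.168.2.254, so per-client logging and IP-based access control on the server stop working for internal users. If that matters, the split-DNS route discussed elsewhere in this thread is the better fix.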





Re: getting to www servers from inside where they have an Internal IP

2006-01-29 Thread martin f krafft
This is hardly a topic for debian-security but anyway...

thus spoke hanasaki <[EMAIL PROTECTED]> [2006.01.29.1945 +0100]:
> What iptable rule can be put on the firewall so that internal port 80
> traffic going to the external NIC on port 80 comes back to the internal
> webserver on port ?

None that I know. I suggest using a second nameserver to resolve the
A record to the internal IP.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"we have a firm commitment to nato, we are a part of nato.
 we have a firm commitment to europe. we are a part of europe." 
  - george w. bush 




getting to www servers from inside where they have an Internal IP

2006-01-29 Thread hanasaki
The goal is to have an internal webserver:
- DONE - running on a high numbered port
- DONE - firewall forwards 80-> on webserver
- DONE - external hits on www.blah.com
served by the httpserver
-  - internal/intranet also can hit
the webserver as www.blah.com

The problem is that www.blah.com resolves to the external internet IP
and then gets routed out of the firewall which does not come back in and
get forwarded to the internal webserver.  It would be ideal if internal
web browser hits went straight to the internal server.

What iptable rule can be put on the firewall so that internal port 80
traffic going to the external NIC on port 80 comes back to the internal
webserver on port ?

Is there a way to make squid get all hits to a specific address (the
external) from a diff address (the internal)?  I tried jares redirector
but that changes the URL and the web server uses virtual hosts.

I know this will work if I set up the host/domain www.blah.com on
internal DNS so it resolves to the internal server IP.  It would also
probably work with some fancy proxy config PAC for the proxy setup in
IE/Firefox.  The DNS solution is high maintenance (hosts change quite
often for business reasons).  The proxy PAC has, from what I understand,
fallen into disfavor and is a bit of a pain to admin and keep working over
both IE and Firefox.  Proxy PACs also require an internal website to
get them from in the config.   We need to minimize user involvement in
setup and also minimize overhead.

Any tips? Anyone doing this now and care to share their solutions?  Any
alternative approaches or ways to accomplish what is needed?

===network
Internal workstations (10.x.x.x)
Internal webserver: (10.x.x.x)
Squid Proxy : 8080
 ^
 |
intranet |
=|== firewall w/ NAT ==
internet |
 |
 V
The Ugly World
web browsers hit firewall on :80
===/network

== proxies and http
I am using a squid proxy on host:proxyhttp:8080 that is not transparent
(ie: needs the proxy manually configured in the web browsers).  This is
because transparent proxies don't work for ports other than 80, unless
they are configured for each outgoing http port, which then always goes
via squid and cannot be used for any other purpose.  Ran into this when
trying to hit a CPanel at a web hoster that was on some high numbered port.

