LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/IP-Masquerade-HOWTO/portfw-local.html

225 lines
5.6 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>( PORTFW - Locally ) - I can't reach my PORTFWed server from the INTERNAL lan</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Linux IP Masquerade HOWTO"
HREF="index.html"><LINK
REL="UP"
TITLE="Frequently Asked Questions"
HREF="faq.html"><LINK
REL="PREVIOUS"
TITLE="( PORTFW ) - IP Masquerading with PORTFWing seems to break when my line
is idle for long periods"
HREF="portfw-issues.html"><LINK
REL="NEXT"
TITLE="( Logs ) - Now that I have IP Masquerading up, I'm getting all sorts of weird
notices and errors in the SYSLOG log files. How do I read the IPTABLES/IPCHAINS/IPFWADM
firewall errors?"
HREF="masq-logs.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linux IP Masquerade HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="portfw-issues.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 7. Frequently Asked Questions</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="masq-logs.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="PORTFW-LOCAL"
></A
>7.19. ( PORTFW - Locally ) - I can't reach my PORTFWed server from the INTERNAL lan</H1
><P
>Basically, say your domain, acme.com, has an external IP address of 1.2.3.4
and you are PORTFWing all WWW traffic to an internal machine, say,
192.168.0.20/24. Then an /internal/ user on the 192.169.0.x network tries to
contact to http://www.acme.com and expects things to work. Well, that isn't
going to happen with a basic config. Let me explain. Basically,
http://www.acme.com is being resolved to the IP of http://1.2.3.4 by your
chosen DNS server. What really should be happening is the web request should
resolve that request to http://192.168.0.20.</P
><P
>See the difference?</P
><P
>The proper solution to this is to setup a SPLIT DNS server. Internal users
would be configured to use an /internal/ DNS server which would resolve
requests like this with the 192.168.0.20 address when asked for www.acme.com.
All external users should be serviced by an /external/ DNS server which will
will resolve the requrest to the 1.2.3.4 IP address. From there,
IPTABLES/IPCHAINS/IPFWADM would then PORTFW the traffic to the 192.168.0.20
server as normal.</P
><P
>But you're probably thinking that you don't want to setup a split DNS server
and there has to be another way. There are a few alternatives! The first
alternative is if you only have a few internal machines. Here, you can
setup a "hosts" file entry on *all* internal machines. That static hosts entry
would basically look like:</P
><P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>www.acme.com 192.168.0.20</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>Got it? With that in place, the machine would consult the hosts table before
going to the DNS server to resolve the host. This works well but if you change
the IP address on that internal web server, you're going to need to manually
update the hosts file on all of those internal machines. If you are
interested in doing the more scalable split DNS approach, TrinityOS completely
covers split and chrooted DNS servers.
<A
HREF="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#TrinityOS"
TARGET="_top"
>TrinityOS - Section 24</A
>
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos</P
><P
>Now, if neither the split DNS nor the hosts file approach interests you, you
still have a simple but effective alternative to get things working. What you
can do is add some specific rules to your rc.firewall-* ruleset. Please see
the "PORTFW Redirection of Internal requests" section under the
<A
HREF="forwarders.html"
>Section 6.7</A
> chapter.</P
><P
>Why didn't I mention this alternative solution first? The main reason is
that it's not the ideal solution. The primary problem with this approach is
that every packet will be going from the internal MASQed client to the MASQ
server. There, the MASQ server will SNAT each packet to the internal MASQed
WWW server's IP and then forward it to the internal web server. Once the
packet is received and responded to by the web server, that response has to
go back through all that processing back to the original client machine. This
process is overly wasteful on both network bandwidth and MASQ server CPU
cycles!</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="portfw-issues.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="masq-logs.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>( PORTFW ) - IP Masquerading with PORTFWing seems to break when my line
is idle for long periods</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="faq.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>( Logs ) - Now that I have IP Masquerading up, I'm getting all sorts of weird
notices and errors in the SYSLOG log files. How do I read the IPTABLES/IPCHAINS/IPFWADM
firewall errors?</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink