7.19. ( PORTFW - Locally ) - I can't reach my PORTFWed server from the INTERNAL LAN

This is a common problem which is explained in Section 6.7 under "Note #2". Basically, say your domain, acme.com, has the external IP address 1.2.3.4 and you are PORTFWing all WWW traffic to an internal machine, say, 192.168.1.20. Then, as an /internal/ user, you try to contact http://www.acme.com and expect things to work. Well, they won't. http://www.acme.com resolves to 1.2.3.4, which is the external address of the MASQ server, so your internal client sends its connection to the MASQ box rather than to the web server. Even where the MASQ box does forward that packet, the web server's reply goes straight back to the client across the LAN with a source address of 192.168.1.20, which the client does not recognise as belonging to the connection it opened to 1.2.3.4. What you should really be contacting is http://192.168.1.20. See the difference? The proper solution to this is to set up a SPLIT DNS server. Internal users would be configured to use the /internal/ DNS server, which replies with the 192.168.1.20 address when asked for www.acme.com. All external users get a reply from the /external/ server resolving to the 1.2.3.4 address; from there, IPTABLES/IPCHAINS/IPFWADM PORTFWs the traffic to the 192.168.1.20 server like normal. Another alternative, if you only have a few internal machines, is to set up a "hosts" file entry on all internal machines. That entry would basically look like:
Got it? If you are interested in the more scalable DNS approach, TrinityOS completely covers split and chrooted DNS servers: TrinityOS - Section 24, http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos . Now, if neither the split DNS server nor the hosts file idea interests you, you can add the following line to your firewall ruleset. Please note that this section currently doesn't cover the use of REDIR. If you need help with REDIR, send me an email.
The problem with this approach is that every packet travels from the MASQed web client to the MASQ server, on to the MASQed WWW server, and back again by the same route. This wastes both LAN bandwidth and CPU on the MASQ server, because each connection is NATed twice!
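To make the double pass concrete, here is an iptables "hairpin" PORTFW ruleset written out as an added example. It is not the HOWTO's own firewall line (and it is iptables only, not IPCHAINS or IPFWADM). The external IP 1.2.3.4 and the web server 192.168.1.20 come from the text above; the MASQ box's internal address 192.168.1.1 and the LAN 192.168.1.0/24 are assumptions for the example. By default it prints the rules instead of loading them; run it as root with DRY_RUN=0 to apply.

```shell
#!/bin/sh
# Hairpin ("double NAT") PORTFW so internal clients can reach the web
# server via the external IP. Added example, not code from the HOWTO.
# Addresses from the text: external IP 1.2.3.4, WWW server 192.168.1.20.
# Assumed for this example: MASQ box internal IP 192.168.1.1, LAN 192.168.1.0/24.
EXT_IP=1.2.3.4
WWW_SRV=192.168.1.20
LAN_NET=192.168.1.0/24
MASQ_INT_IP=192.168.1.1

# DRY_RUN=1 (default) echoes the commands; DRY_RUN=0 really runs iptables.
DRY_RUN=${DRY_RUN:-1}
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

hairpin_rules() {
    # 1. Ordinary PORTFW: anyone (inside or outside) connecting to the
    #    external IP on port 80 gets redirected to the internal WWW server.
    ipt -t nat -A PREROUTING -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WWW_SRV":80
    # 2. The hairpin fix: when the client is on the internal LAN, also
    #    rewrite the SOURCE to the MASQ box. Without this the WWW server
    #    answers the client directly from 192.168.1.20, the client is
    #    expecting a reply from 1.2.3.4, and the connection is reset.
    #    With it, the reply comes back through the MASQ box, which undoes
    #    both translations (this is the second pass the text complains about).
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$WWW_SRV" -p tcp --dport 80 \
        -j SNAT --to-source "$MASQ_INT_IP"
    # 3. Let the forwarded traffic through the filter table.
    ipt -A FORWARD -d "$WWW_SRV" -p tcp --dport 80 -j ACCEPT
}

# Check that the SNAT rule is limited to internal clients. If it were not,
# every external visitor would appear in the WWW server's logs as the
# MASQ box, and you would lose the real client address entirely.
snat_is_scoped() {
    hairpin_rules | grep 'SNAT' | grep -q -- "-s $LAN_NET"
}

hairpin_rules
```

The SNAT rule is the part people forget, and it is also the cost of this approach: for internal clients the web server only ever sees 192.168.1.1 as the peer, so its access logs cannot tell internal users apart. Split DNS or a hosts entry avoids both that and the wasted second trip through the MASQ box.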