From: Marek Dohojda
Subject: Re: web server in DMZ
Date: Tue, 28 Sep 2004 08:14:54 -0700
Message-ID: <41597FEE.9010401@cisco.com>
References: <1096381048.2330.47.camel@wolfpack.ljm.dom> <1096383819.2330.50.camel@wolfpack.ljm.dom>
In-Reply-To: <1096383819.2330.50.camel@wolfpack.ljm.dom>
To: Jason Opperisano
Cc: netfilter@lists.netfilter.org

Just create SNAT to that webserver so that whenever they try to go to
the external address it gets mangled and visible via its internal IP.
Or you could play with advanced routing, which is a pain in this case.

Jason Opperisano wrote:
> On Tue, 2004-09-28 at 10:44, hamals@infinito.it wrote:
>
>>well I think this is a very good solution, but I can't
>>understand the following:
>>
>>hosts in my LAN go in internet with a snat using x.x.x.50
>>ip address, and everything is working; my web server is
>>accessible from outside, then why my inside hosts can't
>>access to him (with x.x.x.50 IP)? my hosts should see my
>>web server like any web server on the net....right?
>>what is wrong in this concept?
>
>
> routing. there's nothing "wrong" with the concept; it's just that when
> you want to alter how normal routing works, you need to understand it in
> order to break it.
>
> -j
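
The NAT fix suggested in the reply above, written out as iptables rules. This is an added example, not part of the original thread, and it pairs the SNAT with the DNAT that redirects LAN clients from the public address to the internal one. The addresses, the port and the `hairpin_rules` helper are assumptions (constructed placeholders); the function prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: emit hairpin-NAT rules so LAN clients can reach a DNATed web
# server through its public address. All addresses used here are constructed
# placeholders (RFC 5737 / RFC 1918), not values from the thread.

# hairpin_rules PUBLIC_IP SERVER_IP LAN_NET FW_IP [PORT]
#   PUBLIC_IP  external address the LAN clients type in
#   SERVER_IP  internal address of the web server
#   LAN_NET    source network of the internal clients
#   FW_IP      firewall's own address on the server's network
# Prints the commands so they can be reviewed before being applied as root.
hairpin_rules() {
    if [ "$#" -lt 4 ]; then
        echo "usage: hairpin_rules PUBLIC_IP SERVER_IP LAN_NET FW_IP [PORT]" >&2
        return 2
    fi
    public_ip=$1 server_ip=$2 lan_net=$3 fw_ip=$4 port=${5:-80}

    # 1. Before the routing decision: LAN traffic aimed at the public address
    #    is redirected to the server's internal address.
    echo "iptables -t nat -A PREROUTING -s $lan_net -d $public_ip -p tcp --dport $port -j DNAT --to-destination $server_ip"

    # 2. After routing: rewrite the source to the firewall so the server's
    #    replies come back through it and get un-NATed. Side effect: the web
    #    server logs FW_IP instead of the real client address.
    echo "iptables -t nat -A POSTROUTING -s $lan_net -d $server_ip -p tcp --dport $port -j SNAT --to-source $fw_ip"

    # 3. Permit the forwarded connection and its return traffic only.
    echo "iptables -A FORWARD -s $lan_net -d $server_ip -p tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -s $server_ip -d $lan_net -p tcp --sport $port -m state --state ESTABLISHED -j ACCEPT"
}

# Constructed sample topology: public 203.0.113.10, server 192.168.2.10,
# LAN 192.168.1.0/24, firewall's server-side address 192.168.2.1.
hairpin_rules 203.0.113.10 192.168.2.10 192.168.1.0/24 192.168.2.1
```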