* web server in DMZ
@ 2004-09-28 10:21 hamals
2004-09-28 10:40 ` John A. Sullivan III
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: hamals @ 2004-09-28 10:21 UTC (permalink / raw)
To: netfilter
I have a big problem.
I have a web server in my DMZ. I reach it with its
internal IP 192.168.1.10 from my internal LAN, but I can't
reach it with its public IP.
I did a DNAT and from the Internet everything is OK; my web
server is working correctly via DNAT.
Where is the problem?
_______________________________________
Free connection and 10 MB e-mail,
accessible via web and via POP.
www.infinito.it come and discover all
our services!
http://www.infinito.it/xmail
* Re: web server in DMZ
2004-09-28 10:21 web server in DMZ hamals
@ 2004-09-28 10:40 ` John A. Sullivan III
2004-09-28 14:17 ` Jason Opperisano
2004-09-28 14:27 ` Jose Maria Lopez
2 siblings, 0 replies; 8+ messages in thread
From: John A. Sullivan III @ 2004-09-28 10:40 UTC (permalink / raw)
To: hamals; +Cc: netfilter
On Tue, 2004-09-28 at 06:21, hamals@infinito.it wrote:
> I have a big problem.
>
> I have a web server in my DMZ. I reach it with its
> internal IP 192.168.1.10 from my internal LAN, but I can't
> reach it with its public IP.
>
> I did a DNAT and from the Internet everything is OK; my web
> server is working correctly via DNAT.
>
> Where is the problem?
<snip>
There could be several causes. Did you remember to bind the public
address to the public firewall NIC so that it responds to ARP requests?
For example, if the firewall is at 1.1.1.2 and you want the web server
to be at 1.1.1.3, then do

  ip address add 1.1.1.3/24 dev eth0 brd +

(use the actual mask bit count in place of 24 and the actual device name
in place of eth0).
You can find a short slide show on using the ip command at
http://iscs.sourceforge.net
Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: web server in DMZ
2004-09-28 10:21 web server in DMZ hamals
2004-09-28 10:40 ` John A. Sullivan III
@ 2004-09-28 14:17 ` Jason Opperisano
2004-09-28 14:44 ` hamals
2004-09-28 14:27 ` Jose Maria Lopez
2 siblings, 1 reply; 8+ messages in thread
From: Jason Opperisano @ 2004-09-28 14:17 UTC (permalink / raw)
To: netfilter
On Tue, 2004-09-28 at 06:21, hamals@infinito.it wrote:
> I have a big problem.
>
> I have a web server in my DMZ. I reach it with its
> internal IP 192.168.1.10 from my internal LAN, but I can't
> reach it with its public IP.
>
> I did a DNAT and from the Internet everything is OK; my web
> server is working correctly via DNAT.
>
> Where is the problem?
are you asking how to connect to the web server from the inside by its
public IP address? if so, you just need another DNAT rule, probably:
iptables -t nat -A PREROUTING -i $INSIDE_IF -p tcp -d $WWW_PUB_IP \
--dport 80 -j DNAT --to-destination 192.168.1.10
-j
--
Jason Opperisano <opie@817west.com>
* Re: web server in DMZ
2004-09-28 14:17 ` Jason Opperisano
@ 2004-09-28 14:44 ` hamals
2004-09-28 15:03 ` Jason Opperisano
0 siblings, 1 reply; 8+ messages in thread
From: hamals @ 2004-09-28 14:44 UTC (permalink / raw)
To: netfilter
On Tue, 28 Sep 2004 10:17:29 -0400
Jason Opperisano <opie@817west.com> wrote:
>
> are you asking how to connect to the web server from the
> inside by its public IP address?

yes

> if so, you just need another DNAT rule, probably:
>
> iptables -t nat -A PREROUTING -i $INSIDE_IF -p tcp -d $WWW_PUB_IP \
> --dport 80 -j DNAT --to-destination 192.168.1.10
>
> -j
>
> --
> Jason Opperisano <opie@817west.com>
>
>
well, I think this is a very good solution, but I can't
understand the following:
hosts in my LAN go to the Internet with an SNAT using the x.x.x.50
IP address, and everything is working; my web server is
accessible from outside, so why can't my inside hosts
access it (with the x.x.x.50 IP)? My hosts should see my
web server like any web server on the net... right?
What is wrong with this concept?
* Re: web server in DMZ
2004-09-28 14:44 ` hamals
@ 2004-09-28 15:03 ` Jason Opperisano
2004-09-28 15:14 ` Marek Dohojda
0 siblings, 1 reply; 8+ messages in thread
From: Jason Opperisano @ 2004-09-28 15:03 UTC (permalink / raw)
To: netfilter
On Tue, 2004-09-28 at 10:44, hamals@infinito.it wrote:
> well, I think this is a very good solution, but I can't
> understand the following:
>
> hosts in my LAN go to the Internet with an SNAT using the x.x.x.50
> IP address, and everything is working; my web server is
> accessible from outside, so why can't my inside hosts
> access it (with the x.x.x.50 IP)? My hosts should see my
> web server like any web server on the net... right?
> What is wrong with this concept?
routing. there's nothing "wrong" with the concept; it's just that when
you want to alter how normal routing works, you need to understand it in
order to break it.
-j
--
Jason Opperisano <opie@817west.com>
* Re: web server in DMZ
2004-09-28 15:03 ` Jason Opperisano
@ 2004-09-28 15:14 ` Marek Dohojda
2004-09-29 9:35 ` hamals
0 siblings, 1 reply; 8+ messages in thread
From: Marek Dohojda @ 2004-09-28 15:14 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
Just create an SNAT to that web server so that whenever they try to go to
the external address it gets mangled and is visible via its internal IP. Or
you could play with advanced routing, which is a pain in this case.
Jason Opperisano wrote:
> On Tue, 2004-09-28 at 10:44, hamals@infinito.it wrote:
>
>>well, I think this is a very good solution, but I can't
>>understand the following:
>>
>>hosts in my LAN go to the Internet with an SNAT using the x.x.x.50
>>IP address, and everything is working; my web server is
>>accessible from outside, so why can't my inside hosts
>>access it (with the x.x.x.50 IP)? My hosts should see my
>>web server like any web server on the net... right?
>>What is wrong with this concept?
>
>
> routing. there's nothing "wrong" with the concept; it's just that when
> you want to alter how normal routing works, you need to understand it in
> order to break it.
>
> -j
>
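The two suggestions above (Jason's second DNAT rule on the inside interface and Marek's SNAT toward the web server) are the two halves of what is usually called hairpin NAT or NAT loopback. The following is an added example, not code from anyone in this thread, that emits the complete rule set in iptables-restore format so it can be reviewed before loading. Every address and interface name in it is assumed for illustration: the thread's x.x.x.50 is stood in for by the documentation address 203.0.113.50, the LAN is taken to be 192.168.0.0/24 on eth1, the DMZ 192.168.1.0/24 on eth2 with the firewall at 192.168.1.1, and the outside interface eth0. The helper names hairpin_nat_rules and count_target are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): hairpin NAT for a web server
# in the DMZ, generated as an iptables-restore fragment.
#
# Assumed topology (illustrative, not taken from the thread):
#   eth0  external, owns the public address 203.0.113.50 (stands in for x.x.x.50)
#   eth1  internal LAN 192.168.0.0/24
#   eth2  DMZ 192.168.1.0/24, firewall is 192.168.1.1, web server is 192.168.1.10

hairpin_nat_rules() {
    pub_ip="$1"      # public address the outside world connects to
    www_ip="$2"      # real address of the web server in the DMZ
    lan_net="$3"     # internal LAN prefix
    lan_if="$4"      # interface facing the internal LAN
    fw_dmz_ip="$5"   # the firewall's own address on the DMZ segment

    cat <<EOF
*nat
# 1. Internet -> web server: the DNAT the poster already has.
-A PREROUTING -i eth0 -p tcp -d ${pub_ip} --dport 80 -j DNAT --to-destination ${www_ip}
# 2. LAN -> public address: the same translation, matched on the inside
#    interface. Without it a LAN packet for ${pub_ip} is addressed to the
#    firewall itself and lands in INPUT; it is never forwarded to the server.
-A PREROUTING -i ${lan_if} -s ${lan_net} -p tcp -d ${pub_ip} --dport 80 -j DNAT --to-destination ${www_ip}
# 3. For connections that were DNATed (ctstate DNAT) only, rewrite the source
#    to the firewall's DMZ address so the server's replies come back through
#    the firewall and conntrack can undo the DNAT. This is required when the
#    client and server share a segment or the server has another path to the
#    LAN; it is harmless when the firewall is already the only route. LAN
#    hosts that talk to ${www_ip} directly are not matched, so the server
#    still logs their real addresses; hairpinned clients appear as ${fw_dmz_ip}.
-A POSTROUTING -s ${lan_net} -d ${www_ip} -p tcp --dport 80 -m conntrack --ctstate DNAT -j SNAT --to-source ${fw_dmz_ip}
COMMIT
*filter
# 4. FORWARD sees the packet after DNAT, so the filter rule must admit the
#    translated destination, not ${pub_ip}.
-A FORWARD -i ${lan_if} -s ${lan_net} -d ${www_ip} -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Count the rules with a given target in a generated rule set; a quick sanity
# check that both DNATs and the single SNAT are present before loading.
count_target() {
    printf '%s\n' "$1" | grep -c -- "-j $2"
}

# Print the rule set for the assumed topology when invoked with --print.
if [ "${1:-}" = "--print" ]; then
    hairpin_nat_rules 203.0.113.50 192.168.1.10 192.168.0.0/24 eth1 192.168.1.1
fi
```

Run it with --print, review the output, then load it with iptables-restore --noflush so existing chains are kept and the rules are appended. From a LAN host, a request to the public address should now return the DMZ server's response, and conntrack -L should show the hairpinned flow with both a DNAT and an SNAT mapping. The alternative that avoids NAT loopback entirely is split-horizon DNS, where internal clients resolve the server's name to 192.168.1.10 and never touch the public address.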
* Re: web server in DMZ
2004-09-28 15:14 ` Marek Dohojda
@ 2004-09-29 9:35 ` hamals
0 siblings, 0 replies; 8+ messages in thread
From: hamals @ 2004-09-29 9:35 UTC (permalink / raw)
To: Marek Dohojda; +Cc: netfilter
On Tue, 28 Sep 2004 08:14:54 -0700
Marek Dohojda <mdohojda@cisco.com> wrote:
> Just create an SNAT to that web server so that whenever they
> try to go to the external address it gets mangled and is
> visible via its internal IP. Or you could play with
> advanced routing, which is a pain in this case.
I've just created an SNAT for my internal hosts so they go
outside with a public IP, but this solution is not
working.
* Re: web server in DMZ
2004-09-28 10:21 web server in DMZ hamals
2004-09-28 10:40 ` John A. Sullivan III
2004-09-28 14:17 ` Jason Opperisano
@ 2004-09-28 14:27 ` Jose Maria Lopez
2 siblings, 0 replies; 8+ messages in thread
From: Jose Maria Lopez @ 2004-09-28 14:27 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
On Tue, 28 Sep 2004 at 12:21, hamals@infinito.it wrote:
> I have a big problem.
>
> I have a web server in my DMZ. I reach it with its
> internal IP 192.168.1.10 from my internal LAN, but I can't
> reach it with its public IP.
>
> I did a DNAT and from the Internet everything is OK; my web
> server is working correctly via DNAT.
>
> Where is the problem?
If you have a public IP on the external NIC of your
server then it should be working OK. I don't know if
you want it to respond directly to the Internet or via
DNAT. Anyway, it should work as you have it configured.
Check the IP on the external NIC.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
2004-09-28 10:21 web server in DMZ hamals
2004-09-28 10:40 ` John A. Sullivan III
2004-09-28 14:17 ` Jason Opperisano
2004-09-28 14:44 ` hamals
2004-09-28 15:03 ` Jason Opperisano
2004-09-28 15:14 ` Marek Dohojda
2004-09-29 9:35 ` hamals
2004-09-28 14:27 ` Jose Maria Lopez