* web server in DMZ
@ 2004-09-28 10:21 hamals
  2004-09-28 10:40 ` John A. Sullivan III
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: hamals @ 2004-09-28 10:21 UTC (permalink / raw)
  To: netfilter



I have a big problem

I have a web server in my DMZ; I reach it with its
internal IP 192.168.1.10 from my internal LAN, but I can't
reach it with its public IP.

I did a DNAT and from the Internet everything is OK; my web
server is working correctly through DNAT.

Where is the problem?
_______________________________________
Free connection and 10 MB e-mail,
accessible via web and via POP.
www.infinito.it come and discover all
our services!

http://www.infinito.it/xmail




* Re: web server in DMZ
  2004-09-28 10:21 web server in DMZ hamals
@ 2004-09-28 10:40 ` John A. Sullivan III
  2004-09-28 14:17 ` Jason Opperisano
  2004-09-28 14:27 ` Jose Maria Lopez
  2 siblings, 0 replies; 8+ messages in thread
From: John A. Sullivan III @ 2004-09-28 10:40 UTC (permalink / raw)
  To: hamals; +Cc: netfilter

On Tue, 2004-09-28 at 06:21, hamals@infinito.it wrote:
> I have a big problem
> 
> I have a web server in my DMZ; I reach it with its
> internal IP 192.168.1.10 from my internal LAN, but I can't
> reach it with its public IP.
> 
> I did a DNAT and from the Internet everything is OK; my web
> server is working correctly through DNAT.
> 
> Where is the problem?
<snip>
There could be several causes.  Did you remember to bind the public
address to the public firewall NIC so that it responds to ARP requests?

For example, if the firewall is at 1.1.1.2 and you want the web server
to be at 1.1.1.3 then do

ip address add 1.1.1.3/24 brd + dev eth0

(replace /24 with whatever the mask bit count is, and eth0 with
whatever the device name is)

You can find a short slide show on using the ip command at
http://iscs.sourceforge.net 

Good luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 




* Re: web server in DMZ
  2004-09-28 10:21 web server in DMZ hamals
  2004-09-28 10:40 ` John A. Sullivan III
@ 2004-09-28 14:17 ` Jason Opperisano
  2004-09-28 14:44   ` hamals
  2004-09-28 14:27 ` Jose Maria Lopez
  2 siblings, 1 reply; 8+ messages in thread
From: Jason Opperisano @ 2004-09-28 14:17 UTC (permalink / raw)
  To: netfilter

On Tue, 2004-09-28 at 06:21, hamals@infinito.it wrote:
> I have a big problem
> 
> I have a web server in my DMZ; I reach it with its
> internal IP 192.168.1.10 from my internal LAN, but I can't
> reach it with its public IP.
> 
> I did a DNAT and from the Internet everything is OK; my web
> server is working correctly through DNAT.
> 
> Where is the problem?

are you asking how to connect to the web server from the inside by its
public IP address?  if so, you just need another DNAT rule, probably:

  iptables -t nat -A PREROUTING -i $INSIDE_IF -p tcp -d $WWW_PUB_IP \
    --dport 80 -j DNAT --to-destination 192.168.1.10

-j

-- 
Jason Opperisano <opie@817west.com>




* Re: web server in DMZ
  2004-09-28 10:21 web server in DMZ hamals
  2004-09-28 10:40 ` John A. Sullivan III
  2004-09-28 14:17 ` Jason Opperisano
@ 2004-09-28 14:27 ` Jose Maria Lopez
  2 siblings, 0 replies; 8+ messages in thread
From: Jose Maria Lopez @ 2004-09-28 14:27 UTC (permalink / raw)
  To: netfilter@lists.netfilter.org

On Tue, 28 Sep 2004 at 12:21, hamals@infinito.it wrote:
> I have a big problem
> 
> I have a web server in my DMZ; I reach it with its
> internal IP 192.168.1.10 from my internal LAN, but I can't
> reach it with its public IP.
> 
> I did a DNAT and from the Internet everything is OK; my web
> server is working correctly through DNAT.
> 
> Where is the problem?

If you have a public IP in the external NIC of your
server then it should be working OK. I don't know if
you want it to respond directly to Internet or via
DNAT. Anyway it should work as you have it configured.
Check the IP in the external NIC.

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"




* Re: web server in DMZ
  2004-09-28 14:17 ` Jason Opperisano
@ 2004-09-28 14:44   ` hamals
  2004-09-28 15:03     ` Jason Opperisano
  0 siblings, 1 reply; 8+ messages in thread
From: hamals @ 2004-09-28 14:44 UTC (permalink / raw)
  To: netfilter

On Tue, 28 Sep 2004 10:17:29 -0400
  Jason Opperisano <opie@817west.com> wrote:

> 
> are you asking how to connect to the web server from the inside by its
> public IP address?

yes

> if so, you just need another DNAT rule, probably:
> 
>   iptables -t nat -A PREROUTING -i $INSIDE_IF -p tcp -d $WWW_PUB_IP \
>     --dport 80 -j DNAT --to-destination 192.168.1.10
> 
> -j
> 
> -- 
> Jason Opperisano <opie@817west.com>
> 
> 

well I think this is a very good solution, but I can't
understand the following:

hosts in my LAN go to the Internet with a SNAT using the x.x.x.50
IP address, and everything is working; my web server is
accessible from outside, so why can't my inside hosts
access it (with the x.x.x.50 IP)? my hosts should see my
web server like any web server on the net....right?
what is wrong with this concept?







* Re: web server in DMZ
  2004-09-28 14:44   ` hamals
@ 2004-09-28 15:03     ` Jason Opperisano
  2004-09-28 15:14       ` Marek Dohojda
  0 siblings, 1 reply; 8+ messages in thread
From: Jason Opperisano @ 2004-09-28 15:03 UTC (permalink / raw)
  To: netfilter

On Tue, 2004-09-28 at 10:44, hamals@infinito.it wrote:
> well I think this is a very good solution, but I can't
> understand the following:
> 
> hosts in my LAN go to the Internet with a SNAT using the x.x.x.50
> IP address, and everything is working; my web server is
> accessible from outside, so why can't my inside hosts
> access it (with the x.x.x.50 IP)? my hosts should see my
> web server like any web server on the net....right?
> what is wrong with this concept?

routing.  there's nothing "wrong" with the concept; it's just that when
you want to alter how normal routing works, you need to understand it in
order to break it.

-j

-- 
Jason Opperisano <opie@817west.com>




* Re: web server in DMZ
  2004-09-28 15:03     ` Jason Opperisano
@ 2004-09-28 15:14       ` Marek Dohojda
  2004-09-29  9:35         ` hamals
  0 siblings, 1 reply; 8+ messages in thread
From: Marek Dohojda @ 2004-09-28 15:14 UTC (permalink / raw)
  To: Jason Opperisano; +Cc: netfilter

Just create a SNAT to that web server so that whenever they try to go to
the external address it gets mangled and becomes visible via its internal IP.  Or
you could play with advanced routing, which is a pain in this case.

Jason Opperisano wrote:
> On Tue, 2004-09-28 at 10:44, hamals@infinito.it wrote:
> 
>>well I think this is a very good solution, but I can't 
>>understand the following:
>>
>>hosts in my LAN go to the Internet with a SNAT using the x.x.x.50 
>>IP address, and everything is working; my web server is 
>>accessible from outside, so why can't my inside hosts 
>>access it (with the x.x.x.50 IP)? my hosts should see my 
>>web server like any web server on the net....right?
>>what is wrong with this concept?
> 
> 
> routing.  there's nothing "wrong" with the concept; it's just that when
> you want to alter how normal routing works, you need to understand it in
> order to break it.
> 
> -j
> 



* Re: web server in DMZ
  2004-09-28 15:14       ` Marek Dohojda
@ 2004-09-29  9:35         ` hamals
  0 siblings, 0 replies; 8+ messages in thread
From: hamals @ 2004-09-29  9:35 UTC (permalink / raw)
  To: Marek Dohojda; +Cc: netfilter

On Tue, 28 Sep 2004 08:14:54 -0700
  Marek Dohojda <mdohojda@cisco.com> wrote:
> Just create a SNAT to that web server so that whenever they try to go to
> the external address it gets mangled and becomes visible via its internal
> IP.  Or you could play with advanced routing, which is a pain in this case.


I've just created a SNAT for my internal hosts so they go
outside with a public IP, but this solution is not
working.


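To see why the LAN-egress SNAT tried at the end of the thread cannot help and what Jason's inside-interface DNAT changes, here is an added model of the netfilter NAT path (example code written for this page, not code from anyone in the thread): DNAT in PREROUTING runs before the routing decision, so a LAN packet addressed to the public IP is delivered to the firewall itself unless a DNAT rule matches on the inside interface, and SNAT in POSTROUTING never sees it. It also covers Marek's SNAT remark for the case where client and server share a subnet. The interface names, the 10.0.0.0/24 LAN and the address 203.0.113.50 (standing in for the thread's x.x.x.50) are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed topology (an assumption, not from the thread): 203.0.113.50 stands
# in for the thread's x.x.x.50 public address; eth1 is the LAN, eth2 the DMZ.
WEB_DMZ, FW_PUBLIC = "192.168.1.10", "203.0.113.50"
IFACES = {"eth0": ip_network("203.0.113.0/24"),  # outside
          "eth1": ip_network("10.0.0.0/24"),     # inside LAN
          "eth2": ip_network("192.168.1.0/24")}  # DMZ

@dataclass
class Rule:
    chain: str         # "PREROUTING" (DNAT) or "POSTROUTING" (SNAT)
    to: str            # --to-destination / --to-source
    iface: str = None  # -i for PREROUTING, -o for POSTROUTING
    dst: str = None    # -d
    dport: int = None  # --dport

    def hits(self, pkt, iface):
        return (self.iface in (None, iface) and self.dst in (None, pkt["dst"])
                and self.dport in (None, pkt["dport"]))

def route(dst):
    """Routing decision: the firewall's own addresses are delivered locally,
    otherwise the interface whose subnet holds dst, else the default (eth0)."""
    if dst in (FW_PUBLIC, "10.0.0.1", "192.168.1.1"):  # the firewall's addresses
        return "local"
    return next((n for n, net in IFACES.items() if ip_address(dst) in net), "eth0")

def nat_path(pkt, rules):
    """First packet of a connection: PREROUTING (DNAT) runs before the routing
    decision, POSTROUTING (SNAT) only on forwarded packets. Returns (src, dst, out)."""
    pkt = dict(pkt)
    dnat = next((r for r in rules if r.chain == "PREROUTING" and r.hits(pkt, pkt["iif"])), None)
    if dnat:
        pkt["dst"] = dnat.to
    out = route(pkt["dst"])
    snat = next((r for r in rules if r.chain == "POSTROUTING" and out != "local"
                 and r.hits(pkt, out)), None)
    if snat:
        pkt["src"] = snat.to
    return pkt["src"], pkt["dst"], out

def needs_hairpin_snat(client, server):
    """Marek's SNAT: needed when client and server share a subnet, since the
    server's reply would then bypass the firewall (and its conntrack entry)."""
    return route(client) == route(server)

# Thread rules (DNAT from outside, SNAT for LAN egress) and Jason's inside-interface DNAT.
ORIGINAL = [Rule("PREROUTING", WEB_DMZ, "eth0", FW_PUBLIC, 80), Rule("POSTROUTING", FW_PUBLIC, "eth0")]
WITH_INSIDE_DNAT = ORIGINAL + [Rule("PREROUTING", WEB_DMZ, "eth1", FW_PUBLIC, 80)]
```

With only the original rules a LAN packet to 203.0.113.50:80 ends up "local" on the firewall; with the extra inside-interface DNAT it is forwarded to 192.168.1.10 on eth2, and because LAN and DMZ are different subnets the reply comes back through the firewall, so no hairpin SNAT is needed.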

