Linux Netfilter discussions
* IPTABLES Difficulties
@ 2003-08-17 23:03 Anthony R. Vallario
  0 siblings, 0 replies; 3+ messages in thread
From: Anthony R. Vallario @ 2003-08-17 23:03 UTC (permalink / raw)
  To: netfilter


To whom it may concern:

I have an iptables NAT box set up on Red Hat 9.0. I recently added a box behind the firewall that will act as a web server. I didn't want to do a DMZ, as money is tight. I used the following rules to get all outside requests on port 80 to the web server inside:

-A PREROUTING -p tcp -i eth0 -d $publicip --dport 80 -j DNAT --to-destination $internalip
-A PREROUTING -p tcp -i eth0 -d $publicip --dport 443 -j DNAT --to-destination $internalip

My only problem is that when somebody behind the firewall wants to access this web server, it doesn't work. I don't want to have to type in the internal IP. I don't want to install an internal DNS server. I would like my workstations to be able to type in the FQDN for the web server and have it actually work. If NAT works, why doesn't it go out the firewall and turn right back around and go to the web server?

Anthony R. Vallario


* RE: IPTABLES Difficulties
@ 2003-08-17 23:22 George Vieira
  0 siblings, 0 replies; 3+ messages in thread
From: George Vieira @ 2003-08-17 23:22 UTC (permalink / raw)
  To: Anthony R. Vallario, netfilter


This has been requested many times in the past. You have to remember that your DNAT rule only applies to outsiders; you must DNAT the inside users as well, and, as you do with them when they browse outside websites, you have to MASQUERADE them to your internal one as well.
 

Thanks,

 
____________________________________________
George Vieira
Systems Manager, Citadel Computer Systems Pty Ltd
georgev AT citadelcomputer DOT com DOT au
Phone: +61 2 9955 2644  HelpDesk: +61 2 9955 2698
http://www.citadelcomputer.com.au
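The hairpin ("loopback") NAT that George describes, written out as an added example; this is not code from either poster. It assumes the firewall's public address is on eth0 (as in the original rules), a LAN interface eth1, the LAN subnet 192.168.1.0/24, the web server at 192.168.1.20, and the public address 203.0.113.10; all of these are placeholders that can be overridden from the environment. The script only prints the ruleset unless run as root with --apply.

```shell
#!/bin/sh
# Hairpin (loopback) NAT for a web server on the LAN side of an iptables NAT box.
# Added example, not code from the thread. Addresses, interfaces and the LAN subnet
# below are assumed placeholders; override them from the environment.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"      # assumed: address on the WAN interface
INTERNAL_IP="${INTERNAL_IP:-192.168.1.20}"  # assumed: the web server's LAN address
WAN_IF="${WAN_IF:-eth0}"                    # the original rules match -i eth0
LAN_IF="${LAN_IF:-eth1}"                    # assumed: LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # assumed: LAN subnet

# Emit the nat table in iptables-restore syntax. iptables-restore ignores '#' lines.
hairpin_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# 1. Outside clients, as in the original post: rewrite the destination only.
-A PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP --dport 80 -j DNAT --to-destination $INTERNAL_IP
-A PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP --dport 443 -j DNAT --to-destination $INTERNAL_IP
# 2. Inside clients: the same DNAT, but arriving on the LAN interface. With only
#    the -i $WAN_IF rules above, a LAN client's packet to $PUBLIC_IP is delivered to
#    the firewall itself and never reaches the server.
-A PREROUTING -i $LAN_IF -p tcp -s $LAN_NET -d $PUBLIC_IP --dport 80 -j DNAT --to-destination $INTERNAL_IP
-A PREROUTING -i $LAN_IF -p tcp -s $LAN_NET -d $PUBLIC_IP --dport 443 -j DNAT --to-destination $INTERNAL_IP
# 3. Hairpinned flows leave on $LAN_IF towards a server on the client's own subnet.
#    Without source NAT the server replies straight to the client, which expected
#    the answer from $PUBLIC_IP and drops it (the SYN-ACK has the wrong source).
#    Masquerading to the firewall's LAN address forces the reply back through the box.
-A POSTROUTING -o $LAN_IF -p tcp -s $LAN_NET -d $INTERNAL_IP -m multiport --dports 80,443 -j MASQUERADE
# 4. Ordinary outbound masquerading for the LAN.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Sanity check on the generated ruleset: the DNAT rules for both interfaces must be
# paired with a source-NAT rule on the LAN interface, or the hairpin only half-works.
hairpin_rules_consistent() {
    rules=$(hairpin_nat_rules)
    dnat=$(printf '%s\n' "$rules" | grep -c -- "-j DNAT --to-destination $INTERNAL_IP")
    snat=$(printf '%s\n' "$rules" | grep -c -- "-o $LAN_IF .* -d $INTERNAL_IP .*-j MASQUERADE")
    [ "$dnat" -eq 4 ] && [ "$snat" -ge 1 ]
}

# Print the ruleset by default; load it with --apply (as root). iptables-restore
# replaces the whole nat table, so merge any existing nat rules into the output first.
case "${1:-}" in
    --apply) hairpin_nat_rules | iptables-restore ;;
    *)       hairpin_nat_rules ;;
esac
```

After loading, `iptables -t nat -L -nv` should show the LAN-side DNAT counters climbing when an internal client browses to the FQDN. Two caveats a practitioner should expect: the server's access log will record the firewall's LAN address, not the real client, for every hairpinned connection, and on current kernels the POSTROUTING rule can be narrowed to exactly those connections with `-m conntrack --ctstate DNAT` instead of matching on ports. The usual alternative, split DNS that answers the internal address to LAN clients, avoids the extra NAT entirely, but the original poster ruled out running an internal DNS server.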

Thread overview: 3 messages
2003-08-17 23:03 IPTABLES Difficulties Anthony R. Vallario
2003-08-17 23:06 IPTABLES Difficulties Anthony R. Vallario
2003-08-17 23:22 RE: IPTABLES Difficulties George Vieira