Web servers behind nat
Jesse W. Asher
jasher1@tampabay.rr.com
Tue, 09 Oct 2001 15:23:00 -0400
I have a similar problem where I'm DNATing to a web server on a private
IP address behind my firewall, but I'm using virtual hosting with Apache
and so the name matters. I need to be able to access the web servers in
the same way that external boxes do in order to test and troubleshoot.
Anyone have any specific directions to solve this problem?
Matt Harrell wrote:
> If you have a dual-zone DNS, it seems like you could fix this by using
> the internal IP number for the server in DNS for nodes behind the
> firewall, and the external, redirected IP number for nodes outside the
> firewall. That's how my Raptor (Symantec Enterprise Firewall) at work
> is set up.
>
> ------------
> Matt Harrell
> matt@mattharrell.net
> http://www.mattharrell.net
>
> Richf.Net Security Account wrote:
>
>> I've had this problem with Checkpoint FW-1 based solutions before... the
>> problem is normally due to destination unreachable ICMP packets being
>> generated by the device performing NAT. Either having the hosts ignore
>> these, or prohibiting the NAT/FW machine from sending them, should
>> solve the problem.
>>
>>
>> ----- Original Message -----
>> From: "Visitor" <visitor@thisbox.com>
>> To: <netfilter@lists.samba.org>
>> Sent: Tuesday, October 09, 2001 12:56 PM
>> Subject: Re: Web servers behind nat
>>
>>
>>> I have this situation and my web server is visible from the Internet.
>>> The problem is that internal users can not see the web server using the
>>> real internet ip address. How do I fix this?
>>>
>>> Thanks,
>>>
>>> Visitor
>>> visitor@thisbox.com
>>>
>>>
>>> Phil Barbier wrote:
>>>
>>>> OK - this is perfectly possible here...
>>>>
>>>> What you need to do is give your existing card that has the real IP
>>>> some more IPs; this is achieved by typing the following
>>>>
>>>> ifconfig <card>:1 <new IP>
>>>>
>>>> eg,
>>>>
>>>> ifconfig eth0:1 192.168.1.1
>>>> ifconfig eth0:2 192.168.1.2
>>>>
>>>> etc. etc.
>>>>
>>>> You can Source NAT it for outbound traffic; you will also need to
>>>> Destination NAT (DNAT) it as well.
>>>>
>>>> Say your real IP is 1.1.1.1 and your other real IP (for your web
>>>> server) is 1.1.1.2, and your internal IP for your NAT box is 10.0.0.1
>>>> and your internal IP for your webserver is 10.0.0.2; you will need the
>>>> following for web service to work.
>>>>
>>>> iptables -t nat -I PREROUTING 1 -p tcp -s 0.0.0.0/0 -d 1.1.1.2 --dport 80 -j DNAT --to 10.0.0.2
>>>>
>>>> (--dport only works after -p tcp has loaded the tcp match, so -p tcp
>>>> must come before it on the command line)
>>>>
>>>> with the eth card of the real IPs already holding both 1.1.1.1 and
>>>> 1.1.1.2
>>>> Hope this is helpful,
>>>>
>>>> Regards,
>>>>
>>>> Phil Barbier.
>>>>
>>>> --
>>>> Phil Barbier
>>>> Registered Linux User #227794
>>>> Direct Line + 44 (0) 1782 384652
>>>> Web Developer
>>>> Online-Bills Ltd
>>>> http://www.online-bills.com/
>>>> mailto:p.barbier@online-bills.com?subject=from_email
>>>>
>>>>
>>
--
Jesse W. Asher
Virtual Avalon, Inc.
"Security is mostly a superstition. It does not exist in nature... Life
is either a daring adventure or it is nothing." - Helen Keller
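The thread above settles on two fixes for LAN hosts that cannot reach the DNATed web server by its public address: split DNS (Matt Harrell's suggestion), or making the NAT box handle the "hairpin" case itself. The script below is an added example, written for this page and not taken from any poster's setup, showing the second approach as a complete iptables rule set. It reuses the addresses from Phil Barbier's message (public 1.1.1.2, web server 10.0.0.2, NAT box 10.0.0.1); the LAN range 10.0.0.0/24 and the interface names eth0/eth1 are assumptions. Because only the IP header is rewritten, the HTTP Host header the browser sends for the public name is untouched, which is what Apache name-based virtual hosting needs to pick the right site.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT a public IP to a web server on a
# private address, add a hairpin rule so LAN hosts can use the public IP too,
# and cover connections made from the firewall itself.
# Addresses follow Phil Barbier's message; LAN range and interfaces are assumed.
set -eu

PUB_IP=1.1.1.2          # public address held on the external interface
WEB_IP=10.0.0.2         # web server's private address
FW_LAN_IP=10.0.0.1      # NAT box's address on the LAN
LAN_NET=10.0.0.0/24     # assumed LAN range
EXT_IF=eth0             # assumed external interface
LAN_IF=eth1             # assumed internal interface
PORT=80

# Emit the rules one per line. APPLY=1 feeds them to a shell (needs root and
# net.ipv4.ip_forward=1); otherwise they are only printed for review.
nat_rules() {
    # 1. Outside -> public IP: rewrite the destination to the web server.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $PUB_IP --dport $PORT -j DNAT --to-destination $WEB_IP"
    # 2. LAN -> public IP (hairpin): same rewrite, but the packet arrives on the LAN side.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp -d $PUB_IP --dport $PORT -j DNAT --to-destination $WEB_IP"
    # 3. SNAT the hairpinned connection so the server answers via the NAT box.
    #    Without this the server replies straight to the LAN client, which sent
    #    its SYN to 1.1.1.2 and will reset a reply coming from 10.0.0.2.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -p tcp -d $WEB_IP --dport $PORT -j SNAT --to-source $FW_LAN_IP"
    # 4. Locally generated packets never pass PREROUTING; nat OUTPUT catches them.
    echo "iptables -t nat -A OUTPUT -p tcp -d $PUB_IP --dport $PORT -j DNAT --to-destination $WEB_IP"
    # 5. The filter table sees the already-rewritten destination.
    echo "iptables -A FORWARD -p tcp -d $WEB_IP --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules that rewrite the destination (outside, hairpin, local).
dnat_count() { nat_rules | grep -c -- '-j DNAT'; }

# Number of source rewrites; exactly one, for the hairpin path only.
snat_count() { nat_rules | grep -c -- '-j SNAT'; }

if [ "${APPLY:-0}" = 1 ]; then
    nat_rules | sh -e
else
    nat_rules
fi
```

After applying the rules, verify from a LAN host with the name the outside world uses, e.g. `curl -v http://www.example.com/` where the name resolves to 1.1.1.2, and check that Apache's access log shows the request arriving from 10.0.0.1 (the SNAT source) with the expected virtual host. The cost of rule 3 is that the web server loses the real client address for hairpinned requests; split DNS avoids rules 2 and 3 entirely by handing LAN clients 10.0.0.2 directly, at the price of maintaining two zones.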