web server in DMZ

Marek Dohojda mdohojda at cisco.com
Tue Sep 28 17:14:54 CEST 2004

Just create SNAT to that webserver so that whenever they try to go to 
the external address it get mangled and visible via its internal IP.  Or 
you could play with advance routing wihch is a pain in this case.

Jason Opperisano wrote:
> On Tue, 2004-09-28 at 10:44, hamals at infinito.it wrote:
>>well I think this is a very good solution, but I can't 
>>understand the following:
>>hosts in my LAN go in internet with a snat using x.x.x.50 
>>ip address, and everythings is working; my web server is 
>>accessible from outside, then why my inside hosts can't 
>>access to him (with x.x.x.50 IP)? my hosts should see my 
>>web server like any web server on the net....right?
>>what is wrong in this concept?
> routing.  there's nothing "wrong" with the concept; it's just that when
> you want to alter how normal routing works, you need to understand it in
> order to break it.
> -j

More information about the netfilter mailing list