SUMMARY: Routing internal ports back to LAN

Excuse the late reply.

Thanks to Martin, Seth, Binand, Sean and Flavio for replies.

Rerouting via the firewall back to the inside of the network, although
possible with ipchains, was not a preferred solution since it required
hacks like redir.

With iptables Flavio suggested this should work although I didn't end up
trying it. Quoting him:

<Flavio>
If you decide to switch to iptables, you are going to have to setup two
rules, one to redirect incoming traffic from outside the LAN and the other
to redirect traffic from inside the LAN.

# Outside traffic:
[0:0] -A PREROUTING -d YOUR_VALID_IP -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.1.XX:110

# Inside traffic:
[0:0] -A POSTROUTING -s 192.168.1.0/24 -d YOUR_VALID_IP -o eth0 -j SNAT --to-source YOUR_VALID_IP
[0:0] -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o eth1 -j SNAT --to-source YOUR_VALID_IP
</Flavio>

A "multiview" DNS setup was by far the most popular solution. Would also
be quicker than going via the firewall to a host that is directly
available on the LAN. Thanks to Seth for his example multiview DNS
setups. TrinityOS also has a bit on dual facing DNS servers. 

Binand suggested TinyDNS which can return different results depending on
the source address. It looked complicated to set up, so I'm going with
bind for now, regardless of its checkered past in security.

CH
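A split-horizon ("multiview") BIND configuration of the kind the thread settles on, added here as an illustration and not taken from any message in the thread. The zone name example.com, the file paths, the LAN server address 192.168.1.25 and the public address 203.0.113.10 (standing in for YOUR_VALID_IP) are all assumptions.

```conf
// named.conf fragment (assumed path /etc/named.conf). Addresses outside
// 192.168.1.0/24 are placeholders: 203.0.113.10 is the firewall's public
// address, 192.168.1.25 the internal POP3/IMAP server.
acl "lan" { 192.168.1.0/24; 127.0.0.1; };

// Views are tried in order and the first match-clients hit wins, so the
// LAN view must precede the catch-all external view.
view "internal" {
    match-clients { lan; };
    recursion yes;              // LAN clients may use this box as their resolver
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;               // never an open resolver towards the Internet
    allow-transfer { none; };   // outsiders cannot pull the zone
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.external";
    };
};

; --- /etc/bind/db.example.com.internal (zone file, ';' comments) ---
$TTL 3600
@     IN SOA ns1.example.com. hostmaster.example.com. (
            2004051801 ; serial: bump in BOTH files on every change
            3600 900 604800 300 )
      IN NS  ns1.example.com.
ns1   IN A   192.168.1.1
mail  IN A   192.168.1.25       ; LAN clients go straight to the server

; --- /etc/bind/db.example.com.external ---
$TTL 3600
@     IN SOA ns1.example.com. hostmaster.example.com. (
            2004051801 ; serial
            3600 900 604800 300 )
      IN NS  ns1.example.com.
ns1   IN A   203.0.113.10
mail  IN A   203.0.113.10       ; outsiders hit the firewall, DNAT to 110/143
```

Check it from both sides with `dig +short mail.example.com @ns1` on a LAN host and from outside; each must return only the address for its side, and a LAN client that still gets 203.0.113.10 is matching the wrong view (usually a missing ACL entry or a client arriving on the wrong interface).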



> -----Original Message-----
> From: linuxmanagers-bounces@xxxxxxxxxxxxxxxxx 
> [mailto:linuxmanagers-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of 
> Christian Hack
> Sent: Tuesday, 18 May 2004 8:11 AM
> To: linuxmanagers@xxxxxxxxxxxxxxxxx
> Subject: Routing internal ports back to LAN
> 
> 
> I am trying to route the POP3/IMAP ports on my firewall to an internal
> server.
> 
> Setup is eth0 is the Internet, eth1 is the LAN
> 
> Port mapping from outside the LAN (i.e. mapping ports 143 and 
> 110 from eth0
> to eth1) is no problem and works fine.
> 
> What I want to do is also map 143 and 110 from eth1 back on 
> to the internal
> LAN on eth1. You ask why don't I just connect directly? I 
> have a number of
> users who sometimes use the LAN and sometimes are external. I 
> want to be
> able to set up their mail with one host name accessible via 
> the internet
> _and_ the LAN which always works. Thus they always point at 
> the firewall
> which in turn routes them back to the internal server.
> 
> From what I understand in Linux this is not normally 
> possible, but I have
> been told Snapgear routers (which run linux) can do this.
> 
> The one option I have found is a dual DNS setup where 
> internally, I point
> particular hosts directly to the internal LAN and externally 
> I point those
> hosts to the firewall. I'd like to be able to do it with port
> forwarding/mapping if possible though.
> 
> Any ideas or is my DNS solution the only one? TIA.
> 
> Now that I have written this I have thought of another 
> solution. I guess I
> could do some LAN card trickery and either add another card 
> (e.g. just route
> from eth1 to eth2 both connected to the same LAN) or setup 
> some kind of
> multihomed setup on the internal LAN card.
> 
> CH
_______________________________________________
LinuxManagers mailing list - http://www.linuxmanagers.org
submissions: LinuxManagers@xxxxxxxxxxxxxxxxx
subscribe/unsubscribe: http://www.linuxmanagers.org/mailman/listinfo/linuxmanagers
