<p>Hi Rick,</p><p>thanks very much. I've done a bit of
reading up on the reverse proxy option and it makes a lot of sense.
Thanks very much for the help. Costa was replying to my original
question as well and I gave snatting one last shot on his advice
before going with the reverse proxy and it worked! Here are the rules
that made it happen:</p><p>
snat to "${HOME_MYIP}" \<br />
outface "${HOME_MYIF}" \<br />
src "${HOME_LAN}" dst "${WEBSERVER}"</p><p> </p><p>dnat to ${WEBSERVER}:80 \<br />
inface "${HOME_MYIF}" \<br />
src "${HOME_LAN}" \<br />
dst "${PUBLIC_MYIP}" proto tcp dport 80<br />
</p><p> router lan2lan inface "${HOME_MYIF}" outface "${HOME_MYIF}" \<br />
src "${HOME_LAN}" dst "${HOME_LAN}"<br />
server http accept<br />
server https accept<br />
</p><p>Thanks again!</p><p>cheers</p><p>Rich</p><strong>On Fri Oct 5 23:28, Rick Marshall sent:</strong><blockquote style="border-left: 2px solid rgb(245, 245, 245); margin-left: 5px; margin-right: 0px; padding-left: 5px; padding-right: 0px;">Hi Rich<br />
<br />
I put considerable work into the snat option before realising that it <br />
was going to be too difficult. iptables seems to get confused when you <br />
are trying to do too much with the same subnet. I don't know why, but it <br />
just didn't work.<br />
<br />
More importantly, we host a number of sites on different back end <br />
servers and then have to provide site statistics to all of them.<br />
<br />
This is where the reverse proxy really came into its own. (Using apache <br />
of course ;) - IIS can't do it :( ) The proxy knows the URL that has <br />
been requested and so a combination of named virtual hosts and <br />
reverse proxy can redirect almost anything reliably to the internal <br />
servers. Including internal traffic. However this does mean that all <br />
internal traffic also goes through the firewall - on sites with high <br />
internal volumes you really don't want this - hence servers with dual <br />
interfaces. The internal servers think the traffic comes from the <br />
firewall so you need to set up site statistics against logs on the <br />
firewall, not the actual servers.<br />
<br />
Google etc for apache reverse proxy - plenty of online help and discussion.<br />
<br />
Here is a snippet from one of our apache setups:<br />
<br />
<br />
ServerName www.rmkshoes.com.au<br />
ServerAlias rmkshoes.com.au www.rmkshoes.com rmkshoes.com<br />
ServerAdmin root@cadetshoes.com.au<br />
ErrorLog logs/rmkshoes.com.au-error_log<br />
CustomLog logs/rmkshoes.com.au-access_log combined<br />
ProxyPreserveHost On<br />
<br />
# ProxyPass needs a path argument outside a &lt;Location&gt; block; "/" added here<br />
ProxyPass / http://192.168.1.153/<br />
ProxyPassReverse / http://192.168.1.153/<br />
<br />
<br />
<br />
Also please note that this does not solve the problem for mail servers <br />
on the same internal subnet.<br />
<br />
Option b) as I said is to overload the ip address on an interface card.<br />
<br />
To do this set the ip address on the web/mail server to a different <br />
subnet eg 192.168.1.0/24. Then in firehol on the firewall add the ip <br />
commands to add addresses to an interface (in addition to the default <br />
address present when the firewall starts):<br />
<br />
eg<br />
<br />
ip addr add 192.168.1.1 dev eth0<br />
ip route add 192.168.1.0/24 dev eth0<br />
<br />
You can have 2 interface definitions for the same interface! and then <br />
redirect traffic accordingly. This is an effective strategy. Here is the <br />
firehol.conf from one of my smaller sites:<br />
In this case I have made sure that the intranet comes up correctly and <br />
then overlay the internet onto the (single) ethernet adapter. Physically <br />
there is a satellite link connected to my switch along with the <br />
server/firewall and a wireless switch.<br />
<br />
We're now using this in small shop setups too so that we can use <br />
standard IBM POS units with multiple subregisters.<br />
<br />
Anyway I hope this helps you and others.<br />
<br />
Regards<br />
Rick<br />
<br />
#<br />
# $Id: office.conf,v 1.4 2002/12/31 15:44:34 ktsaou Exp $<br />
#<br />
# CASE:<br />
# Firewall for a host with only one Ethernet interface connected to<br />
# a LAN where the traffic coming in is:<br />
#<br />
# source 10.0.0.0/16 intranet traffic<br />
# any other source internet traffic<br />
#<br />
# The host can reach the internet via a gateway that SNATs the fake<br />
# address this host has to its Ethernet interface to a real one.<br />
# We assume that this NAT is bi-directional, meaning that the<br />
# gateway will DNAT requests sent from the internet to the real IP<br />
# of our host in order to enter the intranet and reach our server.<br />
#<br />
# If this NAT is not bi-directional (only SNAT but no DNAT), then<br />
# the 'internet' and 'trusted' services below will simply not<br />
# work (FireHOL will not complain).<br />
#<br />
# SOLUTION:<br />
# The following FireHOL configuration script assumes there are a few<br />
# network zones with different roles:<br />
#<br />
# intranet our company's intranet<br />
# department our department within the intranet<br />
# personal our PCs within the company<br />
# internet the whole internet<br />
# trusted computers on the internet we need to provide<br />
# services to<br />
#<br />
# For each of the above, there are two definitions:<br />
# 1. The IP addresses or address space<br />
# 2. The services they can access on this host.<br />
#<br />
# If you want to disable something, simply comment out or empty the<br />
# variables defined for this.<br />
#<br />
# Other notes:<br />
# - idents are rejected<br />
# - our host is also a workstation that can run any client<br />
# - our host does not route any traffic<br />
<br />
version 5<br />
<br />
# ----------------------------------------------------------------------<br />
# Definitions<br />
# ----------------------------------------------------------------------<br />
<br />
# The network the company's intranet is using<br />
ip addr add 61.88.230.142 dev eth0<br />
ip route add 61.88.230.140/30 dev eth0<br />
ip route add default via 61.88.230.141<br />
intranet="192.168.12.0/24"<br />
intranet_servers="icmp http smtp dns dhcp cups ssh samba"<br />
<br />
# The rest of the traffic is internet.<br />
# Define here the servers for the internet traffic, if any<br />
internet="61.88.230.142"<br />
internet_if="eth0"<br />
internet_servers="icmp smtp ssh dns"<br />
<br />
# How many requests per second should we allow?<br />
intranet_requests="50/sec"<br />
internet_requests="10/sec"<br />
<br />
# New servers<br />
<br />
server_drop_ports="tcp/135 udp/1025:65535 tcp/1025:65535"<br />
client_drop_ports="default"<br />
<br />
# NAT<br />
<br />
snat to "${internet}" outface "${internet_if}" src "${intranet}" dst not "${UNROUTABLE_IPS}"<br />
<br />
# TCPMSS<br />
<br />
tcpmss 256<br />
<br />
# TRANSPARENT PROXY<br />
<br />
#proxy_port=""<br />
<br />
# Setup a transparent proxy on this host.<br />
#if [ ! -z "${proxy_port}" ]<br />
#then<br />
# iptables -t nat -A PREROUTING -s ${intranet} -p tcp --dport 80 -j REDIRECT --to-port ${proxy_port}<br />
#fi<br />
<br />
# ----------------------------------------------------------------------<br />
# Normally, you don't have to do anything below this point.<br />
# ----------------------------------------------------------------------<br />
<br />
# The intranet<br />
interface eth0 intranet src "${intranet}"<br />
policy reject # be friendly to the intranet to prevent timeouts<br />
<br />
protection strong ${intranet_requests}<br />
<br />
# Servers for the company's intranet<br />
if [ ! -z "${intranet_servers}" ]<br />
then<br />
server "${intranet_servers}" accept<br />
fi<br />
<br />
# Prevent ident from timing out<br />
server ident reject with tcp-reset<br />
<br />
# This is an Intranet workstation<br />
client all accept # To have good accounting, this should be last.<br />
<br />
# The internet<br />
interface eth0 internet src not "${intranet} ${UNROUTABLE_IPS}"<br />
policy drop # this is also the default<br />
<br />
protection strong ${internet_requests}<br />
<br />
# Public internet servers<br />
if [ ! -z "${internet_servers}" ]<br />
then<br />
server "${internet_servers}" accept<br />
fi<br />
<br />
# Servers for our trusted PCs<br />
if [ ! -z "${trusted}" -a ! -z "${trusted_servers}" ]<br />
then<br />
server "${trusted_servers}" accept src "${trusted}"<br />
fi<br />
<br />
# Prevent ident from timing out<br />
server ident reject with tcp-reset<br />
<br />
# Get rid of other crap<br />
server "drop" drop<br />
server "samba" drop<br />
<br />
# This is an Internet workstation too<br />
client all accept # To have good accounting, this should be last.<br />
<br />
# ----------------------------------------------------------------------------<br />
# PROTECT ROUTING<br />
# ----------------------------------------------------------------------------<br />
# Protect the LAN...<br />
<br />
# Route traffic for the clients on the LAN<br />
router internet2lan inface "${internet_if}" outface "eth0" src not "${UNROUTABLE_IPS}" dst "${intranet}"<br />
<br />
# route all client traffic<br />
client all accept<br />
<br />
router lan2internet inface "eth0" outface "${internet_if}"<br />
route all accept<br />
<br />
<br />
<br />
<br />
<br />
rich@thevillas.eclipse.co.uk wrote:<br />
><br />
><br />
><br />
> Thanks Rick, great help. I think the reverse proxy sounds like a great <br />
> idea and looks simple to implement. I need the webserver to be on the <br />
> same subnet as the lan.<br />
><br />
> Did you attempt the snat option or did you just go straight for one of <br />
> the 3 below? I'm puzzled as to why it won't work for me.<br />
><br />
> cheers<br />
><br />
> Rich<br />
><br />
> *On Wed Oct 3 21:10, Rick Marshall sent:*<br />
><br />
> Hi Rich<br />
><br />
> Minor note - your LAN is 192.168.0.0/24 - but this doesn't affect the<br />
> rest of your problem.<br />
><br />
> I have this scenario working well, but I have done it using one of three<br />
> tricks.<br />
><br />
> 1. Extra address. Put the web server on a different subnet - say<br />
> 192.168.1.... You can overload the IP addresses on the firewall to<br />
> access the web server through the same interface card.<br />
><br />
> 2. Run a copy of apache on the firewall and use ReverseProxy to access<br />
> the internal web server. If you do this you need to run your web site<br />
> stats program on the firewall.<br />
><br />
> 3. More complex setup for a busy office puts the web server in a DMZ<br />
> with 2 interface cards, run a second name server to give internal<br />
> addresses to internal machines which are on the internal lan and run a<br />
> third interface card on the firewall to keep the traffic separated.<br />
><br />
> Regards<br />
> Rick<br />
><br />
> rich@thevillas.eclipse.co.uk wrote:<br />
> ><br />
> > Hi,<br />
> > I have a LAN that accesses the internet through a single firewall<br />
> > machine which has 2 network cards.<br />
> > I use SNAT to give all of my LAN machines the static external IP of<br />
> > this firewall machine when they venture out.<br />
> > For internet traffic coming in to the firewall I use DNAT to forward<br />
> > it to my webserver on the LAN.<br />
> ><br />
> > So, assuming that:<br />
> ><br />
> > 1) my LAN has private addresses:<br />
> > 192.168.0.0/16<br />
> > 2) my firewall has the external internet-visible address:<br />
> > x.x.x.x<br />
> > 3) my firewall has the internal LAN-visible address:<br />
> > 192.168.0.18<br />
> > 4) my webserver has my LAN private address:<br />
> > 192.168.0.11<br />
> ><br />
> > I have an iptables DNAT (destination nat) rule to redirect traffic thus:<br />
> > tcp x.x.x.x:80 -> 192.168.0.11:80<br />
> ><br />
> > However whilst this is lovely for external clients, it doesn't work for<br />
> > my LAN because:<br />
> > a) LAN client 192.168.0.Y contacts x.x.x.x via the default<br />
> > route (the firewall).<br />
> > b) firewall DNATs the connection to LAN webserver destination<br />
> > 192.168.1.110 but leaves the source address unchanged as 192.168.0.Y<br />
> > c) LAN webserver 192.168.0.11 replies direct to LAN client<br />
> > 192.168.0.Y because it is on the same network, but LAN client wasn't<br />
> > talking to 192.168.0.11 when it started the connection and therefore<br />
> > ignores these packets.<br />
> ><br />
> > I think I should be able to simply rewrite the source address in (b)<br />
> > to the internal address of my firewall so that all replies from the webserver come<br />
> > back via the firewall and can be correctly de-mangled. In other words<br />
> > all communication between LAN clients and my webserver will be<br />
> > dog-legged via the firewall.<br />
> ><br />
> > BUT, this doesn't work with my current firehol config.<br />
> > Please please could someone point out where my config is wrong?<br />
> > I have spent hours and hours on this but can't figure it out<br />
> ><br />
> > Thanks in advance<br />
> > #####################CONFIG BELOW######################<br />
> ><br />
> ><br />
> > # The definition of our HOME LAN.<br />
> > HOME_MYIP="192.168.0.18" # The IP on our HOME LAN<br />
> > HOME_MYIF="eth1" # The HOME LAN interface<br />
> > HOME_BCAST="192.168.1.255" # The HOME LAN broadcast<br />
> > HOME_LAN="192.168.1.0/255.255.255.0" # The HOME LAN<br />
> > HOME_SERVICES="all"<br />
> ><br />
> > HOME_DHCP=0 # Set to 0 to disable<br />
> ><br />
> ><br />
> > # --- PUBLIC ---<br />
> ><br />
> > # The definition of our PUBLIC interface.<br />
> > PUBLIC_MYIP="x.x.x.x" # Leave empty for dynamic IP<br />
> > PUBLIC_MYIF="eth0" # The public interface<br />
> > PUBLIC_SERVICES="ssh http https"<br />
> ><br />
> > # Is the PPP interface a DIAL-ON-DEMAND?<br />
> > DIAL_ON_DEMAND=0 # Set to 0 to disable<br />
> ><br />
> ><br />
> > # --- TRUSTED ---<br />
> ><br />
> > # Hosts in the internet I trust for accessing private services<br />
> > # Empty these to disable.<br />
> > TRUSTED_IPS=""<br />
> > TRUSTED_SERVICES=""<br />
> ><br />
> ><br />
> ><br />
> > # --- BLACKLIST ---<br />
> ><br />
> > # A space-separated list of IPs to be blocked.<br />
> > blacklist=""<br />
> ><br />
> ><br />
> > # ----------------------------------------------------------------------------<br />
> > # HELPERS<br />
> > #<br />
> ><br />
> ----------------------------------------------------------------------------<br />
> ><br />
> > # Block all traffic from/to certain IPs<br />
> > if [ ! -z "${blacklist}" ]<br />
> > then<br />
> > blacklist full "${blacklist}"<br />
> > fi<br />
> ><br />
> ><br />
> ><br />
> > # ----------------------------------------------------------------------------<br />
> > # NETWORK ADDRESS TRANSLATION<br />
> > #<br />
> ><br />
> ----------------------------------------------------------------------------<br />
> > # Change the source/destination of packets...<br />
> ><br />
> > # Should we do SNAT or MASQUERADE?<br />
> > # If there is a PUBLIC_MYIP defined, we should do SNAT, otherwise MASQ.<br />
> > #<br />
> > if [ ! -z "${PUBLIC_MYIP}" ]<br />
> > then<br />
> ><br />
> > snat to "${PUBLIC_MYIP}" \<br />
> > outface "${PUBLIC_MYIF}" \<br />
> > src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}"<br />
> ><br />
> > snat to "${HOME_MYIP}" \<br />
> > outface "${HOME_MYIF}" \<br />
> > src "${HOME_LAN}" dst "${PUBLIC_MYIP}"<br />
> ><br />
> > else<br />
> > masquerade "${PUBLIC_MYIF}"<br />
> > fi<br />
> ><br />
> ><br />
> > # To have some public service hit an internal machine, do this:<br />
> ><br />
> > dnat to 192.168.0.11:80 \<br />
> > inface "${PUBLIC_MYIF}" \<br />
> > src not "${HOME_LAN} ${UNROUTABLE_IPS}" \<br />
> > proto tcp dport 80<br />
> ><br />
> ><br />
> ><br />
> > # ----------------------------------------------------------------------------<br />
> > # PROTECT SELF<br />
> > #<br />
> ><br />
> ----------------------------------------------------------------------------<br />
> > # Protect the firewall host...<br />
> ><br />
> > # --- HOME ---<br />
> ><br />
> > # Protect us from the HOME LAN<br />
> > interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP} ${HOME_BCAST}"<br />
> > policy reject<br />
> ><br />
> > server "${HOME_SERVICES}" accept<br />
> ><br />
> > client all accept<br />
> ><br />
> ><br />
> > # DHCP needs 0.0.0.0/255.255.255.255 access.<br />
> > if [ ${HOME_DHCP} -eq 1 ]<br />
> > then<br />
> > interface "${HOME_MYIF}" dhcp<br />
> > server dhcp accept<br />
> > fi<br />
> ><br />
> ><br />
> > # --- PUBLIC ---<br />
> ><br />
> > # Protect us from the PUBLIC<br />
> > interface "${PUBLIC_MYIF}" internet \<br />
> > src not "${UNROUTABLE_IPS}" \<br />
> > `test ! -z "${PUBLIC_MYIP}" && echo "dst '${PUBLIC_MYIP}'"`<br />
> ><br />
> > protection strong<br />
> > policy drop<br />
> ><br />
> > # Are there any trusted PCs/services?<br />
> > if [ ! -z "${TRUSTED_IPS}" -a ! -z "${TRUSTED_SERVICES}" ]<br />
> > then<br />
> > server "${TRUSTED_SERVICES}" accept src "${TRUSTED_IPS}"<br />
> > fi<br />
> ><br />
> > server "${PUBLIC_SERVICES}" accept<br />
> ><br />
> > client all accept<br />
> ><br />
> > # DIAL-ON-DEMAND needs this in case there is a PUBLIC_MYIP defined.<br />
> > if [ ${DIAL_ON_DEMAND} -eq 1 ]<br />
> > then<br />
> > interface "${PUBLIC_MYIF}" dialup<br />
> > client all accept<br />
> > fi<br />
> ><br />
> ><br />
> > # ----------------------------------------------------------------------------<br />
> > # PROTECT ROUTING<br />
> > #<br />
> ><br />
> ----------------------------------------------------------------------------<br />
> > # Protect the LAN...<br />
> ><br />
> > # Route traffic for the clients on the LAN<br />
> > router internet2lan inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}" \<br />
> > src not "${UNROUTABLE_IPS}" dst "${HOME_LAN}"<br />
> ><br />
> > # route all client traffic<br />
> > client all accept<br />
> ><br />
> > # For the dnat example above, this is needed:<br />
> > server http accept dst 192.168.0.11<br />
> ><br />
> ><br />
> ><br />
> > _______________________________________________<br />
> > Firehol-support mailing list<br />
> > Firehol-support@lists.sourceforge.net<br />
> > https://lists.sourceforge.net/lists/listinfo/firehol-support<br />
> ><br />
><br />
><br />
</blockquote>
<BR>
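<p>The reply-path problem that the original question walks through in steps a) to c), and why the extra hairpin <code>snat to "${HOME_MYIP}"</code> rule reported at the top of the thread fixes it, as an added Python simulation. This is illustration code written for this page, not code from the thread or from FireHOL. It keeps the firewall LAN address 192.168.0.18 and the webserver 192.168.0.11 from the question; the public address x.x.x.x and the external client are stood in for by constructed documentation-range addresses, and the conntrack table and the webserver's routing decision are a deliberately simplified model of what the kernel does.</p>

```python
"""Hairpin NAT reply-path model: added illustration, not code from the thread.

Addresses: firewall LAN IP and webserver IP are the ones in the question;
the public IP (x.x.x.x there) and the external client are constructed
documentation-range addresses (RFC 5737).
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.0.0/24")
FIREWALL_LAN_IP = "192.168.0.18"      # HOME_MYIP in the question
FIREWALL_PUBLIC_IP = "203.0.113.10"   # constructed stand-in for x.x.x.x
WEBSERVER_IP = "192.168.0.11"         # DNAT target in the question
EXTERNAL_CLIENT = "198.51.100.7"      # constructed internet client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def on_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


class Firewall:
    """DNAT on the way in, optional hairpin SNAT on the way out, plus a
    conntrack-style table so replies can be translated back."""

    def __init__(self, hairpin_snat: bool) -> None:
        self.hairpin_snat = hairpin_snat
        # (reply src, reply dst) -> (original src, original dst)
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        # A reply to a connection we translated earlier: reverse the mapping.
        if (pkt.src, pkt.dst) in self.conntrack:
            orig_src, orig_dst = self.conntrack[(pkt.src, pkt.dst)]
            return Packet(src=orig_dst, dst=orig_src)
        src, dst = pkt.src, pkt.dst
        # PREROUTING DNAT: public-IP:80 -> webserver (the rule Rich already had).
        if dst == FIREWALL_PUBLIC_IP:
            dst = WEBSERVER_IP
        # POSTROUTING SNAT for LAN clients only (the rule that fixed it): the
        # webserver then sees the firewall, not the client, as its peer.
        if self.hairpin_snat and on_lan(src) and dst == WEBSERVER_IP:
            src = FIREWALL_LAN_IP
        self.conntrack[(dst, src)] = (pkt.src, pkt.dst)
        return Packet(src=src, dst=dst)


def deliver_reply(fw: Firewall, reply: Packet) -> Packet:
    """The webserver's routing decision: a same-subnet host is reached
    directly, so the firewall never sees that packet; anything else goes to
    the default gateway (the firewall), which un-translates it."""
    if on_lan(reply.dst) and reply.dst != FIREWALL_LAN_IP:
        return reply
    return fw.forward(reply)


def client_connects(client_ip: str, hairpin_snat: bool) -> bool:
    """True if the client's TCP stack can match the reply to the SYN it sent
    to the public address; step c) of the question is the False case."""
    fw = Firewall(hairpin_snat)
    request = Packet(src=client_ip, dst=FIREWALL_PUBLIC_IP)
    at_server = fw.forward(request)   # public IP is off-LAN, so via the gateway
    reply = Packet(src=at_server.dst, dst=at_server.src)
    seen = deliver_reply(fw, reply)
    return seen.src == request.dst and seen.dst == request.src


if __name__ == "__main__":
    cases = ((EXTERNAL_CLIENT, False), ("192.168.0.20", False), ("192.168.0.20", True))
    for who, snat in cases:
        outcome = "works" if client_connects(who, snat) else "reply ignored by client"
        print(f"client {who:13}  hairpin SNAT={str(snat):5}  -> {outcome}")
```

<p>The DNAT-only case succeeds for the external client and fails for the LAN client because the webserver answers the LAN client directly, with its own address as source, while the client is waiting for an answer from the public address. Adding the hairpin SNAT forces the reply back through the firewall, at the cost that the webserver's logs now show the firewall as the client, which is the same log-location trade-off Rick describes for the reverse proxy.</p>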