[Firehol-support] webserver on lan
Avin Sigurani
embiopterid at gmail.com
Mon Dec 31 05:19:14 GMT 2007
Thank you, that is helpful. I was not aware of that.
When you speak of the solution you posted, are you talking about the
thread at
http://sourceforge.net/mailarchive/forum.php?thread_name=63jqje%242s1f63%40venus.eclipse.kcom.com&forum_name=firehol-support ?
If so, I think there may be a problem for me in the line:
dst "${PUBLIC_MYIP}" proto tcp dport 80
in the dnat rule. I don't have a static IP, so including
"${PUBLIC_MYIP}" in the rule means it would have to be changed every
time my IP changed, right? But how else do I differentiate traffic
going to external sites and traffic going to the web server on my
network?
Also, I went to
http://sourceforge.net/mailarchive/forum.php?forum_name=firehol-support , but every search I tried produced 0 results, even for subjects I knew existed in a particular thread. Where do I go to search the mailing list archives?
On Mon, 2007-12-31 at 14:49 +1100, Rick Marshall wrote:
> hi
>
> The best way to solve this is to put the web server and any other
> externally accessed servers on their own subnet.
>
> This is because you cannot use snat/dnat to the same subnet as the
> sending machine - not entirely sure why - it has to do with routing, but
> it doesn't work. The good news is that with modern iptables you can
> overload an interface with 2 ip addresses (so you don't need extra
> ethernet cards). I posted a solution for this earlier - it should show
> up in the searches.
>
> Regards
> Rick
>
> Avin Sigurani wrote:
> > I have a web server on an internal machine and forward all web requests
> > to this machine. This works fine for all machines external to the lan,
> > but machines on the lan cannot access the web server. I saw this
> > solution:
> >
> > snat to "${HOME_MYIP}" \
> > outface "${HOME_MYIF}" \
> > src "${HOME_LAN}" dst "${WEBSERVER}"
> >
> >
> > dnat to ${WEBSERVER}:80 \
> > inface "${HOME_MYIF}" \
> > src "${HOME_LAN}" \
> > dst "${PUBLIC_MYIP}" proto tcp dport 80
> >
> >
> > router lan2lan inface "${HOME_MYIF}" outface "${HOME_MYIF}" \
> > src "${HOME_LAN}" dst "${HOME_LAN}"
> > server http accept
> > server https accept
> >
> >
> > However, I use dyndns and have a dynamic IP address. How could I do
> > this in such a case?
> >
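An added example, not code from the thread or from the FireHOL project: because firehol.conf is sourced as a bash script, the dynamic public address does not have to be typed into the dnat rule by hand; it can be read from the external interface each time FireHOL loads (and FireHOL restarted from the dyndns update hook when the address changes). The interface name PUBLIC_MYIF and the helper functions iface_ipv4, public_ipv4 and hairpin_config are assumptions made for this example.

```shell
#!/bin/bash
# Extract the first IPv4 address from the text `ip -o -4 addr show dev <if>`
# prints. The text is passed as $1 so the parser can be checked against a
# constructed sample line without touching a real interface.
iface_ipv4() {
    printf '%s\n' "$1" | sed -n 's/.*inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# Query the live external interface (hypothetical name PUBLIC_MYIF, e.g. ppp0).
# Returns an empty string when the interface is down or unknown.
public_ipv4() {
    iface_ipv4 "$(ip -o -4 addr show dev "$1" 2>/dev/null)"
}

# Emit the hairpin-NAT fragment from the thread with the resolved public
# address substituted. Arguments: public IP, LAN interface, LAN subnet,
# web server IP, firewall's own LAN IP.
hairpin_config() {
    local pub="$1" lanif="$2" lan="$3" web="$4" lanip="$5"
    cat <<EOF
snat to "$lanip" outface "$lanif" src "$lan" dst "$web"
dnat to "$web":80 inface "$lanif" src "$lan" dst "$pub" proto tcp dport 80
router lan2lan inface "$lanif" outface "$lanif" src "$lan" dst "$lan"
    server http accept
    server https accept
EOF
}

# In firehol.conf itself the two lines below replace the hard-coded value:
#   PUBLIC_MYIP="$(public_ipv4 "$PUBLIC_MYIF")"
#   [ -n "$PUBLIC_MYIP" ] || { echo "no public address yet" >&2; exit 1; }
# Refusing to load without an address avoids a dnat rule with an empty dst.
```

The refusal to load on an empty address matters: an empty "${PUBLIC_MYIP}" would otherwise silently produce a rule that matches nothing.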