[Firehol-support] webserver on lan

Rick Marshall rjm at zenucom.com
Mon Dec 31 03:49:18 GMT 2007


The best way to solve this is to put the web server and any other 
externally accessed servers on their own subnet.

This is because you cannot use snat/dnat to the same subnet as the 
sending machine - not entirely sure why - it has to do with routing, but 
it doesn't work. The good news is that with modern iptables you can 
overload an interface with 2 ip addresses (so you don't need extra 
ethernet cards). I posted a solution for this earlier - it should show 
up in the searches.


Avin Sigurani wrote:
> I have a web server on an internal machine and forward all web requests
> to this machine.  This works fine for all machines external to the lan,
> but machines on the lan cannot access the web server.  I saw this
> solution:
> snat to "${HOME_MYIP}" \
> outface "${HOME_MYIF}" \
> src "${HOME_LAN}" dst "${WEBSERVER}"
> dnat to ${WEBSERVER}:80 \
> inface "${HOME_MYIF}" \
> src "${HOME_LAN}" \
> dst "${PUBLIC_MYIP}" proto tcp dport 80
> router lan2lan inface "${HOME_MYIF}" outface "${HOME_MYIF}" \
> src "${HOME_LAN}" dst "${HOME_LAN}"
> server http accept
> server https accept
> However, I use dyndns and have a dynamic IP address.  How could I do
> this in such a case?  
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
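The quoted config hard-codes PUBLIC_MYIP, which is what breaks once the address comes from dyndns. One way to keep the hairpin snat/dnat rules working is to read the external interface's current address when the firewall starts (FireHOL configs are bash, so ordinary shell is available) instead of writing the address in by hand. The example below is added here and is not from the thread or from FireHOL itself; HOME_MYIF, HOME_LAN, WEBSERVER and PUBLIC_MYIP are the variable names from the quoted config, while extract_ipv4, current_public_ip and hairpin_rules are hypothetical helpers and the `ip` output is a constructed sample. Rick's separate-subnet layout avoids the hairpin entirely and is the simpler design; this only shows how to feed a dynamic address into the rules as posted.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from FireHOL.
# Derive PUBLIC_MYIP from the live address of the external interface so the
# hairpin snat/dnat rules from the quoted config work with a dynamic IP.

# Pull the first global IPv4 address out of `ip -4 addr show dev <if>` output.
# Reads the command output on stdin so it can be exercised on a sample.
extract_ipv4() {
    sed -n 's/^[[:space:]]*inet \([0-9.]*\)\/[0-9]*.*scope global.*/\1/p' | head -n 1
}

# Live lookup (hypothetical helper): needs a real interface and iproute2.
# At firewall start this is the line the bash config would actually run.
current_public_ip() {
    ip -4 addr show dev "$1" 2>/dev/null | extract_ipv4
}

# Render the hairpin NAT fragment from the quoted config with a resolved IP.
# $1 = external interface, $2 = public IP, $3 = LAN subnet, $4 = web server IP
hairpin_rules() {
    cat <<EOF
snat to "$2" outface "$1" src "$3" dst "$4"
dnat to "$4:80" inface "$1" src "$3" dst "$2" proto tcp dport 80
EOF
}

# Constructed sample of `ip -4 addr show dev eth0` output (not real data).
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 203.0.113.45/24 brd 203.0.113.255 scope global dynamic eth0
       valid_lft 86000sec preferred_lft 86000sec'

main() {
    HOME_MYIF=eth0
    HOME_LAN=192.168.1.0/24
    WEBSERVER=192.168.1.10
    # Use the constructed sample here; a real config would call
    # current_public_ip "$HOME_MYIF" instead.
    PUBLIC_MYIP=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | extract_ipv4)
    # Refuse to emit rules with an empty address: an empty "dst" would make
    # the dnat match far more than intended.
    if [ -z "$PUBLIC_MYIP" ]; then
        echo "no global IPv4 address on $HOME_MYIF" >&2
        return 1
    fi
    hairpin_rules "$HOME_MYIF" "$PUBLIC_MYIP" "$HOME_LAN" "$WEBSERVER"
}

# Run the demo only when asked, so sourcing the file just defines the helpers.
if [ "${HAIRPIN_DEMO:-0}" = 1 ]; then
    main
fi
```

Run with `HAIRPIN_DEMO=1 sh hairpin.sh` to print the two rendered rules. The empty-address check matters because FireHOL will happily generate a rule from an unset variable; failing loudly at start is preferable to a dnat whose destination match has silently disappeared.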
