Re: question squid + firewall + http server inside firewall

Thu, 05 Jun 2003 01:35:20 -0500 

Michael,
unfortunately, that didnt work. Your logic makes sense. Below is the output of the relavant lines: iptables -L -t nat 

any other ideas would be great!

SNAT tcp -- 192.168.1.0/24 [internalhost] tcp dpt:www to:65.30.34.80

Michael Sharman wrote:

-----Original Message-----
From: Hanasaki JiJi [mailto:[EMAIL PROTECTED]
Sent: Thursday, 5 June 2003 2:42 PM
To: List - Debian Security
Subject: question squid + firewall + http server inside firewall



I have the below rules in my firewall.  the http server is inside the 
firewall on  192.168.1.2:80

        people can hit it fine from the outside
        squid is running on the firewall
        inside can browser ouside via squid just fine
        inside cannot browse the outside address

Any thought/input would be appreciated.

# http server
$PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
        -s 0/0 --dport http \
        -j DNAT --to-destination 192.168.1.2:80
$PROG -t mangle -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
        -o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport http \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT




I've experienced a similar problem getting NAT'd external IPs to work internally. 


The problem arose because whilst the destination address of a packet is being 
translated through DNAT the source address still remains untranslated as the 
internal adddess. This means that the returning packet was being sent to the 
internal address directly without passing through the firewall, thus to the 
internal machine it appears to originate from the internal IP and will be 
discarded because it isn't part of the TCP connection.

To remedy this you need a iptables rule to translate the source address of 
internal packets destined for the external address of the internal server to be 
the firewall machine's IP.

For example add a rule like:

    iptables -t nat -A POSTROUTING -o $NIC_INTERNAL -p tcp \
                -s 192.168.1.0/24 -d 192.168.1.2 --dport http \
                -j SNAT --to-source $FIREWALL_IP

This way the internal http server will be sending it's responses to the 
firewall and NAT will be able to translate the addresses to correctly respond 
to the original packet.

I hope this helps; it's been a while since I had this problem and this is all 
from memory.

Regards,

Michael



--
=================================================================
= Management is doing things right; leadership is doing the     =
=       right things.    - Peter Drucker                        =
=_______________________________________________________________=
=     http://www.sun.com/service/sunps/jdc/javacenter.pdf       =
=  www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone  =
=================================================================























					Reply via email to