It works, but did I do it right?
Config is as follows
eth0 -> Internet 22.44.66.x IPs
eth1 -> DMZ 10.0.0.x IPs
eth2 -> LAN 10.0.1.x IPs
ppp+ -> VPN 10.0.2.x IPs
Below is what we did to make a machine work in the DMZ. We are
defining "work" very loosely.
# Route everything coming in on 22.x.x.141 to 10.0.0.141. This works fine
[0:0] -A PREROUTING -d 22.44.66.141 -j DNAT --to-destination 10.0.0.141
# notice the double rule here. look at the explanation below
[0:0] -A POSTROUTING -o eth0 -s 10.0.0.141 -j SNAT --to-source 22.44.66.141
[0:0] -A POSTROUTING -d 10.0.0.141 -s 10.0.0.141 -j SNAT --to-source 22.44.66.141
# Generic address for going out through
[0:0] -A POSTROUTING -o eth0 -j SNAT --to-source 22.44.66.254
# So firewall can hit the DMZ machine using the external IP
[0:0] -A OUTPUT -d 22.44.66.141 -j DNAT --to-destination 10.0.0.141
If we logged into machine 10.0.0.141 and pinged 10.0.0.141 it would
work just fine, but pinging 22.44.66.141 would then fail. Traceroute
would fail as well. Looking into the firewall server log we would
find that 10.0.0.141 was going directly to 10.0.0.141. It wasn't
violating a rule or anything, it just didn't work. (We enabled general
logging on the firewall for diagnostics.)
So we changed rule "-A POSTROUTING -o eth0 -s 10.0.0.141 -j SNAT
--to-source 22.44.66.141" to "-A POSTROUTING -s 10.0.0.141 -j SNAT
--to-source 22.44.66.141". We could now successfully ping the machine
by using the external IP pointing to the same machine. Remember, we
are pinging from 10.0.0.141 to 22.44.66.141. But then another oddity
occurred. The machine could no longer ping anything on any of the ppp+
nodes. These are VPN connections. It could ping anything on the eth2
LAN that was allowable by filtering rules.
So, I added that "-d 10.0.0.141 -s 10.0.0.141" rule and re-established the
original rule. It all works great but...
I have to do this for 128 IPs, which means a bunch of cutting and pasting
(actually I wrote a 4 line php script to cheat), but this looks like a
nasty workaround to get it to work.
Shouldn't I be able to accomplish this better? The problem is that
many DNS addresses point to the external interface. Since we have no
control over the DNS process we cannot change this. So, when a machine
is looking to itself for a resource it might have to do it by domain
name and then the process breaks down because of the above problem.
Yet, no matter which rule we have in place the server on 10.0.0.140
can ping both 10.0.0.141 and 22.44.66.141. It only happens when a
machine tries to ping its own external IP.
Gary Smith
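As an added example (not the poster's PHP script), the Python below generates the four per-host rules from the post, in iptables-save format, for a block of DMZ hosts, placing the generic eth0 SNAT after them so the per-host rules match first. The address ranges and the catch-all 22.44.66.254 are taken from the post; the host count and output layout are assumptions.

```python
# Generate the NAT table described in the post for N consecutive DMZ hosts.
# Assumed mapping: 22.44.66.N on eth0 <-> 10.0.0.N on eth1 (same last octet).
EXT_NET = "22.44.66."   # eth0, Internet side
DMZ_NET = "10.0.0."     # eth1, DMZ side


def host_rules(last_octet):
    """Return the four rules the post uses for one DMZ host."""
    if not 1 <= last_octet <= 254:
        raise ValueError("last octet must be a usable host address")
    ext = f"{EXT_NET}{last_octet}"
    dmz = f"{DMZ_NET}{last_octet}"
    return [
        # inbound: traffic for the external address goes to the DMZ host
        f"-A PREROUTING -d {ext} -j DNAT --to-destination {dmz}",
        # outbound via eth0: the host presents its own external address
        f"-A POSTROUTING -o eth0 -s {dmz} -j SNAT --to-source {ext}",
        # hairpin: after the DNAT the packet is host->host on eth1; with this
        # SNAT the host sees its external address as the peer and answers
        # back through the firewall instead of talking to itself directly
        f"-A POSTROUTING -s {dmz} -d {dmz} -j SNAT --to-source {ext}",
        # lets the firewall itself reach the host by its external address
        f"-A OUTPUT -d {ext} -j DNAT --to-destination {dmz}",
    ]


def nat_table(first_octet, count, catchall="22.44.66.254"):
    """Build an iptables-restore *nat section for hosts first..first+count-1."""
    lines = [
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
    ]
    for octet in range(first_octet, first_octet + count):
        lines.extend(host_rules(octet))
    # generic SNAT for everything else leaving eth0; must come after the
    # per-host SNAT rules because POSTROUTING stops at the first match
    lines.append(f"-A POSTROUTING -o eth0 -j SNAT --to-source {catchall}")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample: two hosts, 141 and 142
    print(nat_table(141, 2), end="")
```

Feed the output to `iptables-restore` (or review it first) instead of pasting rules by hand.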