How best to route internal clients to internal web server?

Discussion in 'Linux Networking' started by Captain Dondo, Feb 28, 2005.

  1. I have the following setup:

    an OpenBSD firewall. The only machine on my network with a real IP.
    a Linux server, which provides web (and other) services.
    some linux clients.

    A request for the web server comes in to the firewall, which NATs and port
    forwards it to the internal server.

    But clients on the inside cannot use the web server, unless I put
    appropriate host entries into the /etc/hosts file, resolving the 'real'
    name of the web server to the private IP address.

    Thus in /etc/hosts I must have

    192.168.128.2 www.xxxx.com spam.xxxx.com
    order hosts,bind

    otherwise my internal clients cannot find the web server.

    Is there a better way to handle this than editing each and every
    /etc/hosts on the network?

    I run my own dhcp and bind servers, but I don't think I can use bind to
    serve up the domain names... ISTR the last time I tried, it wouldn't let
    me since I am not authoritative for the domain, and it wreaked havoc with
    DNS....
     
    Captain Dondo, Feb 28, 2005
    #1

  2. If you don't mind the internal clients using a different name, you can be
    authoritative for your private network. I call mine localnet.prv, so my
    webserver would be accessed as www.localnet.prv on the internal network,
    while still being www.xxxx.com to the outside world.
     
    James Blanford, Mar 1, 2005
    #2

  3. 
    Captain Dondo, [email protected]:04:11(CET):
    You're doing destination nat (or whatever is the equivalent in your openbsd
    firewall), aren't you? If so, the response is going directly from the web
    server to the host originating the request (since the source IP hasn't been
    modified). This packet isn't expected by this host, so it drops it.

    So you also need to source nat such traffic, in order for the responses to
    go through the gateway, who will send them back to the originating host.

    If that's not the case, I'm clearly misunderstanding it :).
     
    Hue-Bond, Mar 1, 2005
    #3
  4. You understood it better than I.... DUH! It's obvious now that you
    explain it....

    Now to figure out how to do it with pf, about which I know next to
    nothing... Where is that manpage???? :)
     
    Captain Dondo, Mar 1, 2005
    #4
  5. Captain Dondo, [email protected]:40:21(CET):
    Never used *bsd but googling for "pf source nat" seems appropriate:

    http://www.openbsd.org/faq/pf/nat.html

    :^P
     
    David Serrano (Hue-Bond), Mar 1, 2005
    #5
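    The reflection setup Hue-Bond describes (redirect inside clients that hit the public address, and source-NAT them so the web server's replies return via the firewall), as an added example that is not from the thread or the OpenBSD FAQ. It uses the classic pre-4.7 pf rdr/nat syntax; interface names and the public address are placeholders, and the web server's private address is the one from the original post.

```conf
# pf.conf fragment (classic rdr/nat syntax, OpenBSD <= 4.6).
# Placeholders: ext_if, int_if and ext_ip; 192.168.128.2 is from the thread.
ext_if  = "fxp0"              # interface holding the real IP
int_if  = "dc0"               # LAN interface
int_net = "192.168.128.0/24"  # internal clients
ext_ip  = "203.0.113.10"      # placeholder public address of the firewall
web_srv = "192.168.128.2"     # internal web server

# 1. Normal port forward for requests arriving from the Internet.
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $web_srv port 80

# 2. Internal clients resolve www.xxxx.com to the public IP and send the
#    SYN to the firewall's LAN side; redirect that to the web server too.
rdr on $int_if proto tcp from $int_net to $ext_ip port 80 -> $web_srv port 80

# 3. Without this, the web server would answer the client directly with a
#    source of 192.168.128.2, which the client never connected to, so it
#    drops the reply. Rewriting the source to the firewall's LAN address
#    forces the return path back through pf, where the state is undone.
nat on $int_if proto tcp from $int_net to $web_srv port 80 -> $int_if

# Filter rules: rdr has already rewritten the destination at this point,
# so pass on the translated (private) address, restricted to port 80.
pass in on $ext_if proto tcp from any to $web_srv port 80 keep state
pass in on $int_if proto tcp from $int_net to $web_srv port 80 keep state
```

    Only rule 3 is specific to the hairpin case; rule 2 alone produces exactly the dropped-reply symptom Hue-Bond describes. On OpenBSD 4.7 and later the same thing is written as `match ... rdr-to` and `match out ... nat-to` rules.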
  6. 
    I'd put dnsmasq as internal network DNS server / cache
    into the Linux gateway host, and put the internal
    web server name into the /etc/hosts file of the gateway.

    Point all clients' DNS entries to the router, and you're done.
     
    Tauno Voipio, Mar 2, 2005
    #6