Hi David,

Yes, the transparent-dnat plugin appears to do that, but the general requirement with these 'NAT loopback' techniques is a static external IPv4 address to build the iptables rules around, otherwise for dynamic external IPs the firewall rules would have to be rebuilt whenever the external IPv4 address changed. So for AstLinux, the transparent-dnat plugin will not work if you have a dynamic IP address, i.e. DNAT_MY_EXTERNAL_IP is not applicable.

Still, I like your split-horizon DNS approach the best (as you stated); usually port selection is not an issue since the local ports are standard and any port obfuscation is done via NAT at the edge. Plus remote VPN access will use the local DNS (when set up properly) and point you directly to the local server. I assume you have a good reason for exposing FTP to the public, but I would rather see you using sftp (better) or FTP in a VPN (best) for remote access.

Lonnie

On Oct 7, 2012, at 10:32 AM, David Kerr wrote:

> Lonnie,
> Thanks for the documentation. Of course this prompted me to look at stuff
> I have never looked at before and of course generates questions.
>
> Take transparent-dnat. Does this solve the situation where I have an
> internal client that attempts to access a service (say FTP) which is in fact
> located inside my LAN or on my AstLinux box?
>
> For example, if I am *outside* my LAN and request a service at
> "ftp.mydomain.org:21" then the external DNS servers resolve the name to the
> IP address of my Astlinux eth0/EXTIF. And the client *outside* my LAN directs
> the traffic to "myIP:21". Now let's say port 21 is forwarded by Astlinux to an
> internal LAN IP 192.168.1.10 (that may be a different port number).
> Now if I am *inside* my LAN and have done nothing, then the DNS name
> resolution still resolves to eth0/EXTIF. But because the traffic is coming
> from inside to eth1/INTIF it is not caught by the firewall and forwarded to
> the internal host. Instead it tries to connect to the Astlinux box (which
> may, or may not, accept traffic on port 21).
>
> The way I have resolved this is by setting up a static hostname in Astlinux
> DNS so that internal clients get the IP address of the internal server when
> they use the name, so ftp.mydomain.org will resolve to 192.168.1.10, which is
> the same host that any external traffic arriving on eth0 port 21 would get
> forwarded to. However this is not port specific, so if I had multiple
> services handled by different hosts there is no way to handle that.
>
> Does this plugin, or is there another plugin, that would help? Ideally what
> I want is a way to tell the firewall that any traffic originating from an
> internal IP that is destined for the external IP of my Astlinux box be
> handled by the firewall just as if it had arrived on the EXTIF and be
> forwarded (or blocked, or whatever).
>
> Thanks,
> David
>
>
> On Sat, Oct 6, 2012 at 7:45 PM, Lonnie Abelbeck <[email protected]> wrote:
>
> Hi,
>
> Due to recent questions about firewall plugins, we decided to add a "Firewall
> Plugins" section in the documentation WiKi...
>
> WiKi: Tips and Tricks -> Networking -> Firewall Plugins
>
> http://doc.astlinux.org/userdoc:tt_firewall_plugins
>
> I predict even long time users might find a new tidbit here, so please take a
> look and report any changes or clarifications that might be useful to others.
>
> Lonnie

_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to [email protected].
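The 'NAT loopback' rules the thread is discussing, as an added example that is not AstLinux or transparent-dnat code: it prints the iptables commands for one published service instead of applying them, and the rebuild function shows why the external address being baked into the DNAT rule makes a dynamic IP unworkable. The LAN subnet, internal host and addresses are constructed values.

```shell
#!/bin/sh
# Added example, not AstLinux or transparent-dnat code. Emits the iptables
# "NAT loopback" (hairpin NAT) rules for one published service so a LAN client
# that connects to EXTIP:port reaches the forwarded internal host, the same as
# an outside client would. Subnet, hosts and addresses are constructed.

# Print the two rules needed for one service. Arguments:
#   ext_ip   current external IPv4 address (baked into the DNAT rule)
#   lan_net  LAN subnet, e.g. 192.168.1.0/24
#   int_host internal server, e.g. 192.168.1.10
#   ext_port port published on the external address
#   int_port port the internal server really listens on
hairpin_rules() {
  ext_ip="$1"; lan_net="$2"; int_host="$3"; ext_port="$4"; int_port="$5"
  # With an unknown (dynamic) external address there is nothing to build on.
  [ -n "$ext_ip" ] || { echo "hairpin_rules: external IP unknown" >&2; return 1; }
  # 1) LAN -> EXTIP:ext_port is rewritten to the internal host before routing,
  #    which is what the port forward already does for traffic arriving on EXTIF.
  printf 'iptables -t nat -A PREROUTING -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$lan_net" "$ext_ip" "$ext_port" "$int_host" "$int_port"
  # 2) Masquerade the LAN source so the server answers via the firewall; if it
  #    replied to the LAN client directly, the client would drop the reply.
  printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport %s -j MASQUERADE\n' \
    "$lan_net" "$int_host" "$int_port"
}

# What a dynamic external address forces on you: every time it changes, the
# rules built around the old address must be deleted (-D) and re-added (-A)
# with the new one. Static address: run hairpin_rules once and forget it.
rebuild_hairpin() {
  old_ip="$1"; new_ip="$2"; shift 2
  hairpin_rules "$old_ip" "$@" | sed 's/ -A / -D /'
  hairpin_rules "$new_ip" "$@"
}

# Usage: print the commands for ftp.mydomain.org forwarded to 192.168.1.10:21
hairpin_rules 203.0.113.5 192.168.1.0/24 192.168.1.10 21 21
```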
