Depending on what he's routing, he won't be able to route outside and then
back in again.  AFAIK, that'll fail.  I think he'll have to teach the
internal machines to hit the webserver directly by using the internal IP
address.  That would be easiest with a host file, but it would be better
done by having an internal DNS server (because it would cache all DNS
queries for him).

So long as it's only NATting from the Internal NIC to the External, he MIGHT
be OK, because it may not NAT.  YMMV, I'm not entirely sure about it.  I
usually have the internal DNS server address www.Domain.TLD on the internal
address, and let the external DNS server point at the external IP address.
I suppose there's some risk of a problem here (stale DNS hits in
particular), but it's pretty slim, especially on desktops (as opposed to
laptops).

Kev.



----- Original Message -----
From: "Aaron J. Seigo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 14, 2003 2:47 PM
Subject: Re: (clug-talk) Need help with IPTables / router configuration


note: firewalling is a weak subject for me as i don't do very much of it..
so i hope i get this right =)

On Tuesday 14 January 2003 10:48, Shawn Grover wrote:
> I've recently installed Red Hat 8 as a server/router.  I've successfully
> configured IPTables to do NAT for my internal network. But now I also need
> to allow users to request pages from my web server.

you can do this a few ways:

a) put your web server "on the outside" of your firewall, creating a DMZ

b) you want to set up a rule that forwards the incoming port 80 requests to
the appropriate internal server and back again.. assuming the external IP
address was 1.2.3.4 and your web server was on 192.168.1.2 something like:

iptables -t nat -I PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT \
    --to-destination 192.168.1.2:80

c) if you need anything more complex, you'll need a more complex solution
such as the load balancing services of Linux Virtual Server (LVS)

--
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA  EE75 D6B7 2EB1 A7F1 DB43

"Everything should be made as simple as possible, but not simpler"
    - Albert Einstein

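Added example (not part of either message above): a toy Python model of the setup discussed in this thread, showing why a LAN client that reaches the web server through the DNAT rule gets a reply it does not accept, and why having the internal DNS server answer www.Domain.TLD with the internal address avoids that. The 192.168.1.0/24 prefix, the client addresses and the function names are assumptions; the model also assumes the DNAT rule matches traffic arriving from the LAN and that client and web server share one subnet.

```python
import ipaddress

# Addresses from the thread; the LAN prefix and client addresses are assumed.
EXT_IP, WEB_IP = "1.2.3.4", "192.168.1.2"
LAN = ipaddress.ip_network("192.168.1.0/24")


def on_lan(ip):
    return ipaddress.ip_address(ip) in LAN


def resolve(client_ip, split_dns):
    """www.Domain.TLD as seen by a client: the internal DNS server hands
    LAN clients the internal address, everyone else gets the external one."""
    return WEB_IP if split_dns and on_lan(client_ip) else EXT_IP


def connect(client_ip, dst_ip):
    """Follow one TCP SYN to port 80 and its reply; return (ok, detail)."""
    expected = dst_ip                  # the client only accepts replies from here
    via_router = dst_ip == EXT_IP
    if via_router:
        dst_ip = WEB_IP                # PREROUTING DNAT rule from the thread
    elif not (on_lan(client_ip) and dst_ip == WEB_IP):
        return False, "private address is not reachable from outside"
    reply_src = dst_ip                 # the web server answers from its own address
    if via_router and not on_lan(client_ip):
        reply_src = EXT_IP             # reply crosses the router, DNAT is reversed
    # A LAN client is on the server's own subnet, so the reply goes to it
    # directly, skips the router, and still carries 192.168.1.2 as source.
    ok = reply_src == expected
    return ok, f"reply from {reply_src}, client expected {expected}"


def fetch(client_ip, split_dns):
    return connect(client_ip, resolve(client_ip, split_dns))


if __name__ == "__main__":
    for label, client, split in [
        ("internet client", "203.0.113.7", False),
        ("LAN client, public DNS only", "192.168.1.50", False),
        ("LAN client, internal DNS", "192.168.1.50", True),
    ]:
        print(f"{label:30} {fetch(client, split)}")
```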