--- George Georgalis <[EMAIL PROTECTED]> wrote:

> On Tue, May 18, 2004 at 07:00:15AM -0500, hanasaki wrote:
> >external internet - firewall - internal web server
> >
> >internet traffic on port 80 is passed to the internal web server
> >external internet based browsers can hit the server
> >internal based browsers cannot
> >
> >What iptables runs are needed to let the internal browsers hit the
> >internal server with the external IP
> >
> >now external users can hit the server with www.domain.com
> >internal users get connection refused
> >
> >internal and external users get the same IP from "host www.domain.com"
>
> forget it. even if you get the fw to properly route LAN clients to
> LAN hosts, the host will reply via the LAN switch directly to the
> client, which will not accept it because it's waiting for a response
> from the internet IP.

This is where the resources of both your network and components become really apparent. You end up using everything twice, four times even.

> And, doing a LAN to LAN masq is much more difficult than it appears.

There are many intricate problems, like not having enough ports for all the SNATs, or security if you start making special cases where you don't SNAT.

> You need dns for the LAN which maps to the LAN server IP, not the
> internet IP. I've spent a lot of time figuring out how not to have
> "conditional locational" dns, it was wasted. Just focus on having
> two sets of dns records. :)

This is the easiest to set up, even for the 'For Dummies' series.

> // George
>
> --
> George Georgalis, Architect and administrator, Linux services. IXOYE
> http://galis.org/george/ cell:646-331-2027 mailto:[EMAIL PROTECTED]
> Key fingerprint = 5415 2738 61CF 6AE1 E9A7 9EF0 0186 503B 9831 1631
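For readers who want to see what the "LAN to LAN masq" George warns about actually involves, here is an added example; it is not code from this thread or from either poster's setup. It assumes a firewall with public address 203.0.113.10 on eth0, a LAN of 192.168.1.0/24 on eth1 with the firewall at 192.168.1.1, and the web server at 192.168.1.10; every address and interface name is an assumption to be replaced. The script only prints the iptables rules unless run as root with `apply`. Rule 3 is the extra SNAT that fixes the asymmetric-reply failure George describes, and the comments spell out what it costs; the last function shows the split-DNS alternative he recommends as a single dnsmasq line (dnsmasq as the LAN resolver is also an assumption).

```shell
#!/bin/sh
# Added example, not code from the thread. All addresses and interface
# names below are assumptions; adjust them to the real network.
WAN_IF=eth0                 # interface facing the internet
LAN_IF=eth1                 # interface facing the LAN
WAN_IP=203.0.113.10         # public address that www.domain.com resolves to
LAN_NET=192.168.1.0/24      # internal network
FW_LAN_IP=192.168.1.1       # firewall's own LAN address
SRV_IP=192.168.1.10         # internal web server

# Print the iptables rules for "hairpin" NAT: LAN clients reach the server
# through the public address. One rule per line; nothing is executed here.
hairpin_rules() {
    # 1. Internet clients: rewrite the destination only. The server's reply
    #    is routed back through the firewall anyway, because the firewall is
    #    its default gateway, so no source rewrite is needed.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport 80 -j DNAT --to-destination $SRV_IP:80"
    # 2. LAN clients: same destination rewrite. After this the packet is
    #    src=LAN client, dst=server, both on the same subnet. Without rule 3
    #    the server answers the client directly over the switch with
    #    src=$SRV_IP, and the client discards the reply because it is waiting
    #    for one from $WAN_IP (the failure George describes).
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -s $LAN_NET -d $WAN_IP --dport 80 -j DNAT --to-destination $SRV_IP:80"
    # 3. The "LAN to LAN masq": rewrite the source of those hairpinned
    #    packets to the firewall's LAN address, so the server replies to the
    #    firewall, which un-NATs both headers. Cost: every LAN client shows up
    #    in the server's logs as $FW_LAN_IP, and each flow consumes a port on
    #    the firewall's SNAT pool.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -s $LAN_NET -d $SRV_IP --dport 80 -j SNAT --to-source $FW_LAN_IP"
    # 4. Let the rewritten traffic through FORWARD (assumes a default-DROP
    #    policy). Only port 80 to the server is opened; replies are matched
    #    by connection-tracking state rather than by a separate sport-80 hole.
    echo "iptables -A FORWARD -o $LAN_IF -p tcp -d $SRV_IP --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# The alternative George recommends: give LAN clients a different answer
# for the name. With dnsmasq as the LAN resolver (an assumption) this is one
# line in /etc/dnsmasq.conf; LAN clients then connect to $SRV_IP directly
# and need none of the rules above.
split_dns_dnsmasq() {
    echo "address=/www.domain.com/$SRV_IP"
}

case "${1:-}" in
    apply)
        # Run each printed rule; requires root and an existing iptables setup.
        hairpin_rules | while IFS= read -r rule; do
            sh -c "$rule" || { echo "failed: $rule" >&2; exit 1; }
        done
        ;;
    *)
        hairpin_rules
        echo "# split-DNS alternative (dnsmasq):"
        split_dns_dnsmasq
        ;;
esac
```

Run it without arguments first and read the five rules it prints; `sh hairpin.sh apply` installs them. If the real policy on FORWARD is ACCEPT rather than DROP, the two FORWARD rules are harmless but redundant. The point George makes still stands after reading rule 3: with split DNS the server sees real client addresses, no SNAT port pool is consumed, and the firewall is not in the path of LAN traffic at all.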

