/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */ Jasper Potts <[EMAIL PROTECTED]> wrote: > > /sbin/ipchains -I input -p tcp -y -d 62...250/32 80 -m 250 > /usr/sbin/ipmasqadm mfw -I -m 250 -r 192.168.42.250 80 This is somewhat new to me. Most people just use "ipmasqadm portfw" for this task, to which it is well-suited. But if it works, it works! > This all works fine BUT the internal machines can't access the port > forwarded machines on there external IP addresses. That is true. It's not exactly "forwarding" if a packet comes in one interface, and then leaves via the same interface. That's called "botched networking", 'cause it's rather inefficient. The main reason why it doesn't work, at least in the portfw case with which I'm familiar, is that port-forwarding works via masquerade rules, and when the packet comes in from an internal IP address, there is no matching masquerade (forwarding) rule, so a tunnel cannot be created for it. > This makes testing very difficult. At the moment I have solved this > by setting up a web proxy on the outside network. I am hoping that > there is a better solution to this. I think a better solution would be to split your DNS resolution, so that internal clients query a name server which returns the internal IP address(es) of your web servers, while external clients query and receive the external IP's. That means that internal clients will contact the web servers directly, which is much more efficient. Since you probably control the DNS for your domain, this should be simple to setup. It's what I would do. -- [EMAIL PROTECTED] (Fuzzy Fox) || "Just about every computer on the market sometimes known as David DeSimone || today runs Unix, except the Mac (and http://www.dallas.net/~fox/ || nobody cares about it). -- Bill Joy '85 _______________________________________________ Masq maillist - [EMAIL PROTECTED] Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED] PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/ Please keep general linux/unix/pc/internet questions off the list.
