<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML ><HEAD ><TITLE >( PORTFW - Locally ) - I can't reach my PORTFWed server from the INTERNAL lan</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="Linux IP Masquerade HOWTO" HREF="index.html"><LINK REL="UP" TITLE="Frequently Asked Questions" HREF="faq.html"><LINK REL="PREVIOUS" TITLE="( PORTFW ) - IP Masquerading with PORTFWing seems to break when my line is idle for long periods" HREF="portfw-issues.html"><LINK REL="NEXT" TITLE="( Logs ) - Now that I have IP Masquerading up, I'm getting all sorts of weird notices and errors in the SYSLOG log files. How do I read the IPTABLES/IPCHAINS/IPFWADM firewall errors?" HREF="masq-logs.html"></HEAD ><BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >Linux IP Masquerade HOWTO</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="portfw-issues.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" >Chapter 7. Frequently Asked Questions</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="masq-logs.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A NAME="PORTFW-LOCAL" ></A >7.19. ( PORTFW - Locally ) - I can't reach my PORTFWed server from the INTERNAL lan</H1 ><P >Basically, say your domain, acme.com, has an external IP address of 1.2.3.4 and you are PORTFWing all WWW traffic to an internal machine, say, 192.168.0.20/24. Then an /internal/ user on the 192.169.0.x network tries to contact to http://www.acme.com and expects things to work. Well, that isn't going to happen with a basic config. Let me explain. Basically, http://www.acme.com is being resolved to the IP of http://1.2.3.4 by your chosen DNS server. What really should be happening is the web request should resolve that request to http://192.168.0.20.</P ><P >See the difference?</P ><P >The proper solution to this is to setup a SPLIT DNS server. Internal users would be configured to use an /internal/ DNS server which would resolve requests like this with the 192.168.0.20 address when asked for www.acme.com. All external users should be serviced by an /external/ DNS server which will will resolve the requrest to the 1.2.3.4 IP address. From there, IPTABLES/IPCHAINS/IPFWADM would then PORTFW the traffic to the 192.168.0.20 server as normal.</P ><P >But you're probably thinking that you don't want to setup a split DNS server and there has to be another way. There are a few alternatives! The first alternative is if you only have a few internal machines. Here, you can setup a "hosts" file entry on *all* internal machines. That static hosts entry would basically look like:</P ><P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" >www.acme.com 192.168.0.20</PRE ></FONT ></TD ></TR ></TABLE ></P ><P >Got it? With that in place, the machine would consult the hosts table before going to the DNS server to resolve the host. This works well but if you change the IP address on that internal web server, you're going to need to manually update the hosts file on all of those internal machines. If you are interested in doing the more scalable split DNS approach, TrinityOS completely covers split and chrooted DNS servers. <A HREF="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#TrinityOS" TARGET="_top" >TrinityOS - Section 24</A > http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos</P ><P >Now, if neither the split DNS nor the hosts file approach interests you, you still have a simple but effective alternative to get things working. What you can do is add some specific rules to your rc.firewall-* ruleset. Please see the "PORTFW Redirection of Internal requests" section under the <A HREF="forwarders.html" >Section 6.7</A > chapter.</P ><P >Why didn't I mention this alternative solution first? The main reason is that it's not the ideal solution. The primary problem with this approach is that every packet will be going from the internal MASQed client to the MASQ server. There, the MASQ server will SNAT each packet to the internal MASQed WWW server's IP and then forward it to the internal web server. Once the packet is received and responded to by the web server, that response has to go back through all that processing back to the original client machine. This process is overly wasteful on both network bandwidth and MASQ server CPU cycles!</P ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="portfw-issues.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="masq-logs.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >( PORTFW ) - IP Masquerading with PORTFWing seems to break when my line is idle for long periods</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="faq.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >( Logs ) - Now that I have IP Masquerading up, I'm getting all sorts of weird notices and errors in the SYSLOG log files. How do I read the IPTABLES/IPCHAINS/IPFWADM firewall errors?</TD ></TR ></TABLE ></DIV ></BODY ></HTML >