[Firewall] New Next Problem

Lonnie Abelbeck lists at lonnie.abelbeck.com
Wed Oct 10 16:16:21 CEST 2012


Eli,

Yes, "NAT Loopback" is one approach, (more below).

IMHO, the best approach is split-horizon DNS, where a public DNS points to your public IPv4 address, say 1.2.3.4, and the local DNS server points to 192.168.0.211.

Public DNS: www.domain.com -> 1.2.3.4

Local DNS: www.domain.com -> 192.168.0.211

No fancy iptables rules, simple.  Just make sure your local devices use the local DNS server, not a public server.  Very easy if they use DHCP.


"NAT Loopback": I know Arno has had several requests for a NAT Loopback plugin.  I looked into that idea, and the game of packet pinball required needs to reference the IPv4 address of the external interface.  The problem is the vast majority of users have dynamic IPv4 addresses, so the iptables rules must be rebuilt when the external address changes, not a hook that AIF has without creating one with a background process or such.

For the special case where users have a static external IPv4 address, it should be straightforward to create such a plugin.  But not a general solution.

Ref: http://for-invent.com/nat-loopback-using-iptables/

It has been suggested that NAT Loopback offers a security risk; I have not been able to find an example of such a risk.


Split-horizon DNS is simple, NAT Loopback is ugly.

Lonnie


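As an added illustration of the point above (this is example code, not Lonnie's, Arno's or AIF's own), the following POSIX shell script builds hairpin-NAT rules from AIF-style variables. It assumes the `ip` tool from iproute2, the constructed values `EXT_IF="eth1"`, `INT_IF="eth2"`, `INTERNAL_NET="192.168.0.0/24"` and `NAT_FORWARD_TCP="80,443>192.168.0.211"`, and it only prints the `iptables` commands rather than applying them. The DNAT match has to carry the current external address, which is exactly why the rules must be regenerated every time a dynamic address changes.

```shell
#!/bin/sh
# Constructed example, not AIF code: generate NAT-loopback (hairpin NAT)
# rules from AIF-style variables. Because the DNAT rule must match the
# current external IPv4 address, this script has to be re-run whenever a
# dynamic address changes (e.g. from a DHCP client hook).

EXT_IF="eth1"                            # constructed values, same shape as AIF config
INT_IF="eth2"
INTERNAL_NET="192.168.0.0/24"
NAT_FORWARD_TCP="80,443>192.168.0.211"   # "ports>host", AIF-style port forward spec

# Current IPv4 address of an interface (first address only), using iproute2.
ext_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# Print the iptables commands for one "ports>host" spec.
#   $1 = external IPv4 address, $2 = spec such as "80,443>192.168.0.211"
# Two rules per port:
#   DNAT: LAN client -> external:port is rewritten to host:port
#   MASQUERADE: source is rewritten to the firewall's LAN address so the
#   server's reply returns through the firewall instead of going direct
loopback_rules() {
    ext="$1"
    ports="${2%%>*}"
    host="${2##*>}"
    old_ifs="$IFS"; IFS=','
    for p in $ports; do
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$INT_IF" "$INTERNAL_NET" "$ext" "$p" "$host" "$p"
        printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j MASQUERADE\n' \
            "$INT_IF" "$INTERNAL_NET" "$host" "$p"
    done
    IFS="$old_ifs"
}

# Usage (e.g. from a DHCP client hook, after flushing the previous rules):
#   loopback_rules "$(ext_addr "$EXT_IF")" "$NAT_FORWARD_TCP" | sh
```

Run stand-alone it prints nothing until `loopback_rules` is called with an address; a hook that pipes the output into `sh` must also remove the rules generated for the previous address, otherwise stale DNAT matches accumulate. Note that only the DNAT line depends on the external address; the MASQUERADE line could stay static, which is why split-horizon DNS, needing neither, is the simpler route.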

On Oct 10, 2012, at 4:54 AM, Eli Wapniarski wrote:

> To be clearer
> 
> As a reminder... I am running a cable modem configured to be a dumb modem only. My external IP is provided via DHCP from my ISP and is a public IP.
> 
> The following while brief represents my accurate configuration.
> 
> dsl-ppp-modem.conf is disabled.
> 
> EXT_IF="eth1"
> INT_IF="eth2"
> INTERNAL_NET="192.168.0.1/24"
> 
> NAT=1
> NAT_INTERNAL_NET="$INTERNAL_NET"
> 
> NAT_FORWARD_TCP="80,443>192.168.0.211"
> 
> As indicated, I can surf the net just fine. I can access my internal services from outside my network just fine. I cannot access my internal services through my external interface from my internal network.
> 
> 
> Thanks for any help / guidance you can provide :)
> 
> Eli
> 
> Quoting Eli Wapniarski <eli at orbsky.homelinux.org>:
> 
>> Hi guys...
>> 
>> I hope that you can help with this one too.
>> 
>> It would seem that I cannot access internal services from my internal network
>> from the external interface. I have no trouble reaching those services from
>> the outside.
>> 
>> Name resolution is fine.
>> 
>> 
>> Thanks
>> 
>> Eli
>> _______________________________________________
>> Firewall mailing list
>> Firewall at rocky.eld.leidenuniv.nl
>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
>> 
> 
> 
> 
> 
> 


