[Firewall] New Next Problem

Eli Wapniarski eli at orbsky.homelinux.org
Wed Oct 10 16:53:39 CEST 2012


Thanks for the response Lonnie. I also saw the local DNS server  
reference, but there are several problems with that solution with a  
NATed network. How do I differentiate between several IPs and ports,  
all of which are called domain.com? The second problem is that it is  
more complicated to detect failures of service if all I'm doing is a  
sophisticated hosts lookup.

I saw from the configuration file that the script, for some reason (and  
I don't know if the parameter is used for anything), takes into  
account whether or not the IP of the external interface receives its  
IP from DHCP or not. Since the script is a very cool bash script, I  
would hope it wouldn't be too difficult a job to get the IP of the  
external interface on firewall startup.

If it would be simple to create a plugin with a static IP, then that  
would be a great start. What might be a workaround, until an addition  
could be added to the script formally, is a cron job that  
checks if the external IP has changed and, if so, reloads the firewall  
with the correct IP.

This is pretty important to me because, as I have indicated above, I  
have several services running on a couple of servers and of course,  
they are using different ports.

I've already seen the article that you're pointing to and tried it. I  
could not get it to work. If you would be kind enough to provide a  
concrete example that I could add to the custom rules script I would  
be most grateful.

I really do appreciate, very very much, your consideration of my request.

Eli

Quoting Lonnie Abelbeck <lists at lonnie.abelbeck.com>:

> Eli,
>
> Yes, "NAT Loopback" is one approach, (more below).
>
> IMHO, the best approach is split-horizon DNS, where a public DNS  
> points to your public IPv4 address, say 1.2.3.4 and the local DNS  
> server points to 192.168.0.211 .
>
> Public DNS: www.domain.com -> 1.2.3.4
>
> Local DNS: www.domain.com -> 192.168.0.211
>
> No fancy iptables rules, simple.  Just make sure your local devices  
> use the local DNS server, not a public server.  Very easy if they  
> use DHCP.
>
>
> "NAT Loopback", I know Arno has had several requests for a NAT  
> Loopback plugin.  I looked into that idea, and the game of packet  
> pinball required needs to reference the IPv4 address of the external  
> interface.  The problem is the vast majority of users have dynamic  
> IPv4 addresses, so the iptables rules must be rebuilt when the  
> external address changes, not a hook that AIF has without creating  
> one with a background process or such.
>
> For the special case where users have a static external IPv4  
> address, it should be straightforward to create such a plugin.  But  
> not a general solution.
>
> Ref: http://for-invent.com/nat-loopback-using-iptables/
>
> It has been suggested that NAT Loopback offers a security risk, I  
> have not been able to find an example of such a risk.
>
>
> Split-horizon DNS is simple, NAT Loopback is ugly.
>
> Lonnie
>
>
>
> On Oct 10, 2012, at 4:54 AM, Eli Wapniarski wrote:
>
>> To be clearer
>>
>> As a reminder... I am running a cable modem configured to be a dumb  
>> modem only. My external IP is provided via DHCP from my ISP and is  
>> a public IP.
>>
>> The following while brief represents my accurate configuration.
>>
>> dsl-ppp-modem.conf is disabled.
>>
>> EXT_IF="eth1"
>> INT_IF="eth2"
>> INTERNAL_NET="192.168.0.1/24"
>>
>> NAT=1
>> NAT_INTERNAL_NET="$INTERNAL_NET"
>>
>> NAT_FORWARD_TCP="80,443>192.168.0.211"
>>
>> As indicated. I can surf the net just fine. I can access my  
>> internal services from outside my network just fine. I cannot  
>> access my internal services through my external interface from my  
>> internal network.
>>
>>
>> Thanks for any help / guidance you can provide :)
>>
>> Eli
>>
>> Quoting Eli Wapniarski <eli at orbsky.homelinux.org>:
>>
>>> Hi guys...
>>>
>>> I hope that you can help with this one too.
>>>
>>> It would seem that I cannot access internal services from my  
>>> internal network from the external interface. I have no trouble  
>>> reaching those services from the outside.
>>>
>>> Name resolution is fine.
>>>
>>>
>>> Thanks
>>>
>>> Eli
>>> _______________________________________________
>>> Firewall mailing list
>>> Firewall at rocky.eld.leidenuniv.nl
>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>> http://rocky.eld.leidenuniv.nl
>>>
>>
>>
>>
>>
>>
>
>
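The hairpin (NAT loopback) rules Lonnie describes, with the DNAT plus a source rewrite so the server's reply comes back through the firewall, and the external-IP change check Eli proposes for a cron job, as an added example that is not code from the list, from AIF or from either poster. Variable names follow Eli's quoted config; ext_ip, loopback_rules, ip_changed and the space-separated multi-entry form of NAT_FORWARD_TCP are assumptions.

```shell
#!/bin/sh
# Added example: hairpin (NAT loopback) rules built from AIF-style variables.
# Helper names and the multi-entry handling are assumptions, not AIF code.

EXT_IF="eth1"
INT_IF="eth2"
INTERNAL_NET="192.168.0.0/24"      # iptables also accepts 192.168.0.1/24
NAT_FORWARD_TCP="80,443>192.168.0.211"

# Current IPv4 address on an interface (empty if it has none yet).
ext_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# Print the rules that let LAN clients reach forwarded ports via the
# external address. $1 external IP, $2 internal net, $3 forward spec(s)
# in "ports>host" form, $4 internal interface. Nothing is applied here.
loopback_rules() {
    ext="$1"; net="$2"; specs="$3"; iif="$4"
    for spec in $specs; do
        ports="${spec%%>*}"          # e.g. "80,443"
        host="${spec#*>}"            # e.g. "192.168.0.211"
        # 1) LAN -> external IP: rewrite the destination to the internal server
        echo "iptables -t nat -A PREROUTING -i $iif -s $net -d $ext -p tcp -m multiport --dports $ports -j DNAT --to-destination $host"
        # 2) the server would otherwise answer the client directly on the LAN,
        #    so source-NAT the hairpinned packets to the firewall's LAN address
        echo "iptables -t nat -A POSTROUTING -o $iif -s $net -d $host -p tcp -m multiport --dports $ports -j MASQUERADE"
        # 3) permit the forward between the two LAN hosts
        echo "iptables -A FORWARD -i $iif -o $iif -d $host -p tcp -m multiport --dports $ports -j ACCEPT"
    done
}

# For the cron job: true when the external IP differs from the one
# recorded in a state file. $1 state file, $2 current IP.
ip_changed() {
    old=""
    [ -r "$1" ] && old=$(cat "$1")
    [ "$2" != "$old" ]
}

# Dry run with a constructed public address. On a real firewall use
# "$(ext_ip "$EXT_IF")", paste the output into the custom rules script,
# and reload AIF when ip_changed reports a change.
loopback_rules 1.2.3.4 "$INTERNAL_NET" "$NAT_FORWARD_TCP" "$INT_IF"
```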
