[ale] iptables question [long]

Joseph Andrew Knapka jknapka at earthlink.net
Fri Aug 17 06:50:31 EDT 2001


djinn wrote:
> 
> Currently I've got a NAT/firewall machine with (obviously) an external
> interface at 4.5.6.7 and an internal interface at 10.0.0.1.   It accepts
> http and https requests, NATs them to appear to originate from 10.0.0.1,
> and passes them to 10.0.0.2, my web server.
> 
> Two weeks ago when I was setting this up, it seemed to make perfect
> sense.  Now I can't for the life of me figure out why I was forcing the
> packets to appear as originating from 10.0.0.1 except that that was the
> only way I could figure out to serve web requests from an internal IP.
> 
> Am I correct in thinking that
> a) the webserver is less safe accepting mangled packets than unmangled
> ones?  (in other words, no matter what comes off of 10.0.0.1, my web
> server is going to accept it if it's on allowed ports...so it doesn't
> matter what the header says and not mangling allows for tracking of IPs
> in the log files)
> b) I can redirect the port 80/443 requests to the internal interface
> instead of doing NAT?
> c) I'm assuming that since IP masquerading is a totally different
> operation, it won't be harmed by changing from NAT to forwarding.
> d) I'm *hoping* that stateful inspection of packets won't be affected
> either, because a lot of my firewall setup hinges on that.
> 
> If b) is correct, how do I do that with iptables?  Do I need to make any
> modification to my stateful inspection rules?

Someone could surprise me, but I don't think b) is correct.
Unless your WWW server has an externally-routable IP address,
there is no way to avoid doing NAT. All the traffic on your
internal LAN has to be on the 10.0.0.* network. If you
do the redirect as in b), by which I assume you mean
port-forwarding, then the firewall will not do NAT, but
rather will accept packets from the public net and
retransmit them on the internal net as if they came
from the firewall machine - so all you'll accomplish is
losing the source address of the incoming request.

-- 
# Joe Knapka
# "You know how many remote castles there are along the
#  gorges? You can't MOVE for remote castles!" - Lu Tze re. Uberwald
# 2nd Lbl A + 1 = 2nd Pause 2nd Prt A
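As an added example (not part of the original thread), the two rule sets the question contrasts, written as iptables commands using the addresses given above: a DNAT-only port forward of 80/443 to 10.0.0.2, the extra SNAT step that rewrites the source to 10.0.0.1, and the stateful FORWARD rules both variants sit behind. Interface names eth0/eth1 and the `IPT` variable are assumptions; setting `IPT=echo` prints the rules instead of applying them. Note in the comments the one condition under which the SNAT step is actually required: the web server's replies must route back through the firewall for a DNAT-only forward to work.

```shell
#!/bin/sh
# Added example, not from the original thread. Addresses come from the
# question (external 4.5.6.7, internal 10.0.0.1, web server 10.0.0.2);
# the interface names are assumptions. IPT defaults to the real binary;
# run with IPT=echo to preview the rules without touching the kernel.
set -e
IPT="${IPT:-iptables}"
EXT_IF=eth0; INT_IF=eth1
EXT_IP=4.5.6.7; FW_INT_IP=10.0.0.1; WEB_IP=10.0.0.2

# Port-forward 80/443 arriving on the public address to the web server.
# DNAT rewrites only the destination; the client's source address stays
# intact and is what the web server sees in its logs.
forward_web() {
    for p in 80 443; do
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$p" \
            -j DNAT --to-destination "$WEB_IP"
    done
}

# The setup described in the question additionally SNATs the forwarded
# packets so they appear to come from 10.0.0.1. That is needed only when
# the web server's replies would not otherwise return through this
# firewall (for example, its default gateway is some other host); the
# price is losing the real client address in the web server's logs.
snat_forwarded_web() {
    for p in 80 443; do
        $IPT -t nat -A POSTROUTING -o "$INT_IF" -d "$WEB_IP" -p tcp --dport "$p" \
            -j SNAT --to-source "$FW_INT_IP"
    done
}

# Ordinary outbound masquerading for the LAN (item c in the question) is a
# separate rule keyed on the external interface and is unaffected by
# whether the inbound forward uses SNAT or not.
masquerade_lan() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s 10.0.0.0/24 -j MASQUERADE
}

# Stateful FORWARD policy: drop by default, discard INVALID, let
# established flows through, and admit NEW connections only for the two
# forwarded ports toward the web server. Connection tracking matches on
# the post-DNAT destination, so these rules name 10.0.0.2, not 4.5.6.7,
# and are the same for both NAT variants.
stateful_forward() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in 80 443; do
        $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WEB_IP" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
}

# Usage: "sh fw.sh apply" installs the DNAT-only variant; add
# snat_forwarded_web here to reproduce the original SNAT setup.
case "${1:-}" in
    apply) forward_web; masquerade_lan; stateful_forward ;;
esac
```

The DNAT-only variant keeps the client address in the web logs, which is the logging benefit raised in point a); the stateful rules do not change between the two variants because conntrack sees the translated destination either way.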