Hi all,

I have had shorewall running successfully for over two years, it's a great firewall! I have a NAT question that I cannot seem to find the answer to, and I was hoping someone could give me a hand. I have recently learned of a type of NAT called "Twice NAT", in which when a specific DNS address is requested, the information is forwarded on. I have outlined what I would like to do below.

1. I have two machines, my firewall/gateway, and my JBoss server box.
2. When a given request is sent to my dns, say jboss.test.homelinux.com, I would like to use Twice NAT to translate that request to my internal IP.

Is there a way to do this with shorewall and BIND 9? I know it would be easier to set up a DMZ, but I only have one public IP and since I'm a broke college student, I can't really afford to get a business class connection with multiple static IPs.

Thanks,
Todd
Todd Nine wrote:
> Hi all,
> I have had shorewall running successfully for over two years, it's a
> great firewall! I have a NAT question that I cannot seem to find the
> answer to, and I was hoping someone could give me a hand. I have
> recently learned of a type of NAT called "Twice NAT", in which when a
> specific DNS address is requested, the information is forwarded on. I
> have outlined what I would like to do below.
>
> 1. I have two machines, my firewall/gateway, and my JBoss server box.
> 2. When a given request is sent to my dns say jboss.test.homelinux.com,
> I would like to use Twice NAT to translate that request to my internal IP.
>
> Is there a way to do this with shorewall and BIND 9? I know it would be
> easier to set up a DMZ, but I only have one public IP and since I'm a
> broke college student, I can't really afford to get a business class
> connection with multiple static IPs.
>

I don't understand what problem you are trying to solve. AFAIK, "Twice NAT" involves situations where there are duplicate IP addresses in a network that require resolution. Using Shorewall, the NETMAP feature is the best way to solve those cases but that doesn't sound like your problem.

If you can be a bit clearer about the exact problem you want to solve, we'll try to help.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>>
>> 1. I have two machines, my firewall/gateway, and my JBoss server box.
>> 2. When a given request is sent to my dns say jboss.test.homelinux.com,
>> I would like to use Twice NAT to translate that request to my internal IP.
>>
>> Is there a way to do this with shorewall and BIND 9? I know it would be
>> easier to set up a DMZ, but I only have one public IP and since I'm a
>> broke college student, I can't really afford to get a business class
>> connection with multiple static IPs.
>>
>
> I don't understand what problem you are trying to solve. AFAIK, "Twice
> NAT" involves situations where there are duplicate IP addresses in a
> network that require resolution. Using Shorewall, the NETMAP feature is
> the best way to solve those cases but that doesn't sound like your problem.
>
> If you can be a bit clearer about the exact problem you want to solve,
> we'll try to help.

I read your post again and think maybe I see what you want:

1) You have two systems: firewall/gateway and JBoss.
2) You want to set up two DNS entries:
   firewall.test.homelinux.com -> your firewall/gateway
   jboss.test.homelinux.com -> your jboss box.
3) When internet hosts connect to the first name, they get your firewall.
4) When internet hosts connect to the second name, they are connected to the jboss box.

If that's what you want then the answer to your question is "No".

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
That was exactly what I wanted. Thanks for the reply, we learned about some NAT tools that use what is called "Twice NAT", where the IP that is translated is based on the DNS request. I believe it will only work within the context of the http protocol, but I wanted to check.

Thanks,
Todd

Quoting Tom Eastep <teastep@shorewall.net>:
> Tom Eastep wrote:
> >>
> >> 1. I have two machines, my firewall/gateway, and my JBoss server box.
> >> 2. When a given request is sent to my dns say jboss.test.homelinux.com,
> >> I would like to use Twice NAT to translate that request to my internal IP.
> >>
> >> Is there a way to do this with shorewall and BIND 9? I know it would be
> >> easier to set up a DMZ, but I only have one public IP and since I'm a
> >> broke college student, I can't really afford to get a business class
> >> connection with multiple static IPs.
> >>
> >
> > I don't understand what problem you are trying to solve. AFAIK, "Twice
> > NAT" involves situations where there are duplicate IP addresses in a
> > network that require resolution. Using Shorewall, the NETMAP feature is
> > the best way to solve those cases but that doesn't sound like your
> > problem.
> >
> > If you can be a bit clearer about the exact problem you want to solve,
> > we'll try to help.
>
> I read your post again and think maybe I see what you want:
>
> 1) You have two systems: firewall/gateway and JBoss.
> 2) You want to set up two DNS entries:
>    firewall.test.homelinux.com -> your firewall/gateway
>    jboss.test.homelinux.com -> your jboss box.
> 3) When internet hosts connect to the first name, they get your firewall.
> 4) When internet hosts connect to the second name, they are connected to
>    the jboss box.
>
> If that's what you want then the answer to your question is "No".
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
tnine@purdue.edu wrote:
> That was exactly what I wanted. Thanks for the reply, we learned about some NAT
> tools that use what is called "Twice NAT", where the IP that is translated is
> based on the DNS request. I believe it will only work within the context of the
> http protocol, but I wanted to check.
>

Yes -- with HTTP you could do something like that but HTTP supports name-based virtual hosting. On Linux, you would have to use an HTTP proxy rather than Netfilter DNAT since Netfilter doesn't look at the HTTP command stream.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
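The distinction Tom draws above, between what Netfilter DNAT can see (addresses and ports in the packet) and what an HTTP proxy can see (the Host header in the request stream), is easy to show with a small name-based dispatcher. The following is an added example written for this thread, not code from Shorewall or from either poster; the hostnames are the ones in the thread, while the backend addresses, the 192.168.1.0/24 LAN and the helper names (`dnat_target`, `parse_host`, `choose_backend`, `run_proxy`) are constructed for illustration.

```python
"""Name-based HTTP dispatch vs. address-based DNAT (illustrative, constructed)."""
import socket
from typing import Optional, Tuple

# Constructed mapping from HTTP Host names to internal backends.
# One public IP can front several names only because the *proxy* reads
# the Host header; the addresses below are assumptions, not real hosts.
BACKENDS = {
    "jboss.test.homelinux.com": ("192.168.1.10", 8080),
    "firewall.test.homelinux.com": ("127.0.0.1", 80),
}

# What a Netfilter DNAT rule sees: destination address and port only.
# With a single public IP every name resolves to the same address, so a
# DNAT rule (e.g. Shorewall "DNAT net loc:192.168.1.10 tcp 80") must send
# *all* port-80 traffic to one box; it has no way to branch on the name.
SINGLE_PUBLIC_IP = "203.0.113.5"  # documentation address, constructed


def dnat_target(dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Address/port-based decision: identical for every hostname."""
    if dst_ip == SINGLE_PUBLIC_IP and dst_port == 80:
        return ("192.168.1.10", 8080)
    return None


def parse_host(request_head: bytes) -> Optional[str]:
    """Return the lower-cased Host header value (without port), or None.

    Only the request head (up to the blank line) is inspected; header
    names are matched case-insensitively as HTTP requires. An HTTP/1.0
    request without Host yields None, which the proxy must reject rather
    than guess a backend.
    """
    head, _, _ = request_head.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":", 1)[0]  # drop an optional :port
    return None


def choose_backend(request_head: bytes) -> Optional[Tuple[str, int]]:
    """Name-based decision: the backend depends on the Host header."""
    host = parse_host(request_head)
    if host is None:
        return None
    return BACKENDS.get(host)


def run_proxy(listen_port: int = 8000) -> None:
    """Minimal blocking forwarder to show where the Host decision happens.

    Reads only the request head, picks a backend, then relays bytes in
    both directions. No TLS, no keep-alive: enough to demonstrate the
    mechanism, not a production proxy.
    """
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(5)
        while True:
            client, _ = srv.accept()
            with client:
                head = b""
                while b"\r\n\r\n" not in head and len(head) < 8192:
                    chunk = client.recv(1024)
                    if not chunk:
                        break
                    head += chunk
                backend = choose_backend(head)
                if backend is None:
                    # Unknown or missing Host: refuse instead of guessing.
                    client.sendall(b"HTTP/1.1 400 Bad Request\r\n"
                                   b"Connection: close\r\n\r\n")
                    continue
                with socket.create_connection(backend) as upstream:
                    upstream.sendall(head)
                    upstream.shutdown(socket.SHUT_WR)
                    while True:
                        data = upstream.recv(4096)
                        if not data:
                            break
                        client.sendall(data)


if __name__ == "__main__":
    run_proxy()
```

`dnat_target` returns the same backend for every request to the public address, which is the "No" in Tom's answer; `choose_backend` can tell `jboss.test.homelinux.com` from `firewall.test.homelinux.com` only because it has parsed the application-layer request. Note that a missing or unknown Host header is answered with 400 rather than routed to a default, so a client cannot reach an internal box by omitting the header.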