On Tuesday 10 January 2006 12:30, David T. Thomas, M.D. wrote:
> I have a server running Shorewall 3.0.4 with two network cards. One has
> public ip 80.x.x.1 and the other 172.16.0.1. This server also has squid
> proxy on port 3128.
That system is more correctly referred to as a gateway/router rather than a
server.
>
> I have another server in the network, 172.16.0.100, which will run my mail
> and web server.
>
> My domain name resolves to 80.x.x.1 for external and LAN users.
>
> I would like to have all web traffic originating from the LAN to be
> transparently routed to squid. Also, I need all trafic directed to 80.x.x.1
> and 172.16.0.1 ports 80 8383 25 110 to be directed to 172.16.0.100
Why 172.16.0.1? -- why can't local users simply access 172.16.0.100
directly?
The more usual request I get is for local users to be able to access 80.x.x.1
and have the request redirected to 172.16.0.100. That's covered in Shorewall
FAQ 2.
>
> Here are the firewall rules I have created:
>
> DNAT Net LAN:172.16.0.100 tcp 80
> DNAT Net LAN:172.16.0.100 tcp 8383
> DNAT Net LAN:172.16.0.100 tcp 25
> DNAT Net LAN:172.16.0.100 tcp 110
> REDIRECT LAN 3128 tcp 80 - !172.16.0.1
>
> Is this correct/do I need any additions?
>
You need to allow tcp 80 from firewall->net -- and you need the disgusting
hacks from FAQ 2 (or something equally evil -- unless you "do it right" and
use split DNS).
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
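As an added illustration (not part of Tom's reply or of the Shorewall project's own files), here is what the poster's /etc/shorewall/rules could look like with Tom's two points applied: the gateway itself (Squid) allowed out on tcp 80, and a FAQ 2 style "hairpin" DNAT so LAN clients hitting the public address reach 172.16.0.100. It keeps the poster's zone names (Net, LAN) and 80.x.x.1 placeholder; the FAQ 2 mechanism (hairpin DNAT plus a masq entry for the LAN interface) is my reading of that FAQ, and eth1 as the LAN interface is an assumption.

```shorewall
#ACTION    SOURCE   DEST               PROTO  DEST            SOURCE   ORIGINAL
#                                             PORT(S)         PORT(S)  DEST
# Squid runs on the gateway, so the firewall zone itself must be able to
# fetch pages from the Internet (Tom's first point).
ACCEPT     $FW      Net                tcp    80
# Port forwards from the Internet to the internal mail/web host
# (the poster's four DNAT lines, collapsed into one port list).
DNAT       Net      LAN:172.16.0.100   tcp    80,8383,25,110
# FAQ 2 style hairpin: LAN clients that connect to the public address are
# sent to the internal server.  Listed before the REDIRECT so that requests
# to 80.x.x.1:80 are forwarded rather than handed to Squid.
DNAT       LAN      LAN:172.16.0.100   tcp    80,8383,25,110  -        80.x.x.1
# Transparent proxying of everything else LAN clients send to port 80;
# the ORIGINAL DEST exclusion keeps traffic to the gateway's LAN address alone.
REDIRECT   LAN      3128               tcp    80              -        !172.16.0.1
```

For the hairpin DNAT to work when client and server sit on the same subnet, FAQ 2 also calls for an entry such as `eth1 172.16.0.0/24` in /etc/shorewall/masq (eth1 assumed to be the LAN interface) so that the server's replies return through the gateway; split DNS, as Tom notes, avoids all of this.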