Hi all,

I am having a problem with my DNAT setup. I have a gateway machine running shorewall which is set up with multiple aliased IP addresses as described here: http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html ... with each aliased address DNATing ports 80 and 22 through to a different machine on my LAN. The firewall machine itself is also listening on those ports.

The problem I am having is that although access to the websites and ssh on the various hosts works fine from outside the firewall, any attempt to connect from inside ends up connecting to the firewall rather than the requisite internal machine.

I could maybe get around this by overriding the external DNS using the DNS server on my LAN (pointing the domain names at the internal machines rather than their external DNATed addresses), but this doesn't seem to be the best way to go about it as it causes problems with laptop users' DNS caches.

Can anyone tell me how to set this up correctly so I can access websites on DNATed aliased IP addresses from both inside and outside the LAN (or point me at some documentation for such a setup)? I'm happy to include my config files or give more information if it is needed.

Thanks in advance,
Dan T.

------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and around Java (TM) technology - register by April 22, and save $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco. 300 plus technical and hands-on sessions. Register today. Use priority code J9JMT32. http://p.sf.net/sfu/p
Dan Tomlinson wrote:

> The problem I am having is that although access to the websites and ssh
> on the various hosts works fine from outside the firewall, any attempt
> to connect from inside ends up connecting to the firewall rather than
> the requisite internal machine.
>
> I could maybe get around this by overriding the external DNS using the
> DNS server on my LAN (pointing the domain names at the internal machines
> rather than their external DNATed addresses), but this doesn't seem to be
> the best way to go about it as it causes problems with laptop users' DNS
> caches.

Actually it IS the best way to deal with it (IMHO) - things "just happen" transparently, and you'll see real user IP addresses in your server logs. It's called "split horizon DNS" and works very well for dealing with different views (such as internal/public addressing) of a network.

> Can anyone tell me how to set this up correctly so I can access websites
> on DNATed aliased IP addresses from both inside and outside the LAN (or
> point me at some documentation for such a setup)?

Check the FAQs - specifically 1d http://shorewall.net/FAQ.htm#faq1d

-- 
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
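Added example, not part of either post above: what the firewall-side fix (as opposed to the split-horizon DNS fix Simon recommends) looks like in Shorewall's own rules and masq files. The interface names (eth0 external, eth1 internal), the alias 203.0.113.10, the LAN 192.168.1.0/24, the firewall's LAN address 192.168.1.1 and the target server 192.168.1.5 are all placeholders I have assumed for illustration; substitute your own. The mechanism it relies on is the reason for Dan's symptom: a DNAT rule with SOURCE `net` only matches packets arriving on the external interface, so a LAN client connecting to the aliased address arrives on eth1, matches no DNAT, and is delivered to the firewall's own sshd/httpd, which are bound to that address.

```text
# /etc/shorewall/rules (assumed layout; check the rules(5) man page for your version)
#ACTION   SOURCE   DEST               PROTO   DEST     SOURCE   ORIGINAL
#                                             PORT(S)  PORT(S)  DEST
# Existing rule: connections from the Internet to the alias go to the LAN server.
DNAT      net      loc:192.168.1.5    tcp     80,22    -        203.0.113.10
# Added rule: connections from the LAN to the same alias are rewritten too.
# ORIGINAL DEST pins this to the alias only, so the firewall's own sshd/httpd
# stay reachable on its other addresses (e.g. 192.168.1.1).
DNAT      loc      loc:192.168.1.5    tcp     80,22    -        203.0.113.10

# /etc/shorewall/masq (assumed layout; check the masq(5) man page for your version)
#INTERFACE   SOURCE           ADDRESS
# Normal outbound masquerading on the external interface.
eth0         192.168.1.0/24
# Hairpin fix: LAN-to-LAN traffic that the firewall forwards back out eth1 is
# rewritten to come from the firewall's LAN address. Without this the server
# would answer the client directly from 192.168.1.5, the client would expect
# a reply from 203.0.113.10, and the connection would be reset.
eth1         192.168.1.0/24   192.168.1.1
```

Check it with `shorewall check` before `shorewall restart`, then from a LAN host run `ssh -v 203.0.113.10` and confirm the host key presented is the internal server's, not the firewall's. The trade-off is the one Simon points out: with this setup the server's logs record 192.168.1.1 for every internal client, because the masq entry hides the real source address; split-horizon DNS avoids that, at the cost of the DNS-caching issue Dan mentions for roaming laptops.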