Hi all,

This is a bit silly, but I've been puzzling over it for a few hours now.

We've got a shorewall box running, doing well. One of the things it does is redirect all outbound http traffic to the squid proxy on port 3128.

Recently we've installed a service that requires external users to connect to an internal machine via DNAT'ing, which is working well. The problem is that the service registers our IP (external) address with a central server, meaning that internal users are unable to access it.

I'm looking for some way to redirect traffic destined for a specific port(s) on the firewall to another internal machine.

I'm not totally sure I've made myself clear so please ask for clarification if necessary, we'd love to get this sorted.

Many thanks

Matt

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now.
http://p.sf.net/sfu/bobj-july
Matt Harrison wrote:
> Hi all,
>
> This is a bit silly, but I've been puzzling over it for a few hours now.
>
> We've got a shorewall box running, doing well. One of the things it does
> is redirect all outbound http traffic to the squid proxy on port 3128.
>
> Recently we've installed a service that requires external users to
> connect to an internal machine via DNAT'ing, which is working well. The
> problem is that the service registers our IP (external) address with a
> central server, meaning that internal users are unable to access it.
>
> I'm looking for some way to redirect traffic destined for a specific
> port(s) on the firewall to another internal machine.
>
> I'm not totally sure I've made myself clear so please ask for
> clarification if necessary, we'd love to get this sorted.

Shorewall FAQ #2.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Michael Weickel - iQom Business Services GmbH
2009-Aug-30 14:29 UTC
Re: redirecting internal traffic
This is Shorewall FAQ 2 -- you only have to change the ports (the FAQ is about smtp).

A dirty hack (but works too) is to change /etc/hosts on the affected internal machines to redirect internally rather than externally.

-----Original Message-----
From: Matt Harrison [mailto:iwasinnamuknow@genestate.com]
Sent: Sunday, 30 August 2009 15:53
To: Shorewall Users
Subject: [Shorewall-users] redirecting internal traffic

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
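As an added illustration of the FAQ 2 approach with the ports changed (example config written for this thread, not taken from the FAQ or any of the posts), assuming an internal interface eth1, a loc subnet of 192.168.1.0/24, the application server at 192.168.1.5, the public address 203.0.113.10 and an assumed service port of 5555:

```conf
# /etc/shorewall/rules (fragment, Shorewall 4.x column layout)
# Interface, addresses and port below are assumptions for this example.
#ACTION  SOURCE  DEST              PROTO  DEST     SOURCE   ORIGINAL
#                                         PORT(S)  PORT(S)  DEST
# Existing rule: outside users reach the server through the public address.
DNAT     net     loc:192.168.1.5   tcp    5555
# Added rule: local clients that connect to the public address (the one the
# service registered with the central server) are redirected to the server too.
# The ORIGINAL DEST column limits the rule to packets addressed to the
# firewall's public IP, so other port-5555 traffic inside loc is untouched.
DNAT     loc     loc:192.168.1.5   tcp    5555     -        203.0.113.10

# /etc/shorewall/masq (fragment)
# Clients and server share a subnet, so the server's replies must come back
# through the firewall rather than straight to the client; SNAT hairpinned
# connections to eth1's address. Side effect: the server sees the firewall,
# not the client, as the source (Tom's point b for preferring a dmz zone).
#INTERFACE  SOURCE
eth1        192.168.1.0/24
```

Run `shorewall check` before `shorewall restart` to validate the edited files.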
Also, you might want to look into Bind 9 and DNS Zones - that's how I solved my problem. The external users see one IP address for a particular domain name - the public one - and the internal users see another IP (private) for the same server. Thus, they learn to call things "by their right name", and leave it to us geeky engineer IT über god guys to do the magic. :)

Cheers.

Michael Weickel - iQom Business Services GmbH wrote:
> This is Shorewall FAQ 2 -- you only have to change the ports (the FAQ is about smtp).
>
> A dirty hack (but works too) is to change /etc/hosts on the affected internal machines to redirect internally rather than externally.

--
Diego Rivera
Director / System Operations
Roundbox Global : enterprise : technology : genius
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506) 2258-3695
email: diego.rivera@rbxglobal.com | www.rbxglobal.com
Diego Rivera wrote:
> Also, you might want to look into Bind 9 and DNS Zones - that's how I
> solved my problem. The external users see one IP address for a
> particular domain name - the public one - and the internal users see
> another IP (private) for the same server. Thus, they learn to call
> things "by their right name", and leave it to us geeky engineer IT über
> god guys to do the magic.

I believe that the OP mentioned that in this particular instance, the application registers its *IP Address* with an external server. If so, a DNS solution isn't appropriate in this case.

In any event, I would still prefer to see the application server placed on a separate LAN (dmz) so that:

a) It is isolated from the local hosts in the event that it is hacked; and

b) When local clients connect to the application, the SOURCE IP will be the host's address as opposed to that of the firewall.

-Tom
On Sun, Aug 30, 2009 at 5:57 PM, Diego Rivera <diego.rivera@rbxglobal.com> wrote:
> Also, you might want to look into Bind 9 and DNS Zones - that's how I
> solved my problem. The external users see one IP address for a particular
> domain name - the public one - and the internal users see another IP
> (private) for the same server.

Little off topic...

Did you mean that by using bind views (internal and external clients) you solved this issue?

Regards,
Vlado
Bind views allow you to have single names resolve to different IPs depending on "who" is doing the querying. For instance: public users get one (public) IP when they go to www.website.com, while private users can get a private IP for the same name. Thus, they always use the name regardless of where they are and it always works.

As I understood the problem, this would be a good solution. Of course, what the OP said - "The problem is that the service registers our IP (external) address with a central server" - is a bit confusing; it sounds as if his problem is that the internal folks aren't being subject to the DNAT and therein lies his problem. This would certainly be solved by public/private DNS views - but there are also ways to solve that wholly within shorewall by causing DNAT rules to be applied to everyone (I found that to be problematic under some circumstances).

If the problem is different, then bind views might not be a viable solution.

Cheers.

Vlado Peshov wrote:
> Little off topic...
>
> Did you mean that by using bind views (internal and external clients) you solved this issue?
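An added sketch of the split-DNS setup Diego describes, as a BIND 9 named.conf fragment (example config written for this thread, not from the list or the Shorewall setup guide); the zone name, LAN subnet, host names and zone file paths are assumptions. As Tom notes above, this only helps clients that connect by name; a service that registers and dials the bare IP bypasses it.

```conf
// /etc/bind/named.conf.local (fragment, BIND 9). All zones must live inside
// views once any view is defined. Views are matched in order, so the
// internal view comes first; otherwise every client hits the catch-all.
acl "lan" { 192.168.1.0/24; 127.0.0.1; };   // assumed internal subnet

view "internal" {
    match-clients { "lan"; };
    recursion yes;                  // LAN hosts may use this server as resolver
    zone "example.com" {
        type master;
        // contains: app.example.com. A 192.168.1.5  (private address)
        file "/etc/bind/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                   // no open resolver for the internet
    allow-query-cache { none; };
    zone "example.com" {
        type master;
        // contains: app.example.com. A 203.0.113.10  (public address)
        file "/etc/bind/db.example.com.external";
    };
};
```

Validate with `named-checkconf` and `named-checkzone example.com <file>` for each zone file, then confirm from a LAN host and from outside that `app.example.com` resolves to the expected address on each side.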
Vlado Peshov wrote:
> On Sun, Aug 30, 2009 at 5:57 PM, Diego Rivera
> <diego.rivera@rbxglobal.com> wrote:
>
>     Also, you might want to look into Bind 9 and DNS Zones - that's how
>     I solved my problem. The external users see one IP address for a
>     particular domain name - the public one - and the internal users
>     see another IP (private) for the same server.
>
> Little off topic...
>
> Did you mean that by using bind views (internal and external clients)
> you solved this issue?

That's what I do here. There is an example at http://www.shorewall.net/shorewall_setup_guide.htm#DNS.

Another simple way to solve this is to run dnsmasq: http://www.shorewall.net/SplitDNS.html

-Tom
Tom Eastep wrote:
> Diego Rivera wrote:
>> Also, you might want to look into Bind 9 and DNS Zones - that's how I
>> solved my problem. The external users see one IP address for a
>> particular domain name - the public one - and the internal users see
>> another IP (private) for the same server. Thus, they learn to call
>> things "by their right name", and leave it to us geeky engineer IT über
>> god guys to do the magic.
>>
>
> I believe that the OP mentioned that in this particular instance, the
> application registers its *IP Address* with an external server. If so,
> a DNS solution isn't appropriate in this case.
>
> In any event, I would still prefer to see the application server placed
> on a separate LAN (dmz) so that:
>
> a) It is isolated from the local hosts in the event that it is hacked; and
>
> b) When local clients connect to the application, the SOURCE IP will be
> the host's address as opposed to that of the firewall.
>
> -Tom

It is indeed, unfortunately, working from the IP address and not the hostname. We do already have split DNS but that won't work for this particular problem.

Thanks for the pointer to the FAQ. I did scan over the topics there quickly before, but the heading didn't jump out at me.

I've implemented the hack; however, now there's another problem the application's designers will have to be consulted on. There's always something to be fixed here.

I will be creating a dmz for this as soon as I get time to fiddle some more.

Thanks for the help

Matt