On 18 Jan 2002, Bret Hughes wrote:
> On Fri, 2002-01-18 at 14:50, David Talkington wrote:
> >
> > David Talkington wrote:
> >
> > >Dave Wreski wrote:
> > >
> > >>> Now, however, the systems behind the firewall can't access the sites
> > >>> on the server...ie, workstation at 192.168.0.3 can't access any of the
> > >>> sites hosted on 192.168.0.1, because the DNS entries for those sites
> > >>> point them back outside the firewall...it would seem that, while the
> > >>> outside world can get through the firewall to get the sites, with no
> > >>> problem, the machines behind the firewall can't go outside the
> > >>> firewall and then back in.
> > >>
> > >>Sounds like you'll need to create a separate domain to refer to your web
> > >>server by the internal hosts, if I understand your problem correctly.
> > >
> > >Interesting puzzle. That was my thought, too, Dave, but I'm having
> > >trouble seeing why there should be a routing problem as it is. The
> > >hop will be all the way out (at least) to his ISP's router, but I'm
> > >not sure I see why this is causing a problem, except for the obvious
> > >performance hit. The NAT setup will just cause the router to think
> > >that his client is trying to connect back to port 80 on itself, which
> > >it should happily do.
> >
> > Duh. No, I'm loopy. The packet never leaves the network, because his
> > gateway thinks it's a local destination. I see now that the problem
> > is that the ruleset for forwarding back to the DNAT'ted server only
> > works for connections hitting the external interface. What the OP
> > needs, then, is some iptables tweaking to properly forward requests
> > from the private net, and then it should work fine without DNS
> > hassles.
> >
> > Yes? Or do I need still more coffee?
>
> This is exactly what I was thinking. But one can always use more
> coffee.
>
> Mike, why don't you post your rules so we can look at them and David can
> fix them :)
>
> I saw a reference recently that explained the path through these filters
> but can't remember where.
Ok...they're up at http://www.bubbanfriends.org/~mburger

I even tried adding FORWARD rules for the internal interface, to bounce
requests to those IPs to the internal machines, but it didn't seem to fly.

Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
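An added example of the "iptables tweaking" David describes, not the rules from the thread or from the URL above: a hairpin-NAT fragment that DNATs port 80 no matter which interface the packet arrived on, and SNATs LAN-to-server connections so the server's replies come back through the firewall. The interface names, the public address, the firewall's LAN address and the 192.168.0.0/24 netmask are assumptions; only the server at 192.168.0.1 and the client at 192.168.0.3 come from the thread.

```shell
#!/bin/sh
# Hairpin NAT for a DNAT'ted web server, emitted as an iptables-restore fragment.
# Assumed topology (not from the thread): eth0 = external interface holding the
# public address, eth1 = internal interface; 192.168.0.254 is the firewall's LAN
# address and 203.0.113.10 is a documentation-range placeholder for the public IP.
EXT_IF=eth0
INT_IF=eth1
PUBLIC_IP=203.0.113.10
FW_LAN_IP=192.168.0.254
LAN=192.168.0.0/24
WEB=192.168.0.1          # the web server behind the firewall (from the thread)

hairpin_rules() {
  cat <<EOF
*nat
# Too narrow: with "-i $EXT_IF", a LAN client connecting to $PUBLIC_IP arrives on
# $INT_IF, is never rewritten, and ends up at the firewall's own port 80.
#   -A PREROUTING -i $EXT_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB
# Corrected: match on destination only, so packets from either interface are rewritten.
-A PREROUTING -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB
# Hairpin SNAT: without it the server answers 192.168.0.3 directly from $WEB, the
# client expected the reply from $PUBLIC_IP, and the connection is reset.
-A POSTROUTING -s $LAN -d $WEB -p tcp --dport 80 -j SNAT --to-source $FW_LAN_IP
-A POSTROUTING -o $EXT_IF -j MASQUERADE
COMMIT
*filter
# Let the redirected connections (from either interface) and their replies through.
-A FORWARD -d $WEB -p tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage on the firewall (as root, with ip_forward enabled):
#   hairpin_rules | iptables-restore --noflush
```

With --noflush the rules are appended, so in an existing ruleset they must land before any catch-all DROP in FORWARD (use -I instead of -A if that is the case).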