iptables - lo interface problem

Yang Xiao yxiao2004 at gmail.com
Tue Aug 24 15:44:55 UTC 2004


On Mon, 23 Aug 2004 18:09:16 -0400, Travis Fraser <travis at snowpatch.net> wrote:
> On Mon, 2004-08-23 at 17:29, Mike Burger wrote:
> > On Mon, 23 Aug 2004, Rodolfo Alcázar wrote:
> >
> > > From: "Mike Burger" <mburger at bubbanfriends.org>
> > >
> > > > On Mon, 23 Aug 2004, Rodolfo Alcázar wrote:
> > > >
> > > > > > Errr, this is a classic case for a split DNS setup; you need to set up
> > > > > > DNS to point to its DMZ interface on/within the firewall, or just add
> > > > > > it in the hosts file. Don't try to connect to the external interface
> > > > > > and use the NAT; it doesn't work that way. I could be wrong.
> > > > > >
> > > > > > Yang
> > > > >
> > > > > Thanks, Yang. I hadn't heard about a split DNS setup. I will try it. Best
> > > > > regards.
> > > >
> > > > In the meantime, you can use something like this (I used this until split
> > > > DNS came into play on my network):
> > > >
> > > > $IPTABLES -t nat -A PREROUTING -i internal-interface -d your.external.ip.address -j DNAT --to your.internal.destination.IP
> > > > $IPTABLES -t nat -A POSTROUTING -o internal-interface -d your.internal.destination.IP -s your.internal.network/netmask -j SNAT --to firewall's.internal.ip.address
> > > > --
> > > > Mike Burger
> > > > http://www.bubbanfriends.org
> > >
> > > Thanks, Mike. This is the solution I was expecting, but I think the split
> > > DNS is my right answer. I will do the same as you and use these rules in the
> > > meantime. Best regards.
> >
> > Happy to help.
> >
> > If you need an example of a split DNS config, let me know.  I'm using it,
> > now, in lieu of the routing option.
> > --
> > Mike Burger
> 
> Hi Mike,
> 
> I would like to see the split-DNS config. This thread is very timely for
> me as I am setting up the exact arrangement in my network.
> 
> Thanks,
> Travis Fraser
> 
Hi,

A simple split DNS configuration really is just using your internal
DNS as the primary and some external public DNS as the secondary in
the DNS name resolving order.
# /etc/resolv.conf
domain mydomain.com
nameserver xxx.xxx.xxx.xxx   # my internal DNS with private LAN info only
nameserver xxx.xxx.xxx.xxx   # some external public DNS for public name resolution

The catch is that you set up the internal DNS zone records using the
internal IP of the servers, so you do not resolve them with the external IPs
they might be NATed to on the public DNS server. DO NOT allow any
external hosts to query the same DNS server for your domain!

And for anything else, you can either set up the same server for
forwarding or fail over to the configured secondary public server to do
the name resolution.


Yang
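As an added example (not from anyone in this thread), here is the kind of split DNS config Travis asked for, done on a single BIND 9 server with views rather than resolv.conf ordering: LAN clients get the private address of a NATed host, everyone else gets only the public records and no recursion. The domain, the 192.168.1.0/24 LAN, the host addresses and the forwarder address are constructed placeholders.

```conf
// Constructed example: BIND 9 split DNS using views.
// LAN clients see private addresses; outsiders see public ones only.
acl "lan" { 127.0.0.0/8; 192.168.1.0/24; };

options {
    directory "/var/named";
    // Recursion is only ever offered to the LAN (see views below).
    allow-recursion { lan; };
};

// Internal view: matched first, so LAN clients land here.
view "internal" {
    match-clients { lan; };
    recursion yes;
    // Names outside mydomain.com go to a public resolver (placeholder).
    forwarders { 203.0.113.53; };
    zone "mydomain.com" {
        type master;
        // Zone file carries e.g. "www  IN A 192.168.1.10" (private IP).
        file "internal/mydomain.com.zone";
    };
};

// External view: everyone who did not match "lan". No recursion, and
// the zone file here carries only the public, NATed addresses, so
// LAN records never leak and the server cannot be used as an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "mydomain.com" {
        type master;
        // Zone file carries e.g. "www  IN A 203.0.113.10" (public IP).
        file "external/mydomain.com.zone";
    };
};
```

To verify the split, run `dig @<server> www.mydomain.com A` from a LAN host and again from outside the firewall: the first answer should be the private address, the second the public one, and a recursive lookup of an unrelated name from outside should be refused.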
More information about the fedora-list mailing list