iptables - lo interface problem

Yang Xiao yxiao2004 at gmail.com
Wed Aug 25 12:46:29 UTC 2004


On Wed, 25 Aug 2004 07:28:54 -0400, Rodolfo Alcázar
<rodolfo.alcazar at padep.org.bo> wrote:
> 
> 
> > On Mon, 23 Aug 2004 18:09:16 -0400, Travis Fraser <travis at snowpatch.net>
> wrote:
> > > On Mon, 2004-08-23 at 17:29, Mike Burger wrote:
> > > > On Mon, 23 Aug 2004, Rodolfo Alcázar wrote:
> > > >
> > > > > From: "Mike Burger" <mburger at bubbanfriends.org>
> > > > >
> > > > > > On Mon, 23 Aug 2004, Rodolfo Alcázar wrote:
> > > > > >
> > > > > > > > Errr, this is a classic case for a split DNS setup. You need
> > > > > > > > to set up DNS to point to its DMZ interface on/within the
> > > > > > > > firewall, or just add it in the hosts file. Don't try to connect
> > > > > > > > to the external interface and use the NAT; it doesn't work that
> > > > > > > > way. I could be wrong.
> > > > > > > >
> > > > > > > > Yang
> > > > > > >
> > > > > > > Thanks, Yang. I hadn't heard about a split DNS setup. I will try
> > > > > > > it. Best regards.
> > > > > >
> > > > > > In the meantime, you can use something like this (I used this
> until split
> > > > > > DNS came into play on my network):
> > > > > >
> > > > > > # rewrite LAN -> public address into LAN -> internal server
> > > > > > $IPTABLES -t nat -A PREROUTING -i internal-interface -d your.external.ip.address -j DNAT --to your.internal.destination.IP
> > > > > > # rewrite the source so the server replies via the firewall, not directly to the LAN client
> > > > > > $IPTABLES -t nat -A POSTROUTING -o internal-interface -s your.internal.network/netmask -d your.internal.destination.IP -j SNAT --to firewall's.internal.ip.address
> > > > > > --
> > > > > > Mike Burger
> > > > > > http://www.bubbanfriends.org
> > > > >
> > > > > Thx, Mike. This is the solution I was expecting, but I think the
> > > > > split DNS is my right answer. I will do the same as you, use these
> > > > > rules in the meantime. Best regards.
> > > >
> > > > Happy to help.
> > > >
> > > > If you need an example of a split DNS config, let me know.  I'm using
> > > > it, now, in lieu of the routing option.
> > > > --
> > > > Mike Burger
> > >
> > > Hi Mike,
> > >
> > > I would like to see the split-DNS config. This thread is very timely for
> > > me as I am setting up the exact arrangement in my network.
> > >
> > > Thanks,
> > > Travis Fraser
> > >
> > hi,
> >
> > A simple split DNS configuration really is just using your internal
> > DNS as the primary and some external public DNS as the secondary in
> > the DNS name resolving order.
> > #/etc/resolv.conf
> > domain mydomain.com
> > nameserver xxx.xxx.xxx.xxx   # my internal DNS with private LAN info only
> > nameserver xxx.xxx.xxx.xxx   # some external public DNS for public name resolution
> >
> > The catch is you set up the internal DNS zone records using the
> > internal IP of servers so you do not resolve them with external IPs
> > they might be NATed with on the public DNS server. DO NOT allow any
> > external hosts to query the same DNS server for your domain!
> >
> > And for anything else, you can either set up the same server for
> > forwarding or fail over to the configured secondary public server to do
> > the name resolution.
> >
> >
> > Yang
> >
> 
> Travis, based on Yang's idea, I checked the BIND9 docs and found a very
> simple named.conf parameter: "view". If you use BIND9, you can try this
> also; it is very easy & simple (you do not need to start another daemon).
> Here is a simplification of my named.conf file (the only differences
> between the internal and external zones are the myzone / myzone.LOCAL
> file, where you store your differentiated records, and the matched
> clients):
> 
> options {
>            directory "/var/named";
>            // some lines deleted for security reasons
>            };
> 
> view "internal" {
>            match-clients { 127.0.0.1; 192.168.0.0/16; };
>            zone "myzone.org" IN {
>                        type master;
>                        file "myzone";
>            };
>            // some lines deleted for security reasons
> };
> 
> view "external" {
>            match-clients { any; };
>            zone "myzone.org" IN {
>                        type master;
>                        file "myzone.LOCAL";
>            };
>            // some lines deleted for security reasons
> };
> 
> I suppose I have security issues I must solve, but this is the idea. If
> anyone finds which security issues we must address, please write to the list.
> 
> Best regards,
> 
> Rodolfo
> 
> 
Hi,
"Views" do not enforce security; it should be done by firewall rules
in addition to an anti-spoofing configuration.
Also, use the chroot feature that comes with BIND whenever you can.

Yang
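A hardened variant of the view-based named.conf quoted above, added here as an example; it is not any poster's actual configuration. It assumes the LAN range 192.168.0.0/16 from the quoted file, and the zone file names and the secondary's address (198.51.100.2) are placeholders. It addresses the points the thread leaves open: views are matched in order, so the internal view must come before the catch-all external one; the external view must not recurse, otherwise the server is an open resolver for the whole Internet; and zone transfers should be restricted to known secondaries.

```conf
// Hardened split-DNS named.conf (added example, not the original poster's file).
// Placeholders: the "secondaries" address and the zone file names are assumed.
acl "lan" { 127.0.0.1; 192.168.0.0/16; };
acl "secondaries" { 198.51.100.2; };    // assumed: address of the public secondary

options {
    directory "/var/named";
    allow-transfer { none; };           // default for every zone unless overridden
    version "none";                     // do not advertise the BIND version
};

// Views are tried in order: the first view whose match-clients matches the
// querying address wins, so the LAN view must come before the "any" view.
view "internal" {
    match-clients { lan; };
    recursion yes;                      // LAN clients may use this server as resolver
    allow-recursion { lan; };
    zone "myzone.org" IN {
        type master;
        file "myzone.internal";         // private (RFC 1918) addresses of the servers
    };
};

view "external" {
    match-clients { any; };
    recursion no;                       // authoritative only: never an open resolver
    zone "myzone.org" IN {
        type master;
        file "myzone.external";         // only the public (NATed) addresses
        allow-transfer { secondaries; };
    };
};
```

Run `named-checkconf` after editing; it reports a view that is unreachable because an earlier view already matches all clients. The view split only hides the private records from addresses that are not spoofed, which is why the firewall's anti-spoofing rules still matter.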


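The "routing option" from earlier in the thread (hairpin NAT) together with the anti-spoofing rules mentioned in the last message, written out as a complete iptables script. This is an added example, not a script posted in the thread; the interface names (eth0 external, eth1 internal), the public address 203.0.113.10, the server 192.168.1.20, the LAN 192.168.1.0/24 and the firewall's LAN address 192.168.1.1 are all assumed placeholders. It goes beyond the two quoted rules by restricting the translation to one protocol and port, adding the FORWARD rules the translated flow needs, and making the script dry-runnable.

```shell
#!/bin/sh
# Hairpin (loopback) NAT and anti-spoofing rules for an iptables firewall.
# Added example, not a configuration from this thread. Interface names and
# addresses used below are assumed placeholders; adjust before applying.
# Set IPTABLES="echo iptables" to print the rules instead of loading them.
set -eu

IPTABLES="${IPTABLES:-iptables}"

# Hairpin NAT for one published service, so LAN clients can reach the
# server through its public address.
#   $1 internal interface   $2 public IP        $3 server's internal IP
#   $4 LAN network (CIDR)   $5 firewall LAN IP  $6 protocol   $7 port
hairpin_nat() {
    int_if=$1; ext_ip=$2; srv_ip=$3; int_net=$4; fw_int_ip=$5; proto=$6; port=$7
    # 1. LAN client -> public IP is rewritten to LAN client -> server.
    $IPTABLES -t nat -A PREROUTING -i "$int_if" -s "$int_net" -d "$ext_ip" \
        -p "$proto" --dport "$port" -j DNAT --to-destination "$srv_ip"
    # 2. Source is rewritten to the firewall's LAN address. Without this the
    #    server would answer the client directly from srv_ip, but the client
    #    expects the reply from ext_ip and drops the connection.
    $IPTABLES -t nat -A POSTROUTING -o "$int_if" -s "$int_net" -d "$srv_ip" \
        -p "$proto" --dport "$port" -j SNAT --to-source "$fw_int_ip"
    # 3. Let the translated flow and its replies through FORWARD; both
    #    directions enter and leave on the LAN interface.
    $IPTABLES -A FORWARD -i "$int_if" -o "$int_if" -s "$int_net" -d "$srv_ip" \
        -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$int_if" -o "$int_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Anti-spoofing: a packet's source address must be consistent with the
# interface it arrived on. Inserted at the front of the chains they protect.
#   $1 external interface   $2 internal interface   $3 LAN network (CIDR)
antispoof() {
    ext_if=$1; int_if=$2; int_net=$3
    # LAN or loopback source addresses never arrive on the Internet side.
    $IPTABLES -I INPUT   -i "$ext_if" -s "$int_net" -j DROP
    $IPTABLES -I FORWARD -i "$ext_if" -s "$int_net" -j DROP
    $IPTABLES -I INPUT   ! -i lo -s 127.0.0.0/8 -j DROP
    # Nor does any RFC 1918 private range.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPTABLES -I INPUT   -i "$ext_if" -s "$net" -j DROP
        $IPTABLES -I FORWARD -i "$ext_if" -s "$net" -j DROP
    done
    # Hosts on the LAN interface must use LAN source addresses.
    $IPTABLES -I FORWARD -i "$int_if" ! -s "$int_net" -j DROP
}

# Load the rules only when explicitly asked, so the file can be sourced or
# dry-run without touching the live firewall.
if [ "${APPLY_RULES:-0}" = 1 ]; then
    antispoof   eth0 eth1 192.168.1.0/24
    hairpin_nat eth1 203.0.113.10 192.168.1.20 192.168.1.0/24 192.168.1.1 tcp 80
fi
```

Run `IPTABLES="echo iptables" APPLY_RULES=1 sh hairpin.sh` to review the generated commands before `APPLY_RULES=1 sh hairpin.sh` as root. The SNAT in step 2 is the part people leave out: it costs the server the real client address in its logs, which is the usual argument for preferring split DNS once it is in place.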



More information about the fedora-list mailing list