hanasaki wrote:
Of course it's Linux! I am feeling a bit insulted that anyone would think otherwise ;) grin
The "wacky" port numbers for the httpd are to keep it off low numbered ports and run as non-root. Any suggestions for something better and how to do it?
Ah, "split DNS", cute term... what iptables rules can be put in the firewall to bounce the traffic back? Tried it and failed :(
It's been a while since I set something like this up, and it was with a 2.2 kernel and ipchains, not iptables.
tcpdump will be your friend...you need to make sure the packets are getting properly mangled by your firewall in both directions. If that's happening correctly, the client and web server should "just work".
What's probably happening with a basic port-forward rule in place is the client sends a request to the FW. The FW modifies the destination IP:port and sends the request to the web-server. The web-server sees the actual source IP of your internal machine, and sends the reply directly to it instead of to the firewall (so it can get un-mangled).
If the above assumption is correct, I think you need to add a MASQUERADE rule to the traffic from your local IP range as it leaves the firewall, giving it the IP address of your FW box instead of your client system.
...but all bets are off w/o TCP dumps of the input and output traffic from your firewall and/or web server and client systems.
-- Charles Steinkuehler
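The rule set Charles describes, written out as an added example (not code from either poster): the DNAT port-forward on both the WAN and LAN side, plus the MASQUERADE on LAN-to-server traffic so the web server's replies come back through the firewall. All interface names, addresses and ports are constructed placeholders; the script prints the iptables commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Hairpin NAT for a LAN client that reaches the internal web server through the
# firewall's public address. Values below are constructed placeholders.
WAN_IF=eth0
LAN_IF=eth1
WAN_IP=203.0.113.10          # firewall's public address
LAN_NET=192.168.1.0/24       # internal client range
WEB_IP=192.168.1.20          # internal web server
PUB_PORT=80                  # port clients connect to on the public address
WEB_PORT=8080                # unprivileged port the non-root httpd listens on

# Print the command (default) or execute it when APPLY=1.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

hairpin_rules() {
    # 1. Outside clients: rewrite public:80 -> web:8080 as packets arrive on WAN.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$WEB_IP:$WEB_PORT"
    # 2. Inside clients using the public address: same DNAT as packets arrive on LAN.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -d "$WAN_IP" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$WEB_IP:$WEB_PORT"
    # 3. The missing piece: source-NAT the DNATed LAN->server connections to the
    #    firewall, so the server answers the firewall (which un-mangles the reply)
    #    instead of replying straight to the client, which would reset the connection.
    #    --ctstate DNAT limits this to hairpinned flows; direct LAN->web:8080
    #    connections keep their real source address.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$WEB_IP" -p tcp --dport "$WEB_PORT" \
        -m conntrack --ctstate DNAT -j MASQUERADE
    # 4. Let the forwarded connection and its replies through the FORWARD chain.
    run iptables -A FORWARD -d "$WEB_IP" -p tcp --dport "$WEB_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$WEB_IP" -p tcp --sport "$WEB_PORT" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Verify both directions are mangled, as the thread suggests:
    #   tcpdump -ni "$LAN_IF" host "$WEB_IP" and tcp port "$WEB_PORT"
}

# Number of MASQUERADE rules the generator emits (sanity check for rule 3).
masquerade_count() { hairpin_rules | grep -c MASQUERADE; }

hairpin_rules
```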