Apache HTTP Server
Harbid Abu Marhamedoff, 2014-09-11 08:12:33

How to set up the gateway correctly?

There is a gateway to the Internet based on Debian Wheezy. From the outside it is visible as a certain site.ru; from the inside its address is 10.0.0.1. Apache and squid are installed on it, and the Internet is distributed to the internal network using iptables.
First problem. When going out through squid, everything is fine, but if you try to access the Internet without squid and type the address http://somesite.ru, the page does not open, because DNS resolves to the IP of the external network card, and for some reason it is not available from the internal network. How do I get around this? Set up my own internal DNS? But if the client uses an external DNS, this will not work.
Second problem. iptables is configured like this:
/sbin/iptables -t nat -A POSTROUTING -o external_iface -j SNAT --to-source external_ip
If I understand correctly, the configured NAT will wrap all packets going to the Internet, including those that arrive from a neighbor's computer, which has an IP on the external network, visible through external_iface. How do I make it work only for internal interfaces?


1 answer(s)
Sergey, 2014-09-11
@bk0011m

Enter the internal IP of the server in the DNS. That's all there is to it.
On reflection, I decided to add:
1. Remove the web server and site from the gateway. If the proxy can still be tolerated, the site is a potential hole. Have you ever been broken into?
2. For people "outside" and "inside" there should be a DNS, each for their own network. Internal clients should point to the internal DNS.
3. Regarding iptables, I can't tell you. I am using a different firewall. But honestly, I didn't quite understand what you need to wrap into the Internet. After all, if an internal client requests an external IP, then you just need to pass this packet through NAT and release it outside. Why wrap anything?
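
For the second problem in the question (limiting SNAT to internal hosts), an added example that is not part of the original thread: POSTROUTING cannot match the incoming interface with `-i`, so the rule is restricted by source subnet, and the FORWARD chain only routes new connections that enter on the internal interface. The interface names, the /24 mask and the external address are assumptions or placeholders, not values from the post.

```shell
#!/bin/sh
# Added example: generate iptables rules that forward and SNAT only traffic
# originating on the internal network. Every value below is an assumption.
INT_IF="${INT_IF:-eth1}"            # internal interface (assumed name)
EXT_IF="${EXT_IF:-eth0}"            # external interface (assumed name)
INT_NET="${INT_NET:-10.0.0.0/24}"   # internal subnet (mask is assumed)
EXT_IP="${EXT_IP:-203.0.113.10}"    # placeholder for external_ip

# Accept only characters that can occur in an interface name, IP or CIDR,
# so the generated text is safe to hand to a root shell.
valid() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_./:-]*) return 1 ;;
    esac
}

# Print the rule set for review; nothing is applied by this function.
gateway_rules() {
    for v in "$INT_IF" "$EXT_IF" "$INT_NET" "$EXT_IP"; do
        valid "$v" || { echo "refusing unsafe value: $v" >&2; return 1; }
    done
    # 1. Do not route anything that is not explicitly allowed.
    # 2. Let replies to already allowed connections back in.
    # 3. New connections may only enter on the internal interface, from the
    #    internal subnet, so a host on the external segment cannot use the
    #    gateway as its router.
    # 4. Translate only packets whose source is the internal subnet.
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source $EXT_IP
EOF
}

# Review:          . ./gateway.sh; gateway_rules
# Apply (as root): . ./gateway.sh; gateway_rules | sh
```

The unrestricted POSTROUTING rule from the question has to be deleted first (`-D` with the same arguments), because rules added with `-A` are evaluated after it.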
