access to hosted servers inside the firewall from inside vs outside

hanasaki hanasaki at hanaden.com
Wed Jun 9 01:42:03 CDT 2004


All,

Below is an ASCII diagram of a network (mine).  The goals are:

allow internet-based clients http access to the domain hosted inside the 
firewall.  This is working fine with NAT on the firewall for port 80 
incoming.  External hosts look up www.domain.com via the external dns 
server and get the firewall address.

allow internal-based clients http access to the domain hosted inside the 
firewall.  This is working because the internal hosts use the internal 
dns to resolve www.domain.com for internal clients.  This resolves to 
the internal host's address (a CIDR).  It would be ideal to remove the 
need for separate internal/external dns management of the same domain. 
The original approach was an attempt to have the firewall iptables rules 
bounce port 80 traffic to the IP of the external www.domain.com back to 
the internal http server address.  This was never accomplished and was 
also avoided, in the end, due to the extra, unnecessary, traffic to the 
firewall (ie: hit the firewall internally just to bounce it back).  The 
use of the internal dns to resolve www.domain.com to the internal server 
also makes it impossible to find the external ip address for 
www.domain.com from an inside host (good for internal users/bad for 
admins that need to find the address and verify it).

send internally sent email at domain.com using the smtp servers for the 
domain on the outside of the firewall and not require any internal smtp 
special configs.  Not a clue how to do this.

Any thoughts on how to accomplish what is desired, above, or how to set 
things up differently, so it can be done, yet maintains the premise of 
the below diagram?

thanks.

internet
	smtp-server-for-domain
	dns-server-for-domain
	^
	|
	|
	v
firewall-Linux-with-NAT
	bind9-dns
		dns-lookup-for-internet
	^
	|
	|
	v
internal-servers
	bind9-dns
		dns-lookup-for-internal
		dns-lookup-for-internet-forwards-to-firewall-dns
		internal-hosts-use-this-for-dns
	______________
	http-server
		hosts-internal-only-websites
		hosts-external-web-sites
			available-to-outside-via-firewall-NAT
		supporting virtual domains on one IP
	______________
	smtp-server
		hosts-external-domain-email
			available-to-outside-via-firewall-NAT
			available-to-inside
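The "bounce port 80 back to the internal server" approach the post describes is usually called hairpin NAT. As an added example (not from the poster, and not the poster's actual rules), the script below generates the iptables rules that make it work: the inbound DNAT that is already in place, a second DNAT for LAN clients that resolve www.domain.com to the public address, and the SNAT that is the step most often missed. The interface names and addresses are constructed placeholders (RFC 5737 / RFC 1918 ranges); the rules are emitted as text so they can be reviewed before `--apply` runs them as root.

```shell
#!/bin/sh
# Added example, not part of the original post. All names/addresses below are
# assumptions chosen for illustration; replace them with the real ones.
EXT_IF="eth0"              # assumed internet-facing interface of the firewall
INT_IF="eth1"              # assumed LAN-facing interface of the firewall
EXT_IP="203.0.113.10"      # assumed public address the external DNS returns
FW_INT_IP="192.168.1.1"    # assumed firewall address on the LAN side
LAN_NET="192.168.1.0/24"   # assumed internal network
WEB_IP="192.168.1.80"      # assumed internal http server

# Print the rule set instead of applying it, so it can be audited first.
hairpin_nat_rules() {
    # 1. Internet -> firewall public address: DNAT to the internal web server.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80"
    # 2. Hairpin: a LAN client resolved www.domain.com to EXT_IP and hits the
    #    firewall from the inside; DNAT it to the same server.
    echo "iptables -t nat -A PREROUTING -i $INT_IF -s $LAN_NET -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80"
    # 3. Without this SNAT the web server answers the LAN client directly (same
    #    subnet), the client sees a reply from WEB_IP instead of EXT_IP and
    #    drops it. Rewriting the source forces replies back through the
    #    firewall, which is exactly the extra traffic the poster objected to.
    echo "iptables -t nat -A POSTROUTING -o $INT_IF -s $LAN_NET -d $WEB_IP -p tcp --dport 80 -j SNAT --to-source $FW_INT_IP"
    # 4. Let the forwarded flow (both directions) through the filter table.
    echo "iptables -A FORWARD -d $WEB_IP -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $WEB_IP -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules the generator produces (useful as a sanity check).
rule_count() {
    hairpin_nat_rules | wc -l | tr -d ' '
}

# Usage: ./hairpin.sh          -> print the rules for review
#        ./hairpin.sh --apply  -> run them (requires root and iptables)
if [ "${1:-}" = "--apply" ]; then
    hairpin_nat_rules | while IFS= read -r rule; do
        $rule
    done
else
    hairpin_nat_rules
fi
```

Note that the hairpin rules only cover clients that get the public address from DNS; with the split DNS the poster already runs, internal clients never reach the firewall for port 80, and an admin who wants to verify the public address can still query the external resolver directly (for example `dig @<external-dns-server> www.domain.com`) rather than the internal bind9.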




More information about the Kclug mailing list