Port forwarding for internal webservers in case of a non-transparent proxy

Assume that you're running a two-interface firewall setup using Shorewall for your institute LAN, and that you have an internal webserver that you want to make reachable from outside as well. The usual way to do this is a port forward with DNAT. Security-wise this is poor: a host that sits on the LAN is exposed directly to the Internet, so if the webserver gets compromised the attacker is already inside your network. The cleaner alternative is obviously an extra NIC and a DMZ, but I'll stick to the two-interface setup here.

The port forward itself works fine, but what happens when a host on the internal network opens the website by its public URL? The request goes out to the gateway and gets DNATed back in, and because the webserver sits on the same subnet as the client it answers the client directly instead of through the gateway. The client then sees a reply from 192.168.1.10 rather than from the address it connected to, the reply never matches the connection it opened, and the request hangs until it times out. There are two workarounds. The recommended one is to configure your internal DNS to answer queries for the webserver's name with the internal IP (split-horizon DNS). The other is to have the gateway masquerade as the internal webserver, which is nothing short of a quick hack and is also rather poor security-wise: the webserver then sees every internal client as 192.168.1.1, so its logs can no longer tell internal clients apart. The Shorewall website gives the following rules for this, for the case of a transparent proxy.

Example IP addresses:

Gateway’s external interface (eth0): 210.45.21.55

Gateway’s internal interface (eth1) : 192.168.1.1

Internal Webserver: 192.168.1.10

So here come the rules:

In /etc/shorewall/rules:

#ACTION   SOURCE  DEST                  PROTO   DEST     SOURCE   ORIGINAL
#                                               PORT(S)  PORT(S)  DEST
REDIRECT  loc     3128                  tcp     www      -        !210.45.21.55

DNAT      loc     loc:192.168.1.10      tcp     www      -        210.45.21.55

In /etc/shorewall/masq:

#INTERFACE               SOURCE         ADDRESS          PROTO   PORT(S)
eth1:192.168.1.10        eth1           192.168.1.1      tcp     www

In /etc/shorewall/interfaces, make sure you have the 'routeback' option enabled for eth1: the hairpinned request arrives on eth1 and has to leave on eth1 again, which Shorewall refuses unless that option is set.

Now here's the part that you won't find in the Shorewall documentation. If you're migrating to a non-transparent proxy, the browsers on the LAN talk to the proxy on the gateway directly, and the proxy opens the connection to 210.45.21.55 itself. That connection originates on the firewall (zone $FW), so it never passes through the loc-to-loc DNAT above and needs a DNAT of its own. Add the following rule after the above mentioned DNAT.

DNAT      $FW     loc:192.168.1.10:80   tcp     80       -        210.45.21.55
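To see where each of these rules actually takes effect, here is a small model of the three netfilter nat hooks the Shorewall gateway places them in (PREROUTING for traffic arriving on eth1, OUTPUT for traffic the gateway generates itself, POSTROUTING for the masq line). This is an added example written for this post, not code from the original article or from Shorewall; the addresses are the ones above, while the LAN client 192.168.1.5, the outside site 203.0.113.10 and the proxy being Squid on port 3128 are assumptions. It traces the three cases that matter: a LAN client hitting the public IP with and without the masq line, a LAN client going to some other site, and the proxy on the gateway fetching the public IP with and without the $FW rule.

```python
# Added example, not from the original post or from Shorewall: a model of the
# nat hooks the gateway's rules live in, used to trace the post's scenarios.
# Addresses are the post's; CLIENT and OUTSIDE are assumed for illustration.
from dataclasses import dataclass, replace
from typing import Optional

EXT_IP = "210.45.21.55"     # gateway eth0
GW_LAN_IP = "192.168.1.1"   # gateway eth1
WEB = "192.168.1.10"        # internal webserver
LAN_PREFIX = "192.168.1."
CLIENT = "192.168.1.5"      # assumed LAN host
OUTSIDE = "203.0.113.10"    # assumed external website (documentation range)


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int
    in_if: Optional[str]    # interface the packet arrived on; None = generated on the gateway


# Rule names stand for the lines in /etc/shorewall/rules and /etc/shorewall/masq.
TRANSPARENT = frozenset({"redirect", "dnat_loc", "masq"})
NON_TRANSPARENT = TRANSPARENT | {"dnat_fw"}


def prerouting(p: Pkt, rules) -> Pkt:
    """nat PREROUTING: forwarded traffic that entered on eth1 (zone loc)."""
    if p.in_if != "eth1" or p.dport != 80:
        return p
    if "redirect" in rules and p.dst != EXT_IP:
        # REDIRECT loc 3128 tcp www - !210.45.21.55 -> hand to the proxy
        return replace(p, dst=GW_LAN_IP, dport=3128)
    if "dnat_loc" in rules and p.dst == EXT_IP:
        # DNAT loc loc:192.168.1.10 tcp www - 210.45.21.55
        return replace(p, dst=WEB)
    return p


def output(p: Pkt, rules) -> Pkt:
    """nat OUTPUT: traffic the gateway itself generates (zone $FW), e.g. the proxy."""
    if p.in_if is None and "dnat_fw" in rules and p.dst == EXT_IP and p.dport == 80:
        # DNAT $FW loc:192.168.1.10:80 tcp 80 - 210.45.21.55
        return replace(p, dst=WEB)
    return p


def postrouting(p: Pkt, rules) -> Pkt:
    """nat POSTROUTING: the masq line eth1:192.168.1.10 eth1 192.168.1.1 tcp www."""
    if "masq" in rules and p.in_if == "eth1" and p.dst == WEB and p.dport == 80:
        return replace(p, src=GW_LAN_IP)
    return p


def traverse(p: Pkt, rules) -> Pkt:
    """Apply the hooks in the order the kernel does for this kind of packet."""
    p = prerouting(p, rules) if p.in_if is not None else output(p, rules)
    return postrouting(p, rules)


def reply_returns_via_gateway(p_out: Pkt) -> bool:
    """The webserver answers p_out.src. If that is a plain LAN address the reply
    goes straight to the client, bypassing the gateway's un-DNAT, and arrives
    from 192.168.1.10 instead of 210.45.21.55, so the client's TCP stack drops it."""
    return p_out.src == GW_LAN_IP or not p_out.src.startswith(LAN_PREFIX)


def lan_client_to_external_ip(rules) -> Pkt:
    return traverse(Pkt(CLIENT, EXT_IP, 80, "eth1"), rules)


def lan_client_to_outside_site(rules) -> Pkt:
    return traverse(Pkt(CLIENT, OUTSIDE, 80, "eth1"), rules)


def proxy_on_gateway_to_external_ip(rules) -> Pkt:
    # The proxy fetching http://210.45.21.55/ on a LAN client's behalf: the socket
    # is opened on the gateway, so the packet is locally generated (in_if=None).
    return traverse(Pkt(EXT_IP, EXT_IP, 80, None), rules)


if __name__ == "__main__":
    for name, rules in (("transparent", TRANSPARENT),
                        ("transparent, no masq", TRANSPARENT - {"masq"}),
                        ("non-transparent", NON_TRANSPARENT)):
        hit = lan_client_to_external_ip(rules)
        print(f"{name}: LAN client -> {hit.dst}:{hit.dport} as {hit.src}, "
              f"reply OK={reply_returns_via_gateway(hit)}")
        via = proxy_on_gateway_to_external_ip(rules)
        print(f"{name}: proxy on gateway -> {via.dst}:{via.dport}")
```

Running it shows why each line is there: without the masq line the hairpinned request reaches 192.168.1.10 with the client's own source address and the reply bypasses the gateway; with only the transparent-proxy rules the proxy's own connection to 210.45.21.55 is never rewritten, because locally generated packets go through OUTPUT rather than PREROUTING, and only the $FW rule sends it to the internal webserver.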
