[svlug] DNS behind a NAT firewall

Robert Hajime Lanning lanning at lanning.cc
Mon Jul 2 23:31:02 PDT 2001


You don't point DNS to the hidden address behind the firewall.

You have one (1) address that others can see.  No-one outside of the
firewall can see the internal addresses.

So what you have to do to provide http, smtp and/or ftp services to
the internet via proxing or port forwarding.

Basicly you have the firewall take an incoming connection and forward
it to an internal machine.  You can only have one service per port
and each port can only be pointed to one machine (unless you just want
to load share across simularly configured machines.)

So if you wanted to do http to machine A behind the firewall you can
setup port 80 (the http port) to forward to port 80 of machine A.  If
you want to also access machine B via http, then you would have to
setup another port (eg. 81) to forward to port 80 of machine B.
Then to get to machine B you would use "http://external.domain:81/".

Since you have only one address, the only way to do multiple domains
is to do what is called "virtual hosting".

For HTTP (web), virtual hosting is fairly simple.  The apache webserver
has this capability standard.

For SMTP (email), you have to configure your message transport agent (MTA)
to accept email for multiple domains. (This is usualy a sendmail
configuration change.)

For FTP, you just have multiple subdirectories.

---- As written by Steve Hill:
> 
> I am running a multi-unit LAN behind a firewall, connected to a "single"
> static IP address issued by my DSL provider.  I am having a "thinko"
> trying to figure out how I can name a unit behind the firewall, such
> that it can be seen by the internet.  i.e., how do I get a name line
> system.dsl.com or how do I link my domainname to my IP address?  I don't
> need a cookie-cutter solution, but I need a couple of pointers that I
> can follow to solve my problem.
> 
> Ultimately, I'd like to maintain my own mail and web servers behind the
> firewall.
> 
> Thanks,
>   Steve
> 
> 
> _______________________________________________
> svlug mailing list
> svlug at lists.svlug.org
> http://lists.svlug.org/mailman/listinfo/svlug
> 


-- 
/* Robert Hajime Lanning                             lanning at lanning.cc
** Trade: Unix Systems Administrator (Senior level) (SAGE IV)
*/
#include <std_disclaimer.h>




More information about the svlug mailing list