Re: [squid-users] (111) Connection refused

From: Michael Alger <squid_at_mm.quex.org>
Date: Fri, 22 Aug 2008 11:50:28 +0800

On Fri, Aug 22, 2008 at 10:07:53AM +0700, ????????? ????z??up?????? ??z?????? ????????? wrote:
> ## Forward port 80 to mail server
> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.51.119 \
>   --dport 80 -j DNAT --to-destination 172.16.0.2

This looks like you're redirecting from your external interface's
port 80 to another server. Presumably there's nothing listening on
port 80 on your DMZ server?

> Problem:
> I can't browse to my-sub.domain.ext from network
> but I can browse my-sub.domain.ext from external (other place)
>
> The following error was encountered:
>
> * Connection to 202.169.51.119 Failed
>
> The system returned:
>
> (111) Connection refused

Your proxy is connecting from a different interface (eth2 I think)
and therefore the connection to port 80 is not being redirected to
the mail server. You *may* be able to solve this by also redirecting
the connection from your proxy server, but you'll also need to use
source NAT so your mail server's www service sends its replies to
your DMZ server. Without the SNAT, the mail server will reply
directly to the proxy server, and that will confuse the proxy
because it thinks it's talking to your external IP.

The other common solution to this problem is to use so-called "split
horizon DNS", whereby you have internal DNS servers which return the
internal address (i.e. my-sub.domain.ext will resolve to 172.16.0.1,
rather than your external IP) but your external DNS servers will
return your external address. That way your clients inside the
network get the correct address.

Depending on how your squid is doing DNS lookups, you may be able to
add an entry to the /etc/hosts file on your proxy server and then
explicitly configure the proxy for your clients. If that works this
might provide an acceptable short-term solution.
Received on Fri Aug 22 2008 - 03:50:32 MDT
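
The asymmetric-reply problem described in the reply above, as an added example that is not part of the original post: a small Python model of a NAT box doing DNAT with and without source NAT. The external and mail server addresses come from the post; the proxy address, the NAT box's internal address, direct reachability between mail server and proxy, and all names in the code are assumptions.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str

EXTERNAL_IP = "202.169.51.119"  # from the post: address the proxy connects to
MAIL_SERVER = "172.16.0.2"      # from the post: DNAT target
PROXY = "172.16.0.10"           # assumed: proxy address the mail server reaches directly
GATEWAY = "172.16.0.1"          # assumed: internal address of the NAT box

class NatBox:
    """Minimal connection-tracking model: always DNAT, optionally SNAT."""

    def __init__(self, snat: bool):
        self.snat = snat
        self.conntrack = {}  # translated packet -> original packet

    def forward(self, pkt: Packet) -> Packet:
        # DNAT rewrites the destination; SNAT also rewrites the source.
        out = Packet(GATEWAY if self.snat else pkt.src, MAIL_SERVER)
        self.conntrack[out] = pkt
        return out

    def reverse(self, reply: Packet) -> Packet:
        # A reply that passes back through the box is un-translated.
        orig = self.conntrack[Packet(reply.dst, reply.src)]
        return Packet(orig.dst, orig.src)

def reply_seen_by_proxy(snat: bool) -> Packet:
    nat = NatBox(snat)
    translated = nat.forward(Packet(PROXY, EXTERNAL_IP))
    # The server answers whichever source address it saw.
    reply = Packet(MAIL_SERVER, translated.src)
    if reply.dst == GATEWAY:
        return nat.reverse(reply)  # goes back via the NAT box
    return reply                   # delivered directly, bypassing the NAT box

def proxy_accepts(snat: bool) -> bool:
    # The proxy's socket only matches replies from the address it dialled.
    return reply_seen_by_proxy(snat) == Packet(EXTERNAL_IP, PROXY)

if __name__ == "__main__":
    for snat in (False, True):
        print("SNAT" if snat else "DNAT only", reply_seen_by_proxy(snat),
              "accepted" if proxy_accepts(snat) else "dropped by proxy")
```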
