Re: webserver behind firewall


Subject: Re: webserver behind firewall
From: James Zuelow (e5z8652@zuelow.net)
Date: Wed Jan 29 2003 - 17:11:18 AKST


On Wed, 29 Jan 2003 15:58:55 -0900
"Mike Barsalou" <mbarsalou@aidea.org> wrote:

>
> I would like to test a new webserver that will be behind a firewall.
> I think I would be using iptables and DNAT but don't want to use
> the default ports. What kind of things will I need to do on my
> firewall to get it working? Here is what I think I need to do:
>
> Any packets coming to MYIP:8080 get DNAT'd to INTERNALIP:80 (what
> does this command look like?)
> Any packets returning from the webserver then get sent back to the
> outside user (what does this look like?)

This forwards port 80 to port 80, and uses masquerade so that all
outbound traffic appears to come from your external IP. $IPTABLES
means /sbin/iptables; eth1 is external, eth0 is internal:

#$IPTABLES is /sbin/iptables (as noted above)
IPTABLES=/sbin/iptables

#required for NAT or Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward

#port-forwarding:
#Use SNAT for static --to x for static IP only
#$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to 1.2.3.4

#Use MASQUERADE for dynamic IP (works for static as well)
$IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE

#specified ports to the specified ip address:
#
$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.0.1.100

#Mirror the port forwarding entries above on the FORWARD chain:
#(otherwise will be dropped):
$IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT

#Set up state-matching, both INPUT and FORWARD:
$IPTABLES -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# you might want more control over your outbound connections (ie
# limit them to port 80, etc.)
$IPTABLES -A INPUT -i eth0 -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# again, pay attention to your outbound stuff.
$IPTABLES -A FORWARD -i eth0 -j ACCEPT

I've got to get my kids to swimming, so don't have time to look up the
DNAT syntax you're interested in, but this should get you started.

> Are there any routing issues?

I think just the masquerade stuff should handle it.

>
> I have tried a few times, but I just can't get it right.
>
> Mike
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.

HTH,

James

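The variant Mike actually asked for (outside port 8080 forwarded to inside port 80), as an added example that is not part of James's reply or the thread: a POSIX sh function that emits an iptables-restore ruleset with default DROP policies, where the FORWARD rule matches the post-DNAT address and port rather than the public port. The interface names eth1/eth0, the 10.0.1.100 address and the ports are assumed values carried over from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore
# ruleset that DNATs EXT_PORT on the external interface to INT_IP:INT_PORT.
# Interface names, ports and the 10.0.1.100 address are assumed values.
#
# Usage: dnat_ruleset EXT_IF INT_IF EXT_PORT INT_IP INT_PORT | iptables-restore
# Read the output first; loading it replaces the nat and filter tables.

dnat_ruleset() {
    ext_if=$1 int_if=$2 ext_port=$3 int_ip=$4 int_port=$5
    # Reject anything that is not a port in 1-65535 so a typo cannot
    # expose a different service than intended.
    for p in "$ext_port" "$int_port"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the destination before routing. Conntrack un-NATs the replies,
# so packets returning to the outside user need no rule of their own.
-A PREROUTING -i $ext_if -p tcp --dport $ext_port -j DNAT --to-destination $int_ip:$int_port
# Masquerade only traffic leaving on the external interface.
-A POSTROUTING -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# FORWARD sees the packet after DNAT: match the internal address and port
# (not the public port) and pin both interfaces so only this path opens.
-A FORWARD -i $ext_if -o $int_if -d $int_ip -p tcp --dport $int_port -m conntrack --ctstate NEW -j ACCEPT
# Inside hosts may open outbound connections; tighten this as needed.
-A FORWARD -i $int_if -o $ext_if -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# The kernel must forward packets at all for DNAT to do anything.
enable_forwarding() { echo 1 > /proc/sys/net/ipv4/ip_forward; }
```

`-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the reply above; both accept the same state names.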



This archive was generated by hypermail 2a23 : Wed Jan 29 2003 - 17:11:29 AKST