Port forwarding question - Networking


Thread: Port forwarding question

  1. Port forwarding question

    Greetings to all,

    Here is the issue that I do not know how to resolve. There is a Debian
    based internet gateway with iptables firewall.

    There are 3 servers currently running, all 3 with up and running web
    servers (apache, apache2 and IIS). How can I direct traffic from the
    Internet to the web server that is not on gateway, but in the local
    network? In addition, how can I enable users from the internet to use
    *all* 3 web servers at their discretion (for example, when user writes
    www.mydomain.net/server1 - IIS on local IP x.x.x.y server pops out,
    www.mydomain.net/server2 -apache2 server on local IP x.x.x.z pops out,
    etc...)?

    I hope I was clear enough.

    TIA!

    --
    Everything will be okay
    in the end.
    If it's not okay
    it's not the end!

  2. Re: Port forwarding question

    Bubba wrote:
    > There are 3 servers currently running, all 3 with up and running web
    > servers (apache, apache2 and IIS). How can I direct traffic from the
    > Internet to the web server that is not on gateway, but in the local
    > network? In addition, how can I enable users from the internet to use
    > *all* 3 web servers at their discretion (for example, when user writes
    > www.mydomain.net/server1 - IIS on local IP x.x.x.y server pops out,
    > www.mydomain.net/server2 -apache2 server on local IP x.x.x.z pops out,
    > etc...)?


    If you want to do it based on the URL, then you need to use Apache on
    the gateway with mod_rewrite. Something like this :

    RewriteEngine on
    RewriteRule /server1/(.*) http://10.1.2.3/$1 [proxy,qsappend,last]
    RewriteRule /server2/(.*) http://10.1.2.4/$1 [proxy,qsappend,last]
    RewriteRule /server3/(.*) http://10.1.2.5/$1 [proxy,qsappend,last]

    If you want to do it with iptables/netfilter then you could do something
    like this :

    iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 10.1.2.3:80
    iptables -t nat -A PREROUTING -p tcp --dport 8081 -j DNAT --to 10.1.2.4:80
    iptables -t nat -A PREROUTING -p tcp --dport 8082 -j DNAT --to 10.1.2.5:80

    Cheers,

    Nico


    --
    Nicolas Bouthors -=- Tel : 06 20 71 62 34 -=- Fax : 01 46 87 21 99
    NBi SARL -=- http://nbi.fr -=- nbouthors@nbi.fr

  3. Re: Port forwarding question

    Nicolas BOUTHORS's log on stardate 17 Mar 2008

    > If you want to do it based on the URL, then you need to use Apache on
    > the gateway with mod_rewrite. Something like this :
    >
    > RewriteEngine on
    > RewriteRule /server1/(.*) http://10.1.2.3/$1 [proxy,qsappend,last]
    > RewriteRule /server2/(.*) http://10.1.2.4/$1 [proxy,qsappend,last]
    > RewriteRule /server3/(.*) http://10.1.2.5/$1 [proxy,qsappend,last]


    I might try that one, thx.

    > If you want to do it with iptables/netfilter then you could do
    > something like this :
    >
    > iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 10.1.2.3:80
    > iptables -t nat -A PREROUTING -p tcp --dport 8081 -j DNAT --to 10.1.2.4:80
    > iptables -t nat -A PREROUTING -p tcp --dport 8082 -j DNAT --to 10.1.2.5:80


    Here's my whole iptables:

    #!/bin/sh
    #Flush current rules
    iptables=/sbin/iptables
    $iptables -F
    $iptables -t nat -F

    #Setup default policies to handle unmatched traffic
    $iptables -P INPUT ACCEPT
    $iptables -P OUTPUT ACCEPT
    $iptables -P FORWARD DROP

    LAN="eth1"
    WAN="ppp0"

    #Then we lock our services so they only work from the LAN
    $iptables -I INPUT 1 -i ${LAN} -j ACCEPT
    $iptables -I INPUT 1 -i lo -j ACCEPT
    $iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
    $iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
    $iptables -A INPUT -p UDP --dport 123 -i ${LAN} -j ACCEPT

    #SSH access
    $iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

    #HTTP access
    $iptables -A INPUT -p TCP --dport 80 -i ${WAN} -j ACCEPT

    #Drop TCP / UDP packets to privileged ports
    $iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
    $iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

    #NAT
    $iptables -I FORWARD -i ${LAN} -d 192.168.1.0/255.255.255.0 -j DROP
    $iptables -A FORWARD -i ${LAN} -s 192.168.1.0/255.255.255.0 -j ACCEPT
    $iptables -A FORWARD -i ${WAN} -d 192.168.1.0/255.255.255.0 -j ACCEPT
    $iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

    #Port forward is OK!
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr

    #Port forwarding
    $iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.1.2

    I already tried with port forwarding similar to yours, but failed. Any
    idea why? I did something like this:

    $iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.1.252

    however, regardless of that, I still get the web server from the
    gateway when I try to connect from the internet to my domain.


    --
    Everything will be okay
    in the end.
    If it's not okay
    it's not the end!
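The two mechanisms Nico describes (DNAT in the nat table's PREROUTING chain, followed by the filter table's FORWARD chain) and Bubba's observation that the gateway's own web server still answers can both be checked with a small first-match simulator. The script below is an added example, not code from either poster: it parses a constructed ruleset modelled on Bubba's script, applies a packet to PREROUTING, makes the routing decision (local address means INPUT, anything else means FORWARD) and then walks the matching filter chain. The gateway addresses 203.0.113.10 and 192.168.1.1 and the client addresses are assumed documentation-range values, and conntrack, POSTROUTING and non-terminating targets are deliberately left out.

```python
# Added example (not from the thread): first-match simulation of a small
# iptables ruleset to show which chain an inbound packet ends up in after DNAT.
import ipaddress
import shlex

# Service names used in the thread's script (assumed /etc/services values)
SERVICE_PORTS = {"ssh": 22, "http": 80, "domain": 53, "bootps": 67}
TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT"}
GATEWAY = {"203.0.113.10", "192.168.1.1"}  # constructed WAN and LAN addresses

# Constructed sample, modelled on the gateway script posted in the thread.
SAMPLE_SCRIPT = """
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -I INPUT 1 -i eth1 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport domain -i ! eth1 -j REJECT
iptables -A INPUT -p TCP --dport ssh -i ppp0 -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -i ppp0 -j ACCEPT
iptables -A INPUT -p TCP -i ! eth1 -d 0/0 --dport 0:1023 -j DROP
iptables -A FORWARD -i ppp0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -i ppp0 -j DNAT --to 192.168.1.252
"""


def parse_rule(line):
    """Turn one 'iptables ...' command into a dict; None for any other line."""
    toks = shlex.split(line)
    if not toks or not toks[0].endswith("iptables"):
        return None
    rule, i = {"table": "filter", "neg": set()}, 1
    while i < len(toks):
        t = toks[i]
        if t == "!":                      # new-style negation: ! -i eth1
            rule["neg"].add(toks[i + 1])
            i += 1
        elif t == "-t":
            rule["table"] = toks[i + 1]
            i += 2
        elif t == "-P":                   # chain policy
            rule["policy"] = (toks[i + 1], toks[i + 2])
            i += 3
        elif t in ("-A", "-I"):
            rule["chain"], rule["insert"] = toks[i + 1], t == "-I"
            i += 2
            if t == "-I" and i < len(toks) and toks[i].isdigit():
                rule["pos"] = int(toks[i])
                i += 1
        elif t in ("-p", "-i", "-s", "-d", "--dport", "-j", "--to", "--to-destination"):
            val = toks[i + 1]
            if val == "!":                # old-style negation: -i ! eth1
                rule["neg"].add(t)
                val = toks[i + 2]
                i += 1
            rule[t] = val
            i += 2
        else:
            i += 1
    return rule


def load_ruleset(script):
    """Build per-(table, chain) rule lists, honouring -A versus -I ordering."""
    chains, policies = {}, {}
    for line in script.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if "policy" in rule:
            policies[(rule["table"], rule["policy"][0])] = rule["policy"][1]
        elif "chain" in rule:
            lst = chains.setdefault((rule["table"], rule["chain"]), [])
            lst.insert(rule.get("pos", 1) - 1, rule) if rule["insert"] else lst.append(rule)
    return chains, policies


def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)


def _port_ok(spec, port):
    lo, _, hi = spec.partition(":")
    lo = SERVICE_PORTS.get(lo, lo)
    hi = SERVICE_PORTS.get(hi, hi) if hi else lo
    return int(lo) <= port <= int(hi)


def rule_matches(rule, pkt):
    checks = {"-p": lambda v: v.lower() == pkt["proto"],
              "-i": lambda v: v == pkt["in_if"],
              "-s": lambda v: pkt["src"] in _net(v),
              "-d": lambda v: pkt["dst"] in _net(v),
              "--dport": lambda v: _port_ok(v, pkt["dport"])}
    for key, check in checks.items():
        if key in rule and check(rule[key]) == (key in rule["neg"]):
            return False              # plain match failed, or a negated match hit
    return True


def walk(chains, policies, table, chain, pkt):
    """First matching terminating rule wins; otherwise the chain policy applies."""
    for rule in chains.get((table, chain), []):
        if rule.get("-j") in TERMINATING and rule_matches(rule, pkt):
            return rule["-j"], rule
    return policies.get((table, chain), "ACCEPT"), None


def trace(script, pkt, gateway_addrs):
    """New inbound connection: nat PREROUTING -> routing decision -> INPUT or FORWARD."""
    chains, policies = load_ruleset(script)
    pkt = dict(pkt, src=ipaddress.ip_address(pkt["src"]), dst=ipaddress.ip_address(pkt["dst"]))
    verdict, rule = walk(chains, policies, "nat", "PREROUTING", pkt)
    if verdict == "DNAT":             # rewrite destination before routing
        host, _, port = rule.get("--to", rule.get("--to-destination")).partition(":")
        pkt["dst"] = ipaddress.ip_address(host)
        pkt["dport"] = int(port) if port else pkt["dport"]
    chain = "INPUT" if str(pkt["dst"]) in gateway_addrs else "FORWARD"
    verdict, _ = walk(chains, policies, "filter", chain, pkt)
    return chain, verdict, str(pkt["dst"]), pkt["dport"]


def from_internet():
    """Client on the Internet connecting to the public address on port 80."""
    return trace(SAMPLE_SCRIPT, {"proto": "tcp", "in_if": "ppp0", "src": "198.51.100.7",
                                 "dst": "203.0.113.10", "dport": 80}, GATEWAY)


def from_lan_to_public_ip():
    """LAN client testing the public name: arrives on eth1, so '-i ppp0' never matches."""
    return trace(SAMPLE_SCRIPT, {"proto": "tcp", "in_if": "eth1", "src": "192.168.1.50",
                                 "dst": "203.0.113.10", "dport": 80}, GATEWAY)


if __name__ == "__main__":
    print("from Internet:", from_internet())
    print("from LAN     :", from_lan_to_public_ip())
```

Run stand-alone, the first trace shows the Internet client being translated to 192.168.1.252 and accepted in FORWARD, which is the path Nico's DNAT rules rely on (the gateway's own `--dport 80` INPUT rule never sees that packet). The second trace shows a test made from inside the LAN against the public address: the PREROUTING rule is restricted to `-i ppp0`, so no translation happens, the packet is routed to INPUT, and the gateway's own web server answers. That is one check worth making before debugging the rules themselves; the simulator ignores conntrack state and the POSTROUTING masquerade, so it says nothing about reply traffic.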
