Re: HTTP SERVER ON FORWARDED MACHINE

From: John-Paul Stewart (jpstewart_at_binaryfoundry.ca)
Date: 08/24/04

    Date: Tue, 24 Aug 2004 13:38:09 -0400


    JoeAley2003 wrote:
    > John-Paul Stewart <jpstewart@binaryfoundry.ca> wrote in message news:<d4bdgc.jgf.ln@mail.binaryfoundry.ca>...
    >
    >>JoeAley2003 wrote:
    >>
    >>>Hi all...
    >>>
    >>>
    >>> I have a Red Hat Linux 9 machine connected to the Internet and one
    >>>computer that receives Internet access forwarded from the Linux machine.
    >>>
    >>> What I need is to run an HTTP server, valid on the Internet, on this
    >>>forwarded computer, where I run Apache on port 80.
    >>
    >>Use these as a starting point:
    >>
    >>iptables -A FORWARD -s 0.0.0.0/0 -d $IP_INTERNET -p tcp \
    >> --destination-port 80 -j ACCEPT
    >>
    >>iptables -t nat -A PREROUTING -d $IP_INTERNET -j DNAT \
    >> --to-destination <local-ip-address>
    >>
    >>iptables -t nat -A POSTROUTING -o $IFACE_INTERNET \
    >> -s <local-ip-address> -j SNAT --to-source $IP_INTERNET
    >>
    >>Those will almost certainly need some modification to suit your
    >>situation. They're based on my setup where externally visible machines
    >>get 1-1 NATed, since I have more than one publicly visible IP address.
    >>But the idea should get you started. Note that local-ip-address
    >>refers to the address of the machine running Apache, *not* the local
    >>address of the machine running iptables.
    >
    > Thank you for your reply, but those command lines don't work.
    >
    > Unfortunately, I did not understand the "0.0.0.0/0".

    That's one way of saying "any Internet address". You type in literally
    "0.0.0.0/0" and iptables interprets it as "anywhere".

    > Iptables accepts all these command lines, but when I request
    > http://IP_INTERNET from an Internet machine, it doesn't work.

    You do realize that you cannot just type in those exact commands and
    expect it to work. You need to add the rules at the appropriate places
    in the chains. For example, I'd make sure the two NAT rules are *first*
    in their respective NAT chains, and the port 80 rule needs to go early
    enough in its chain that it will actually take effect. If you just type
    in the iptables commands, it will place these rules last, and
    potentially after another (more general) rule which has already denied
    the packet (thus rendering the new rule useless).

    Looking back at the original post, I'd suggest putting the first rule I
    gave you as the first one in the "(4) FORWARD chain rules" section of
    your script, and the two new NAT rules before the existing rule in "(6)
    POSTROUTING chain rules".

    Getting the rules into the right place in a running firewall is easy
    enough if you know what you're doing. If not, you can always resort to
    editing the script and rebooting.
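One way to put the rules where the reply above says they belong, as an added example that is not part of the original thread: a small shell script that generates the iptables commands with -I (insert at position 1) instead of -A, so they land first in their chains no matter what the rest of the firewall script appends, plus a checker that reads `iptables -S FORWARD` output and reports whether the port-80 ACCEPT sits behind an earlier general DROP or REJECT (the "rendering the new rule useless" case). The public address 203.0.113.5, internal address 192.168.1.10, interface eth0 and the sample chain listings are constructed for illustration. One caveat the quoted rules do not make explicit: DNAT in nat/PREROUTING is applied before the filter FORWARD chain is consulted, so the FORWARD rule must match the internal host's address, not $IP_INTERNET. `-m conntrack --ctstate` is the current spelling of the older `-m state --state` match.

```shell
#!/bin/sh
# Added example (not from the original post): emit iptables commands that
# forward inbound TCP/80 on a public address to an internal Apache host,
# inserting them at the head of their chains, and check a FORWARD chain
# listing for an ACCEPT shadowed by an earlier DROP/REJECT.
# Addresses and interface names below are assumptions for illustration.

# forward_rules PUBLIC_IP PUBLIC_IFACE INTERNAL_IP PORT
# Prints the commands instead of running them so they can be reviewed
# first, then applied as root with:  forward_rules ... | sh
forward_rules() {
    pub_ip=$1
    pub_if=$2
    int_ip=$3
    port=$4
    # The Linux box must route between its interfaces at all.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Rewrite the destination before the routing decision. Matching the one
    # port keeps every other protocol on the public address off the internal host.
    echo "iptables -t nat -I PREROUTING 1 -i $pub_if -p tcp -d $pub_ip --dport $port -j DNAT --to-destination $int_ip"
    # FORWARD runs after DNAT, so the destination it sees is the internal
    # address, not the public one.
    echo "iptables -I FORWARD 1 -i $pub_if -p tcp -d $int_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    # Apache's replies going back out; conntrack undoes the DNAT for them.
    echo "iptables -I FORWARD 2 -o $pub_if -p tcp -s $int_ip --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    # 1-1 NAT for the internal host's own outbound traffic.
    echo "iptables -t nat -I POSTROUTING 1 -o $pub_if -s $int_ip -j SNAT --to-source $pub_ip"
}

# accept_position INTERNAL_IP   (reads `iptables -S FORWARD` output on stdin)
# Prints "ok" if the first ACCEPT for INTERNAL_IP precedes every DROP/REJECT
# in the chain, "shadowed" if a DROP/REJECT comes first, "missing" if there
# is no such ACCEPT. -S prints host addresses as a.b.c.d/32, hence the "/".
accept_position() {
    awk -v host="$1" '
        /^-A / { n++ }
        !acc && index($0, "-d " host "/") && /-j ACCEPT/ { acc = n }
        !drop && /-j (DROP|REJECT)/ { drop = n }
        END {
            if (!acc) print "missing"
            else if (drop && drop < acc) print "shadowed"
            else print "ok"
        }'
}

# Constructed `iptables -S FORWARD` output: the ACCEPT was appended with -A
# and sits behind a blanket DROP on the public interface, so it never fires.
SAMPLE_SHADOWED='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j DROP
-A FORWARD -d 192.168.1.10/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT'

# Constructed listing of the same chain after inserting the rule with -I.
SAMPLE_OK='-P FORWARD DROP
-A FORWARD -d 192.168.1.10/32 -i eth0 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j DROP'

forward_rules 203.0.113.5 eth0 192.168.1.10 80
printf '%s\n' "$SAMPLE_SHADOWED" | accept_position 192.168.1.10   # shadowed
printf '%s\n' "$SAMPLE_OK" | accept_position 192.168.1.10         # ok
```

On a live box, `iptables -S FORWARD | accept_position 192.168.1.10` after loading the firewall script tells you whether the appended rule is reachable before you start debugging with tcpdump; `iptables -L FORWARD -n --line-numbers` shows the same ordering for reading by eye.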

