Port forwarding question
Greetings to all,
Here is the issue that I do not know how to resolve. There is a Debian based internet gateway with iptables firewall. There are 3 servers currently running, all 3 with up and running web servers (apache, apache2 and IIS).

How can I direct traffic from the Internet to the web server that is not on the gateway, but in the local network? In addition, how can I enable users from the internet to use *all* 3 web servers at their discretion (for example, when a user writes www.mydomain.net/server1 - IIS on local IP x.x.x.y server pops out, www.mydomain.net/server2 - apache2 server on local IP x.x.x.z pops out, etc...)?

I hope I was clear enough. :)

TIA!
--
Everything will be okay in the end. If it's not okay it's not the end!
Re: Port forwarding question
Bubba wrote:
> There are 3 servers currently running, all 3 with up and running web
> servers (apache, apache2 and IIS). How can I direct traffic from the
> Internet to the web server that is not on the gateway, but in the local
> network? In addition, how can I enable users from the internet to use
> *all* 3 web servers at their discretion (for example, when a user writes
> www.mydomain.net/server1 - IIS on local IP x.x.x.y server pops out,
> www.mydomain.net/server2 - apache2 server on local IP x.x.x.z pops out,
> etc...)?

If you want to do it based on the URL, then you need to use Apache on the gateway with mod_rewrite. Something like this:

RewriteEngine on
RewriteRule /server1/(.*) http://10.1.2.3/$1 [proxy,qsappend,last]
RewriteRule /server2/(.*) http://10.1.2.4/$1 [proxy,qsappend,last]
RewriteRule /server3/(.*) http://10.1.2.5/$1 [proxy,qsappend,last]

If you want to do it with iptables/netfilter then you could do something like this:

iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 10.1.2.3:80
iptables -t nat -A PREROUTING -p tcp --dport 8081 -j DNAT --to 10.1.2.4:80
iptables -t nat -A PREROUTING -p tcp --dport 8082 -j DNAT --to 10.1.2.5:80

Cheers,
Nico
--
Nicolas Bouthors -=- Tel : 06 20 71 62 34 -=- Fax : 01 46 87 21 99
NBi SARL -=- http://nbi.fr -=- nbouthors@nbi.fr
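As an added example (not from Nicolas's post or the thread): the Apache 2.4 virtual host that his RewriteRule lines need around them on the Debian gateway, with modules enabled via `a2enmod rewrite proxy proxy_http`, the patterns anchored so only paths starting with /serverN/ are proxied, and the directives that keep it a reverse proxy rather than an Internet-facing open proxy. The backend addresses 10.1.2.3-5 and the host name www.mydomain.net come from the thread; the DocumentRoot path is an assumption.

```apache
# Added example, not the original poster's configuration.
# Assumes Apache 2.4 on the gateway with rewrite, proxy and proxy_http enabled.
<VirtualHost *:80>
    ServerName www.mydomain.net

    # Reverse proxy only. "ProxyRequests On" would let anyone on the
    # Internet relay arbitrary requests through the gateway.
    ProxyRequests Off

    RewriteEngine On
    # Anchored with ^ so /foo/server1/x is not proxied by accident.
    # P = proxy, QSA = keep the query string, L = stop processing rules.
    RewriteRule ^/server1/(.*)$ http://10.1.2.3/$1 [P,QSA,L]
    RewriteRule ^/server2/(.*)$ http://10.1.2.4/$1 [P,QSA,L]
    RewriteRule ^/server3/(.*)$ http://10.1.2.5/$1 [P,QSA,L]

    # Rewrite Location / Content-Location headers in backend responses so a
    # redirect to http://10.1.2.3/login is sent to the client as /server1/login.
    ProxyPassReverse /server1/ http://10.1.2.3/
    ProxyPassReverse /server2/ http://10.1.2.4/
    ProxyPassReverse /server3/ http://10.1.2.5/

    # Anything that matches no rule is served by the gateway's own site
    # (assumed path).
    DocumentRoot /var/www/html
</VirtualHost>
```

ProxyPassReverse only fixes HTTP headers: a backend that emits absolute links such as /images/x.png in its HTML still needs its own base path set to /serverN/, which is the main practical limit of path-based routing.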
Re: Port forwarding question
Nicolas BOUTHORS's log on stardate 17 Mar 2008
> If you want to do it based on the URL, then you need to use Apache on
> the gateway with mod_rewrite. Something like this:
>
> RewriteEngine on
> RewriteRule /server1/(.*) http://10.1.2.3/$1 [proxy,qsappend,last]
> RewriteRule /server2/(.*) http://10.1.2.4/$1 [proxy,qsappend,last]
> RewriteRule /server3/(.*) http://10.1.2.5/$1 [proxy,qsappend,last]

I might try that one, thx.

> If you want to do it with iptables/netfilter then you could do
> something like this:
>
> iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 10.1.2.3:80
> iptables -t nat -A PREROUTING -p tcp --dport 8081 -j DNAT --to 10.1.2.4:80
> iptables -t nat -A PREROUTING -p tcp --dport 8082 -j DNAT --to 10.1.2.5:80

Here's my whole iptables:

#!/bin/sh
# Flush current rules
iptables=/sbin/iptables
$iptables -F
$iptables -t nat -F

# Set up default policies to handle unmatched traffic
$iptables -P INPUT ACCEPT
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD DROP

LAN="eth1"
WAN="ppp0"

# Then we lock our services so they only work from the LAN
$iptables -I INPUT 1 -i ${LAN} -j ACCEPT
$iptables -I INPUT 1 -i lo -j ACCEPT
$iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
$iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
$iptables -A INPUT -p UDP --dport 123 -i ${LAN} -j ACCEPT

# SSH access
$iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

# HTTP access
$iptables -A INPUT -p TCP --dport 80 -i ${WAN} -j ACCEPT

# Drop TCP / UDP packets to privileged ports
$iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
$iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# NAT
$iptables -I FORWARD -i ${LAN} -d 192.168.1.0/255.255.255.0 -j DROP
$iptables -A FORWARD -i ${LAN} -s 192.168.1.0/255.255.255.0 -j ACCEPT
$iptables -A FORWARD -i ${WAN} -d 192.168.1.0/255.255.255.0 -j ACCEPT
$iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Port forward is OK!
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Port forwarding
$iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.1.2

I already tried with port forwarding similar to yours, but failed. Any idea why? I did something like this:

$iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.1.252

However, regardless of that, I still get the web server from the gateway when I try to connect from the internet to my domain.
--
Everything will be okay in the end. If it's not okay it's not the end!