On Fri, 2003-01-17 at 13:15, cc wrote:
> Hi,
>
> I finally got the bridge working and so far,
> things look ok.
>
> From the outside, I can go to the website. That's
> no problem. The problem is for local machines
> going to http://www.mydomain.com/, the firewall
> doesn't seem to be redirecting it properly.
> LAN users have to use http://192.168.11.10/ to
> access the website instead of www.mydomain.com.
>
> I understand that the actual IP address skips
> the firewall and goes directly to the machine.
> From my boss' point of view (totally ignorant
> that 192.168.11.10 = www.mydomain.com), he
> doesn't like that. So I'm hoping that he
> can access (locally) www.mydomain.com.
>
> So far my firewall script (the lines pertaining
> to the www port) is as follows:
>
> $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d x.x.x.x \
>     --dport 80 -j DNAT --to 192.168.10.11
> $IPTABLES -A FORWARD -p tcp -i eth0 -d 192.168.10.11 \
>     --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -i eth0 --dport 80 -j DROP
>
> (I'm not entirely sure about that last item. It looks
> strangely invalid... but I could be wrong. I don't
> even think I should have that there... am I right?)

Depends on the default POLICY for your FORWARD chain. If the default policy is
to drop, then you don't need it.

>
> If all my LAN IPs are on the 192.168.10.0 network,
> and the web server is 192.168.10.11, how do I
> get the LAN clients to go to www.mydomain.com and
> have the firewall redirect the packets to 192.168.10.11?
>

Is the firewall the gateway to the internet for your users?

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -d www.mydomain.com \
    -j DNAT --to-destination 192.168.10.11:80

That should work (eth0 is your internal interface, right?) ...

Of course you also need the forwarding rules:

iptables -A FORWARD -p tcp --dport 80 -d 192.168.10.11 -j ACCEPT
iptables -A FORWARD -p tcp --sport 80 -s 192.168.10.11 -j ACCEPT

These are very wide open rules. You might want to add the -i and maybe state
checking...

> As you probably can figure out, I'm a little confused.
>
> Any help appreciated
>

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
( Raymond Leach                        )
) Knowledge Factory                    (
(                                      )
) Tel: +27 11 445 8100                 (
( Fax: +27 11 445 8101                 )
)                                      (
( http://www.knowledgefactory.co.za/   )
) http://www.saptg.co.za/              (
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
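The rule set below is an added example for this thread, not something either poster wrote. It puts together the pieces the reply only sketches: DNAT for port 80 on both the external and the internal interface, a hairpin SNAT on the way back out to the LAN (without it the web server answers the LAN client directly from 192.168.10.11, the client expected the reply from the public address, and the connection stalls), and FORWARD rules that use a default DROP policy plus state matching instead of a blanket --sport 80 accept. Interface names (eth0 external, eth1 internal), the firewall's LAN address 192.168.10.1 and the /24 mask are assumptions; x.x.x.x is the public-address placeholder from the original post. By default the script only prints the commands it would run; set IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT + hairpin NAT for a LAN web server.
# Dry run by default: IPTABLES="echo iptables" prints the rules instead of
# loading them. Set IPTABLES=iptables (as root) to apply.
IPTABLES="${IPTABLES:-echo iptables}"

WAN_IF="${WAN_IF:-eth0}"                  # assumed: external interface
LAN_IF="${LAN_IF:-eth1}"                  # assumed: internal interface
PUBLIC_IP="${PUBLIC_IP:-x.x.x.x}"         # public address of www.mydomain.com (placeholder)
LAN_NET="${LAN_NET:-192.168.10.0/24}"     # LAN range from the post, /24 assumed
WEB_SERVER="${WEB_SERVER:-192.168.10.11}" # web server from the post
FW_LAN_IP="${FW_LAN_IP:-192.168.10.1}"    # assumed: firewall's own LAN address

hairpin_rules() {
    # Default policy: anything not explicitly accepted in FORWARD is dropped,
    # which makes a trailing "--dport 80 -j DROP" rule unnecessary.
    $IPTABLES -P FORWARD DROP

    # 1. Internet -> PUBLIC_IP:80 : rewrite the destination to the web server.
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUBLIC_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"

    # 2. LAN -> PUBLIC_IP:80 : same rewrite, but matched on the internal
    #    interface so LAN clients can use the public name.
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$LAN_NET" -d "$PUBLIC_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"

    # 3. Hairpin SNAT: for LAN-originated connections that were DNATed above,
    #    make the server see the firewall as the source so its replies come
    #    back through the firewall and get un-NATed correctly.
    $IPTABLES -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -s "$LAN_NET" -d "$WEB_SERVER" --dport 80 \
        -j SNAT --to-source "$FW_LAN_IP"

    # 4. FORWARD: allow only new connections to port 80 on the web server,
    #    and let connection tracking handle the return traffic. No --sport 80
    #    accept, so a client-side source port of 80 does not open anything.
    $IPTABLES -A FORWARD -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Running the script prints (or applies) the rule set.
hairpin_rules
```

The hairpin SNAT in step 3 only matches traffic from the LAN range to the web server, so connections arriving from the internet keep their real source address and the web server's logs stay useful for those. Rule order within the nat table matters: the interface-specific PREROUTING rules must come before any broader NAT rules the rest of the script may add.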