Hello

Protecting your Apache servers with iptables is a good idea.

In order to use the FORWARD rule you must coordinate with your ISP (or IT
department) so they route packets to your Apache web servers through a
precise IP (which will be the IP of the firewall).

The idea of DNAT here isn't bad since you do not need the ISP's intervention.
The IP will be mapped to the firewall, so users won't see the difference
since they are accessing this IP already (no need to change DNS
information). DNAT makes the firewall invisible and allows packet filtering
like FORWARDing.

You may then map each external IP on the firewall and DNAT each external IP
to an internal IP. Obviously you will adjust the Apache servers' IPs to
internal IPs.

To limit iptables modification, add each external IP to the rules and map
them to internal IPs. If you want to add other servers, place them in the
right internal IP space. If you have new IPs, you will have to modify
iptables.

I do not think you can automagically forward packets; the DNAT module
allows multiple hosts in the --to-destination parameter, but hosts will be
used at random (see
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#DNATTARGET).

Someone correct me if I'm wrong.

Hope that helps

Have a nice day

Maxime Ducharme
Programmer / Network Security Specialist

----- Original Message -----
From: "Bob Tellefson" <bob@xxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, January 11, 2005 11:01 PM
Subject: Re: Protecting multiple webservers

> On Wednesday 12 January 2005 01:01, gui wrote:
> > Hello,
> >
> > I work as a computer programmer for a small university and I was asked
> > to set up a firewall to protect three Apache web servers. Each server
> > runs on its own machine, each server has its own name, public IP
> > address and they all listen on port 80.
> >
> > After reading a few howto's, I came up with the following iptables
> > rules (I won't list all of them):
> >
> > #www.server1.edu
> > -A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 80 -j DNAT --to
> > 192.168.0.2:80
> >
> > #www.server2.edu
> > -A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 8080 -j DNAT --to
> > 192.168.0.3:80
> >
> > Those rules work fine in the little network I created in my office.
>
> Since your web servers have valid public IP addresses DNAT will not be needed.
>
> Just be sure that your FORWARD rules allow the required traffic through. If
> your default FORWARD policy is DROP, add a line such as:
>
> iptables -A FORWARD -p TCP -m multiport --dport 80,8080 -j ACCEPT
>
> or you may wish to filter for each host like:
>
> iptables -A FORWARD -p TCP -d x.x.x.103 --dport 80 -j ACCEPT
> iptables -A FORWARD -p TCP -d x.x.x.104 --dport 8080 -j ACCEPT
>
> Using the first example, you can have any number of hosts listening on ports
> 80 and/or 8080 without firewall changes. The second approach would, of
> course, require individual lines for each server you wish to open up.
>
> --
> Bob Tellefson
> Java network application development & hosting
>
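Added example (not part of the thread, and not code from any of its authors): a small POSIX sh generator for the "one public IP per server, DNATed to an internal host" layout Maxime describes, with the default-deny FORWARD policy Bob insists on. It reads "PUBLIC_IP INTERNAL_IP PORT" lines, emits the nat/PREROUTING DNAT rule plus a matching filter/FORWARD accept for each server, and rejects malformed lines. The function name gen_dnat_rules, the interface eth0 and the 198.51.100.x addresses are constructed stand-ins for the thread's X.X.X.103 / x.x.x.104; it only prints commands, so it can be reviewed before anything is loaded into a live firewall.

```shell
#!/bin/sh
# Added example: generate the iptables commands for a DNAT-based web server
# layout. Mapping lines are "PUBLIC_IP INTERNAL_IP PORT"; the firewall
# holds every PUBLIC_IP, rewrites the destination to INTERNAL_IP, and the
# FORWARD chain admits only new connections to those rewritten destinations.

# gen_dnat_rules EXT_IF < mapping
# Prints rules to stdout; returns 1 on a malformed mapping line.
gen_dnat_rules() {
    ext_if="$1"
    [ -n "$ext_if" ] || { echo "usage: gen_dnat_rules EXT_IF < mapping" >&2; return 1; }

    # Default-deny forwarding; replies to DNATed flows are matched by conntrack.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    while read -r pub int port rest; do
        case "$pub" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        if [ -z "$int" ] || [ -z "$port" ] || [ -n "$rest" ]; then
            echo "bad mapping line: '$pub $int $port $rest'" >&2
            return 1
        fi
        case "$port" in *[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac

        # Rewrite the destination before routing (nat/PREROUTING), then allow
        # only that rewritten flow through filter/FORWARD.
        echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp -d $pub --dport $port -j DNAT --to-destination $int:$port"
        echo "iptables -A FORWARD -i $ext_if -p tcp -d $int --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Constructed mapping: documentation-range public IPs (RFC 5737) standing in
# for the thread's X.X.X.103 / x.x.x.104, one per Apache host.
MAPPING='198.51.100.103 192.168.0.2 80
198.51.100.104 192.168.0.3 80
198.51.100.105 192.168.0.4 80'

# Stand-alone usage: print the rule set for the external interface eth0.
printf '%s\n' "$MAPPING" | gen_dnat_rules eth0
```

Adding a fourth server is one more mapping line, which is the "modify iptables when you have new IPs" cost Maxime mentions; the per-host FORWARD rule keyed on the internal address means a typo in a DNAT target fails closed rather than exposing an unintended host.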