From: Bob Tellefson <bob@zooid.com>
To: netfilter@lists.netfilter.org
Subject: Re: Protecting multiple webservers
Date: Wed, 12 Jan 2005 04:01:01 +0000	[thread overview]
Message-ID: <200501120401.01332.bob@zooid.com> (raw)
In-Reply-To: <15069645.1105491740310.JavaMail.rct@kale>

On Wednesday 12 January 2005 01:01, gui wrote:
> Hello,
>
> I work as a computer programmer for a small university and I was asked
> to set up a firewall to protect three Apache web servers.  Each server
> runs on its own machine, each server has its own name, public IP
> address and they all listen on port 80.
>
> After reading a few howto's, I came up with the following iptables
> rules (I won't list all of them):
>
> #www.server1.edu
> -A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 80 -j DNAT --to
> 192.168.0.2:80
>
> #www.server2.edu
> -A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 8080 -j DNAT --to
> 192.168.0.3:80
>
> Those rules work fine in the little network I created in my office.

Since your web servers have valid public IP addresses, DNAT will not be needed.

Just be sure that your FORWARD rules allow the required traffic through.  If 
your default FORWARD policy is DROP, add a line such as:

iptables -A FORWARD -p tcp -m multiport --dports 80,8080 -j ACCEPT

or you may wish to filter for each host like:

iptables -A FORWARD -p tcp -d x.x.x.103 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d x.x.x.104 --dport 8080 -j ACCEPT

Using the first example, you can have any number of hosts listening on ports 
80 and/or 8080 without firewall changes.  The second approach would, of 
course, require individual lines for each server you wish to open up.



-- 

Bob Tellefson
Java network application development & hosting

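The following is an added example, not part of Bob's message or the original thread. It generates, from a list of servers, an iptables-restore fragment that implements the per-host FORWARD approach described above, and adds the piece a default-DROP FORWARD policy also needs: a rule accepting ESTABLISHED,RELATED traffic so the servers' reply packets are forwarded back to the clients. The interface names (eth0 public side, eth1 server side) and the 203.0.113.x addresses are assumptions for illustration only.

```shell
#!/bin/sh
# Added example (not from the original thread): emit an iptables-restore
# fragment for the filter table that opens each web server individually
# and handles return traffic under a FORWARD policy of DROP.
# Assumed topology: eth0 faces the Internet, eth1 faces the server LAN,
# and the servers hold routable public addresses (no DNAT involved).

WAN_IF=eth0
LAN_IF=eth1

# Constructed sample data: one "address/port" entry per server.
WEB_HOSTS="203.0.113.103/80 203.0.113.104/80 203.0.113.105/80"

gen_forward_rules() {
    printf '%s\n' '*filter'
    # Default policy for forwarded traffic: drop anything not listed below.
    printf '%s\n' ':FORWARD DROP [0:0]'
    # Replies and related packets (for example ICMP errors) belonging to
    # connections already accepted.  Without this line the servers' SYN-ACKs
    # and data would be dropped on their way back out, so nothing would work.
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # New TCP connections arriving from the public side, one rule per server
    # and port, so adding a server means adding a line here.
    for entry in $WEB_HOSTS; do
        addr=${entry%/*}
        port=${entry#*/}
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $addr --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Count how many per-server accept rules the generated fragment contains;
# handy as a sanity check before loading the rules.
count_server_rules() {
    gen_forward_rules | grep -c -- '--state NEW -j ACCEPT'
}

# Usage (as root): gen_forward_rules | iptables-restore -n
# The -n (--noflush) flag leaves the nat and mangle tables and any other
# filter chains untouched; only FORWARD is replaced.
```

Because the rules match on `-i`/`-o` as well as the destination address, a packet arriving on the server-side interface with a spoofed public destination is not accepted by these lines. Restricting `--state NEW` to the public-to-server direction also keeps the web servers from opening outbound connections through this chain unless a separate rule allows it.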
