* Apache virtualhost not working behind firewall.
@ 2002-12-20 1:39 Chip Upsal
2002-12-20 3:54 ` Matthew Hellman
2002-12-20 5:33 ` Joel Newkirk
0 siblings, 2 replies; 3+ messages in thread
From: Chip Upsal @ 2002-12-20 1:39 UTC (permalink / raw)
To: netfilter
I have a Windows 2000 server running Apache 2.0.43 with virtual hosts
behind an iptables firewall doing NAT.
I am running iptables v1.2.5 on a Red Hat 7.3 server.
My NAT and forwarding rules look like:
INET_IP="216.184.9.5"
#HTTP_IP="216.184.9.6"
PWWEB_IP="216.184.9.30"
PWODBC_IP="216.184.9.29"
INET_IFACE="eth2"
LAN_IP="192.168.1.15"
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST_ADRESS="192.168.1.255"
LAN_IFACE="eth0"
DMZ_PWWEB_IP="192.168.0.2"
DMZ_PWSQL_IP="192.168.0.3"
DMZ_PWODBC_IP="192.168.0.4"
DMZ_IP="192.168.0.1"
DMZ_IFACE="eth1"
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT
#
# PWWEB
#
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PWWEB_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PWWEB_IP \
-j icmp_packets
#
# PWODBC
#
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PWODBC_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PWODBC_IP \
-j icmp_packets
#
# PWWEB
#
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $PWWEB_IP --dport 80 \
-j DNAT --to-destination $DMZ_PWWEB_IP
$IPTABLES -t nat -A PREROUTING -p ICMP -i $INET_IFACE -d $PWWEB_IP \
-j DNAT --to-destination $DMZ_PWWEB_IP
#
# PWODBC
#
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $PWODBC_IP --dport 80 \
-j DNAT --to-destination $DMZ_PWODBC_IP
$IPTABLES -t nat -A PREROUTING -p ICMP -i $INET_IFACE -d $PWODBC_IP \
-j DNAT --to-destination $DMZ_PWODBC_IP
The problem...
When the server is connected directly to the Internet all works well.
However, when it is behind the firewall the virtual hosts are not working
(you can only access the default web site).
Furthermore, I am getting the following errors when starting iptables:
[root@iptables init.d]# ./iptables restart
Flushing all current rules and user defined chains: [ OK ]
Clearing all current rules and user defined chains: [ OK ]
Applying iptables firewall rules: [ OK ]
iptables v1.2.5: Unknown arg `--to-destination'
Try `iptables -h' or 'iptables --help' for more information.
[ OK ]
Any ideas on a solution would be most appreciated.
Chip
* Re: Apache virtualhost not working behind firewall.
From: Matthew Hellman @ 2002-12-20 3:54 UTC (permalink / raw)
To: Chip Upsal, netfilter
> INET_IP="216.184.9.5"
> #HTTP_IP="216.184.9.6"
> PWWEB_IP="216.184.9.30"
> PWODBC_IP="216.184.9.29"
> INET_IFACE="eth2"
>
> LAN_IP="192.168.1.15"
> LAN_IP_RANGE="192.168.1.0/24"
> LAN_BCAST_ADRESS="192.168.1.255"
> LAN_IFACE="eth0"
>
> DMZ_PWWEB_IP="192.168.0.2"
> DMZ_PWSQL_IP="192.168.0.3"
> DMZ_PWODBC_IP="192.168.0.4"
> DMZ_IP="192.168.0.1"
> DMZ_IFACE="eth1"
>
> $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
> --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT
These rules are pretty generous (well, except for nodes on your
$LAN_IFACE...which aren't allowed to use the Internet at all?...is that a
typo?). You're allowing the firewall to forward packets unfiltered from the
DMZ to anywhere? Why even have a DMZ?
If you want to be a little more secure you could do something like this
instead:
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $LAN_IFACE -m state --state NEW -j ACCEPT
and then create rules only for NEW connections you want to allow in on
either $INET_IFACE or $DMZ_IFACE. For example:
$iptables -A FORWARD -m state --state NEW -i $INET_IFACE -p tcp -d $DMZ_PWWEB_IP --dport 80 -j ACCEPT
> #
> # PWWEB
> #
> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PWWEB_IP \
> --dport 80 -j allowed
> $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PWWEB_IP \
> -j icmp_packets
> #
> # PWODBC
> #
> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PWODBC_IP \
> --dport 80 -j allowed
> $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PWODBC_IP \
> -j icmp_packets
> #
> # PWWEB
> #
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $PWWEB_IP --dport 80 \
> -j DNAT --to-destination $DMZ_PWWEB_IP
I think this is your problem. I could look at the man pages to figure out if
that syntax is also correct, but I'm too lazy ;-) ... it's usually done like
this:
$iptables -t nat -A PREROUTING -i $INET_IFACE -p tcp -d $PWWEB_IP --dport 80 -j DNAT --to $DMZ_PWWEB_IP
Good luck!
Matt
* Re: Apache virtualhost not working behind firewall.
From: Joel Newkirk @ 2002-12-20 5:33 UTC (permalink / raw)
To: Chip Upsal, netfilter
On Thursday 19 December 2002 08:39 pm, Chip Upsal wrote:
> I have a windows 2000 server running apache 2.0.43 with virtual hosts
> behind an iptables firewall doing NAT.
> I am running iptables v1.2.5 on a redhat 7.3 server.
> # PWWEB
> #
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $PWWEB_IP --dport 80 \
> -j DNAT --to-destination $DMZ_PWWEB_IP
>
> $IPTABLES -t nat -A PREROUTING -p ICMP -i $INET_IFACE -d $PWWEB_IP \
> -j DNAT --to-destination $DMZ_PWWEB_IP
> The problem....
> When the server is connected directly to the internet all works well.
> However, when it is behind the firewall the virtual hosts are not
> working (you can only access the default web site).
>
> Furthermore, I am getting the following errors when starting iptables:
>
> [root@iptables init.d]# ./iptables restart
> Flushing all current rules and user defined chains: [ OK ]
> Clearing all current rules and user defined chains: [ OK ]
> Applying iptables firewall rules: [ OK ]
> iptables v1.2.5: Unknown arg `--to-destination'
> Try `iptables -h' or 'iptables --help' for more information.
My money is on a failure to load the nat module. Try "insmod iptable_nat"
from a root console, then restart. If that's it, just put it somewhere
at the top of your script.
j
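As an added example that is not code from any of the three posts, here is Matt's stateful FORWARD layout together with Joel's module load, filled in with the interfaces and addresses from Chip's post. It assumes a default-deny FORWARD policy and, by default, dry-run IPTABLES/MODPROBE variables that echo the commands instead of running them (point them at the real binaries to apply the rules).

```shell
#!/bin/sh
# Added example, not code from the thread: Matt's stateful FORWARD layout
# plus Joel's nat-module load, using the addresses from Chip's post.
# Dry-run by default: IPTABLES and MODPROBE echo the commands so the script
# can be checked without root. Set IPTABLES=/sbin/iptables and
# MODPROBE=/sbin/modprobe to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

INET_IFACE="eth2"; LAN_IFACE="eth0"
PWWEB_IP="216.184.9.30";  DMZ_PWWEB_IP="192.168.0.2"
PWODBC_IP="216.184.9.29"; DMZ_PWODBC_IP="192.168.0.4"

# Publish one DMZ web server: the DNAT rule in the order Matt shows (his
# shorter "--to" is accepted as an abbreviation of --to-destination), plus
# the single FORWARD rule for NEW connections that the stateful layout needs.
# DNAT rewrites only the destination IP; the HTTP Host header is untouched,
# so name-based vhosts still see the original name, while IP-based vhosts
# on the DMZ box must be bound to its private address, not the public one.
publish_http() {  # $1 = public IP, $2 = DMZ IP
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -p tcp -d "$1" --dport 80 \
        -j DNAT --to-destination "$2"
    $IPTABLES -A FORWARD -m state --state NEW -i "$INET_IFACE" -p tcp \
        -d "$2" --dport 80 -j ACCEPT
}

build_rules() {
    # Joel's suggestion: load the nat module before any "-t nat" rule is added.
    $MODPROBE iptable_nat
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F PREROUTING
    # Assumption: default-deny in FORWARD, so only the rules below pass traffic.
    $IPTABLES -P FORWARD DROP
    # Matt's two generic rules: replies to any accepted connection, and any
    # new connection originating on the LAN.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -m state --state NEW -j ACCEPT
    # Every other NEW connection (from the Internet or from the DMZ) must be
    # listed explicitly; these are the two web servers from the original post.
    publish_http "$PWWEB_IP"  "$DMZ_PWWEB_IP"
    publish_http "$PWODBC_IP" "$DMZ_PWODBC_IP"
}

build_rules
```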