* multiple webservers behind iptables
@ 2005-02-09 18:24 Raul I. Becette
  2005-02-09 22:45 ` Jason Opperisano
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Raul I. Becette @ 2005-02-09 18:24 UTC (permalink / raw)
  To: netfilter

Hello list

This is my first post.
I am in charge of a LAN connected to internet through a firewall box 
PIII 500MHz with iptables 1.2.10.

There are different internal webservers that I don't administer and are 
located physically in different parts of the building.
There is an internal DNS server which I administer to resolve internal 
www queries.

My problem is that from the outside I cannot access those webservers 
when I type www.xxx.unp.edu.ar (xxx being the name of the server).
My net schema is the following


                                     INTERNET
Mail Relay            Main Web Server             Router


-------------------------Firewall--------------------------------


POP Server         Proxy         Webserver1      Webserver2
                                         LAN

My question is how can I use iptables rules to be able to access those 
servers from the outside.

Any info you need just ask

Thank you for your time

-- 


-----------------------------------------------------------------
Raul I. Becette
E-mail: raulbecette@unp.edu.ar
REPAC, Red Patagonica de  Comunicaciones
Univ. Nac. de la Patagonia San Juan Bosco
Ciudad Universitaria - Km.4.
9000 - Comodoro Rivadavia - Chubut
Tel/Fax : (0297) - 4550073
------------------------------------------------------------------




* Re: multiple webservers behind iptables
  2005-02-09 18:24 multiple webservers behind iptables Raul I. Becette
@ 2005-02-09 22:45 ` Jason Opperisano
  2005-02-10 14:15 ` Raphael Jacquot
  2005-02-14 12:00 ` multiple webservers behind iptables (SOLVED) Raul I. Becette
  2 siblings, 0 replies; 5+ messages in thread
From: Jason Opperisano @ 2005-02-09 22:45 UTC (permalink / raw)
  To: netfilter

On Wed, 2005-02-09 at 13:24, Raul I. Becette wrote:
> Hello list
> 
> This is my first post.
> I am in charge of a LAN connected to internet through a firewall box 
> PIII 500MHz with iptables 1.2.10.
> 
> There are different internal webservers that I don't administer and are 
> located physically in different parts of the building.
> There is an internal DNS server which I administer to resolve internal 
> www queries.
> 
> My problem is that from the outside I cannot access those webservers 
> when I type www.xxx.unp.edu.ar (xxx being the name of the server).
> My net schema is the following

um--not to be silly, but does www.xxx.unp.edu.ar resolve to an IP
address externally?

>                                      INTERNET
> Mail Relay            Main Web Server             Router
> 
> 
> -------------------------Firewall--------------------------------
> 
> 
> POP Server         Proxy         Webserver1      Webserver2
>                                          LAN
> 
> My question is how can I use iptables rules to be able to access those 
> servers from the outside.

depends on whether you need to use NAT to make the servers accessible
from the Internet (i will assume you do not).  for each webserver IP,
add a rule like:

  iptables -A FORWARD -i $EXT_IF -p tcp --syn -d $WEB_SRV_IP \
    --dport 80 -j ACCEPT

this assumes that somewhere above this rule you have:

  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

-j

--
"Me fail English? That's unpossible."
	--The Simpsons




* RE: multiple webservers behind iptables
@ 2005-02-09 23:10 Hudson Delbert J Contr 61 CS/SCBN
  0 siblings, 0 replies; 5+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2005-02-09 23:10 UTC (permalink / raw)
  To: netfilter

raul,

edu.ar doesn't resolve so none of the rest of the fqdn will either.

the domain doesn't even resolve...whois from internic.net reports
that the edu.ar subdomain doesn't exist or is lame.

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for domain "EDU.AR".

>>> Last update of whois database: Wed, 9 Feb 2005 07:51:57 EST <<<


* Re: multiple webservers behind iptables
  2005-02-09 18:24 multiple webservers behind iptables Raul I. Becette
  2005-02-09 22:45 ` Jason Opperisano
@ 2005-02-10 14:15 ` Raphael Jacquot
  2005-02-14 12:00 ` multiple webservers behind iptables (SOLVED) Raul I. Becette
  2 siblings, 0 replies; 5+ messages in thread
From: Raphael Jacquot @ 2005-02-10 14:15 UTC (permalink / raw)
  To: Raul I. Becette; +Cc: netfilter

Raul I. Becette wrote:
> Hello list
> 
> This is my first post.
> I am in charge of a LAN connected to internet through a firewall box 
> PIII 500MHz with iptables 1.2.10.
> 
> There are different internal webservers that I don't administer and are 
> located physically in different parts of the building.
> There is an internal DNS server which I administer to resolve internal 
> www queries.
> 
> My problem is that from the outside I cannot access those webservers 
> when I type www.xxx.unp.edu.ar (xxx being the name of the server).
> My net schema is the following
> 
> 
>                                     INTERNET
> Mail Relay            Main Web Server             Router
> 
> 
> -------------------------Firewall--------------------------------
> 
> 
> POP Server         Proxy         Webserver1      Webserver2
>                                         LAN

depending on if your multiple web servers have a public IP or not, you 
may have to set up a proxy to redirect the requests to the right box

> My question is how can I use iptables rules to be able to access those 
> servers from the outside.
> 
> Any info you need just ask
> 
> Thank you for your time
> 




* Re: multiple webservers behind iptables (SOLVED)
  2005-02-09 18:24 multiple webservers behind iptables Raul I. Becette
  2005-02-09 22:45 ` Jason Opperisano
  2005-02-10 14:15 ` Raphael Jacquot
@ 2005-02-14 12:00 ` Raul I. Becette
  2 siblings, 0 replies; 5+ messages in thread
From: Raul I. Becette @ 2005-02-14 12:00 UTC (permalink / raw)
  To: netfilter

Raul I. Becette wrote:

> Hello list
>
> This is my first post.
> I am in charge of a LAN connected to internet through a firewall box 
> PIII 500MHz with iptables 1.2.10.
>
> There are different internal webservers that I don't administer and 
> are located physically in different parts of the building.
> There is an internal DNS server which I administer to resolve internal 
> www queries.
>
> My problem is that from the outside I cannot access those webservers 
> when I type www.xxx.unp.edu.ar (xxx being the name of the server).
> My net schema is the following
>
>
>                                     INTERNET
> Mail Relay            Main Web Server             Router
>
>
> -------------------------Firewall--------------------------------
>
>
> POP Server         Proxy         Webserver1      Webserver2
>                                         LAN
>
> My question is how can I use iptables rules to be able to access those 
> servers from the outside.
>
> Any info you need just ask
>
> Thank you for your time
>
Hello list

I solved the problem installing squid on the firewall and configuring it 
as a reverse proxy as described in 
http://squid.visolve.com/squid/reverseproxy.htm

The only line I had to add to my firewall script is in the INPUT chain 
allowing incoming connections on port 80 on the public interface.

Also, every www.xxx.unp.edu.ar on my external DNS server points to my 
firewall public IP.

Thanks everyone for your help

-- 


-----------------------------------------------------------------
Raul I. Becette
E-mail: raulbecette@unp.edu.ar
REPAC, Red Patagonica de  Comunicaciones
Univ. Nac. de la Patagonia San Juan Bosco
Ciudad Universitaria - Km.4.
9000 - Comodoro Rivadavia - Chubut
Tel/Fax : (0297) - 4550073
------------------------------------------------------------------
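
An added example, not part of the thread or of any poster's firewall script: a shell check over `iptables-save` output for the reverse-proxy design described above, confirming that port 80 is accepted only in INPUT on the public interface and that no FORWARD rule from the earlier suggestion still exposes an internal web server directly. The interface name eth0, the function names and the sample dump (with a 192.0.2.10 documentation address) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits iptables-save output for the
# reverse-proxy layout: port 80 accepted only in INPUT, only on the public
# interface, with no FORWARD rule still opening port 80 to internal hosts.

# usage: audit_web_exposure EXT_IF < iptables-save-dump
audit_web_exposure() {
    awk -v ext="$1" '
        # Skip everything except ACCEPT rules matching destination port 80.
        $1 != "-A" || !/-j ACCEPT/ || !/--dport 80( |$)/ { next }
        {
            # Find the input interface the rule is bound to, if any.
            iface = ""
            for (i = 3; i < NF; i++) if ($i == "-i") iface = $(i + 1)
        }
        $2 == "INPUT" && iface == ext { print "OK input-on-public-if"; next }
        $2 == "INPUT"   { print "WARN input-not-bound-to-public-if: " $0; next }
        $2 == "FORWARD" { print "WARN direct-forward-to-web-server: " $0 }
    '
}

# Constructed sample dump: the proxy INPUT rule plus a leftover FORWARD rule.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Number of WARN findings in the constructed sample.
count_warnings() {
    printf '%s\n' "$SAMPLE_DUMP" | audit_web_exposure eth0 | grep -c '^WARN'
}

printf '%s\n' "$SAMPLE_DUMP" | audit_web_exposure eth0
```

On a live firewall the same function can read the real ruleset with `iptables-save | audit_web_exposure <public-interface>`.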


