From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: "stand-alone" web server
Date: Tue, 11 Jul 2006 16:19:02 -0500 [thread overview]
Message-ID: <44B415C6.8040703@riverviewtech.net> (raw)
In-Reply-To: <c39d9d00714b2.714b2c39d9d00@southeast.rr.com>
KSCOTT9@triad.rr.com wrote:
> I am trying to set up a "stand-alone" internet lab environment where my
> web server will be on the internet side of a router serving up a
> training website. The clients will only be able to access those web
> pages, not the "Real" internet. It would best if users were routed to
> that web page regardless of whatever internet address they entered
> (except for server management screens). I'm thinking the following:
You may run in to a problem with your web server serving pages like you are wanting it to. See below.
> I'm think maybe appropriate entry(s) in iptables will do this but I am
> not quite sure how to proceed. I think I need something like:
>
> iptables -A PREROUTING -p tcp -dport 80 -j REDIRECT --to-ports 80
> # web server
> iptables -A PREROUTING -p tcp -dport 8081 -j REDIRECT --to-ports 8081
> # mgmt server
> The two server need to be configured to answer on those ports
You may need to SNAT as well. I have done this before, but it has been a while and I don't recall if I had to SNAT at all. Basically the reason you would need to SNAT would be because the client computers sent a request to some server on the internet. Your firewall redirected them by altering the target IP of the packet to be your local web server. So your local web server will respond directly to your clients. Your clients will not know who or why this person is offering them information that they did not ask for. If you SNAT your local web server will send the traffic back to your firewall (even if it's the same system) which will un-DNAT the traffic back to your clients. Your clients will now think that they got a reply from the server that they asked for data from.
You will also need to configure your web server's default site and page to be the page that you want people to see when they access what ever it is they access. I.e. www.cnn.com and www.msn.com will really bring back your local default site and pages. I would also recommend that you force your server to return a 200 series code even on the 404 page. You will get a 404 when you ask for http://www.cnn.com/<bla>/<bla>/<bla>.<ext> because your server does not have that page to serve. The 200 ""error code will help most browsers render what you want them to verses a 404 error page. I would also recommend that you set the page expire time to be 1 second, or there abouts. This will prevent client systems from caching your redirect page with a URL that it should not do so with.
By the way, this is really much easier than it sounds.
Grant. . . .
next prev parent reply other threads:[~2006-07-11 21:19 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-11 20:30 "stand-alone" web server KSCOTT9
2006-07-11 21:19 ` Taylor, Grant [this message]
2006-07-12 14:33 ` Martijn Lievaart
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44B415C6.8040703@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.