From: Grant Taylor <gtaylor@riverviewtech.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] PAT HOW to - IPTABLES
Date: Tue, 11 Dec 2007 15:31:26 +0000	[thread overview]
Message-ID: <475EAD4E.3000500@riverviewtech.net> (raw)
In-Reply-To: <7ed6b0aa0712100220n57ea0e54x628d539621cb6b35@mail.gmail.com>

On 12/10/07 04:20, Indunil Jayasooriya wrote:
> @ DMZ ZONE I have 3 web servers. But I have only one real ip on my 
> firewall. Now, I want to forward port 80 to these 3 web servers.
> 
> How can I do it?

Like someone else suggested, run a reverse proxy on one system.  You 
could either run it on the firewall or a fourth system in the DMZ so 
that you are not running it on the firewall.  Use this reverse proxy to 
intelligently redirect queries that come in to it to the correct back 
end server.

In short, you are forwarding HTTP traffic to an application layer 
gateway that is intelligent enough to pick the proper back end system to 
handle the requests.  For SMTP, you would use something like Sendmail 
with Mailertable.

With regards to others' comments about the single IP and not being able 
to communicate with the internal servers, you can use private IP 
addresses in your DMZ without a problem so long as they are all hidden 
from the world by your NATing router such that everyone would think that 
all your services are coming off of your one single external IP.  You 
will need to pay attention to SMTP Hello names as well.

Also be aware that you are having a lot depend on connection tracking on 
the NATing router, thus have a finite number of resources that are being 
shared by multiple systems.  If it is still in place you may want to 
consider running stateless NAT (iproute2) for your traffic coming in to 
said systems so that that traffic will not exceed conntrack.



Grant. . . .
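The name-based dispatch Grant describes, written out as an added example (not part of the original thread, and not tied to any particular proxy the poster used): the firewall DNATs TCP/80 from its single public address to one proxy host in the DMZ, and the proxy selects the back end from the HTTP Host header. The hostnames and the 10.0.1.0/24 addresses are constructed placeholders.

```nginx
# Added example: reverse proxy on a DMZ host (assume 10.0.1.10), reached
# via a firewall rule such as
#   iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.1.10
# All three back ends keep private addresses and are never exposed directly.
map $host $backend {
    hostnames;                         # match server names case-insensitively
    default           "";              # anything else: no back end
    www.example.com   10.0.1.11:80;    # constructed placeholder addresses
    mail.example.com  10.0.1.12:80;
    wiki.example.com  10.0.1.13:80;
}

server {
    listen 80 default_server;
    server_name _;

    # Unknown or missing Host (e.g. HTTP/1.0 clients, IP-address scans):
    # close the connection instead of handing the request to an arbitrary
    # back end.
    if ($backend = "") {
        return 444;
    }

    location / {
        proxy_pass         http://$backend;
        # Preserve the original Host so virtual hosting on the back end works,
        # and pass the real client address, which the back end otherwise
        # only sees as the proxy's address.
        proxy_set_header   Host            $host;
        proxy_set_header   X-Real-IP       $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because every connection terminates at the proxy, the back ends only need to trust the proxy's address, and the firewall's conntrack table holds one entry per client connection rather than one per back-end server.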
