* [LARTC] PAT HOW to - IPTABLES
From: Indunil Jayasooriya @ 2007-12-10 10:32 UTC
  To: lartc


[-- Attachment #1.1: Type: text/plain, Size: 383 bytes --]

Hi,

I have a box running with iptables and iproute2. It has 3 ethernet cards:
one for the internet, another for LAN and yet another for DMZ.

@ DMZ ZONE I have 3 web servers. But I have only one real ip on my firewall.
Now, I want to forward port 80 to these 3 web servers.

How can I do it?

I searched a lot on google, but still no luck.


-- 
Thank you
Indunil Jayasooriya

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] PAT HOW to - IPTABLES
From: Alexandre J. Correa - Onda Internet @ 2007-12-10 10:33 UTC
  To: lartc

you can use squid as a reverse proxy ..

see cache_peer !!

squid can load balance between 3 servers and cache it !!

run squid on your box with the real ip..

here you can see examples (pt-br):
http://under-linux.org/7964-squid-atuando-como-proxy-reverso.html


Indunil Jayasooriya wrote:
> Hi,
>
> I have a box running with iptables and iproute2. It has 3 ethernet 
> cards: one for the internet, another for LAN and yet another for DMZ.
>
> @ DMZ ZONE I have 3 web servers. But I have only one real ip on my 
> firewall. Now, I want to forward port 80 to these 3 web servers.
>
> How can I do it?
>
> I searched a lot from google. But, still no luck.
>
>
> -- 
> Thank you
> Indunil Jayasooriya


-- 
Sds.

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br


* Re: [LARTC] PAT HOW to - IPTABLES
From: Indunil Jayasooriya @ 2007-12-10 10:51 UTC
  To: lartc



> see cache_peer !!
>
> squid can load balance between 3 servers and cache it !!
>
> run squid on your box with real ip..

Thanks for your quick answer. I know about reverse proxy. I wanted to know
whether iptables itself can handle this situation without squid.


Suppose I have 3 mail servers @ DMZ zone with one real ip, the situation
as before?

In that case, what can I do?


Hope to hear from you.


-- 
Thank you
Indunil Jayasooriya


* Re: [LARTC] PAT HOW to - IPTABLES
From: Alex Samad @ 2007-12-10 21:29 UTC
  To: lartc



On Mon, Dec 10, 2007 at 04:09:52PM +0530, Indunil Jayasooriya wrote:
> >
> >
> >
> > see cache_peer !!
> >
> > squid can load balance between 3 servers and cache it !!
> >
> > run squid on your box with real ip..
> >
> > Thanks for your quick answer. I know about reverse proxy. I wanted to know
> > whether iptables itself can handle this situation without squid.
> 
> 
> Suppose I have 3 mail servers @ DMZ zone with one real ip, the situation
> as before?
> 
> in that case, What can I do?
you could use exim/postfix and route the mail to the right server, but I guess 
you are trying to find out how to have port 25 on the real ip nat'ed to one of 
the 3 dmz'ed ips based upon the destination mail address.

Short answer: you can't, as far as I know; iptables only looks at src ip / src 
port & dest ip / dest port.  You could write your own plugin module to look into 
the tcp stream.




* Re: [LARTC] PAT HOW to - IPTABLES
From: Radek 'Goblin' Pieczonka @ 2007-12-10 23:19 UTC
  To: lartc


>> Suppose I have 3 mail servers @ DMZ zone with one real ip, the situation
>> as before?
>>
>> In that case, what can I do?
>>
> you could use exim/postfix and route the mail to the right server, but I guess 
> you are trying to find out how to have port 25 on the real ip nat'ed to one of 
> the 3 dmz'ed ips based upon the destination mail address.
>
> Short answer: you can't, as far as I know; iptables only looks at src ip / src 
> port & dest ip / dest port.  You could write your own plugin module to look into 
> the tcp stream.
>   

Routing based upon destination email address/domain could be done by postfix 
and transports for selected mail/domain to selected server. But there is 
also a possibility of load balancing and failover for a set of domains 
with all servers working with all the domains, for HA and flexibility of 
computing power; then I'd say take a look at keepalived for both those 
features. For http traffic it's actually the same, and you can also 
consider apache's reverse proxy feature.

-- 
Radek aka Goblin

* Re: [LARTC] PAT HOW to - IPTABLES
From: Alex Samad @ 2007-12-11  8:16 UTC
  To: lartc



On Tue, Dec 11, 2007 at 12:19:22AM +0100, Radek 'Goblin' Pieczonka wrote:
>
>>> Suppose I have 3 mail servers @ DMZ zone with one real ip, the situation
>>> as before?
>>>
>>> In that case, what can I do?
>>>
>> you could use exim/postfix and route the mail to the right server, but I 
>> guess you are trying to find out how to have port 25 on the real ip nat'ed 
>> to one of the 3 dmz'ed ips based upon the destination mail address.
>>
>> Short answer: you can't, as far as I know; iptables only looks at src ip / 
>> src port & dest ip / dest port.  You could write your own plugin module to 
>> look into the tcp stream.
>>   
>
> based upon destination email address/domain could be done by postfix and 
> transports for selected mail/domain to selected server. but there is also a 
> possibility of load balancing and failover for set of domains with all 
> servers working with all the domains for HA and flexibility of computing 
> power, then id say take a look at keepalived for both those features. for 
> http traffic its actually the same, and also you can consider apache 
> reverse proxy feature.
He only has 1 real ip.

[silly idea]
Of course, you could be really tricky and use an ipv6 to ipv4 address and name all 
the dmz servers with ipv6 (in dns as well), really relying upon clients to be 
ipv6 enabled.
[/silly idea]


* Re: [LARTC] PAT HOW to - IPTABLES
From: Grant Taylor @ 2007-12-11 15:31 UTC
  To: lartc

On 12/10/07 04:20, Indunil Jayasooriya wrote:
> @ DMZ ZONE I have 3 web servers. But I have only one real ip on my 
> firewall. Now, I want to forward port 80 to these 3 web servers.
> 
> How can I do it?

Like someone else suggested, run a reverse proxy on one system.  You 
could either run it on the firewall or on a fourth system in the DMZ so 
that you are not running it on the firewall.  Use this reverse proxy to 
intelligently redirect queries that come in to it to the correct back 
end server.

In short, you are forwarding HTTP traffic to an application layer 
gateway that is intelligent enough to pick the proper back end system to 
handle the requests.  For SMTP, you would use something like Sendmail 
with Mailertable.

With regard to others' comments about the single IP and not being able 
to communicate with the internal servers, you can use private IP 
addresses in your DMZ without a problem so long as they are all hidden 
from the world by your NATing router, such that everyone would think that 
all your services are coming off of your one single external IP.  You 
will need to pay attention to SMTP Hello names as well.

Also be aware that you are having a lot depend on connection tracking on 
the NATing router, and thus have a finite number of resources that are being 
shared by multiple systems.  If it is still in place, you may want to 
consider running stateless nat (IPRoute2) for your traffic coming in to 
said systems so that that traffic will not exceed conntrack.



Grant. . . .
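The point Alex Samad and Grant Taylor make above (a NAT rule sees only addresses and ports, so choosing one of three DMZ servers has to happen in an application layer gateway) reduced to the routing decision itself, as an added example that is not code from the thread, from squid, Sendmail or Postfix. The virtual host names, mail domains and 10.0.0.x back-end addresses are constructed for the example:

```python
"""Added example: the back-end selection an application layer gateway makes.

A packet filter such as iptables decides on addresses and ports only; the two
functions below read the application payload, which is what a reverse proxy
(HTTP Host header) or an MTA (SMTP recipient domain) does before choosing a
DMZ server.  All host names, domains and back-end addresses are constructed.
"""
import re

# Constructed tables: virtual host / recipient domain -> DMZ back end.
HTTP_BACKENDS = {
    "www.example.test": ("10.0.0.11", 80),
    "shop.example.test": ("10.0.0.12", 80),
    "wiki.example.test": ("10.0.0.13", 80),
}
SMTP_TRANSPORTS = {
    "example.test": ("10.0.0.21", 25),
    "partner.test": ("10.0.0.22", 25),
}


def pick_http_backend(request, table=HTTP_BACKENDS):
    """Return (ip, port) for the back end named by the Host header, else None.

    Only the request head (up to the first blank line) is inspected; that is
    all a reverse proxy needs before opening the upstream connection.  A
    missing Host (HTTP/1.0), a non-HTTP payload or an unknown name returns
    None so the caller answers with an error instead of picking a default.
    """
    head = request.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:
        return None  # not "METHOD target HTTP/x.y"
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            host = host.split(":", 1)[0]  # drop an explicit :port suffix
            return table.get(host)
    return None


# "RCPT TO:<user@domain>"; angle brackets optional, SMTP verbs case-insensitive.
_RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<?([^<>\s]+)>?", re.IGNORECASE)


def pick_smtp_backend(rcpt_line, table=SMTP_TRANSPORTS):
    """Return (ip, port) for the recipient domain of an SMTP RCPT command, else None.

    This is the decision Sendmail's mailertable or a Postfix transport map
    makes.  An unknown domain returns None so the gateway rejects it rather
    than relaying for any domain it is handed.
    """
    m = _RCPT_RE.match(rcpt_line.strip())
    if not m or "@" not in m.group(1):
        return None
    domain = m.group(1).rsplit("@", 1)[1].lower()
    return table.get(domain)


if __name__ == "__main__":
    # Constructed sample traffic: same client, same public ip:80, different Host.
    for req in (b"GET / HTTP/1.1\r\nHost: shop.example.test\r\n\r\n",
                b"GET / HTTP/1.1\r\nHost: www.example.test:80\r\n\r\n",
                b"GET / HTTP/1.0\r\n\r\n"):
        print(req.split(b"\r\n")[0], "->", pick_http_backend(req))
    for cmd in ("RCPT TO:<bob@Example.test>", "rcpt to: alice@partner.test",
                "RCPT TO:<eve@unrelated.test>"):
        print(cmd, "->", pick_smtp_backend(cmd))
```

Both functions return None for an unknown or missing name so the gateway answers with an error instead of forwarding to some default back end; for SMTP that refusal is the relay control an MTA enforces, and for HTTP it keeps a stray Host from reaching a server it was not meant for. Every request in the sample arrives on the same public ip and port, which is why a DNAT rule could not tell them apart.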
