* Confused about NAT and forwarding
@ 2005-02-22 22:24 Kirk
From: Kirk @ 2005-02-22 22:24 UTC (permalink / raw)
To: netfilter
Hello,
I'm a bit confused about how NAT and forwarding work. Here's the situation:
I have a proxy server and a web server behind a firewall/gateway. The
proxy and the web server now have private addresses but they used to
have public addresses. Since I can't make changes to the DNS server, I
added those two old addresses to the firewall's eth0 interface and
then I added the following rules to iptables:
*filter
#http requests
-A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.3 --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.3 --dport 443 -j ACCEPT
#Ezproxy
-A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.2 --dport 2048 -j ACCEPT
COMMIT
*nat
#forwarding and NAT
-A POSTROUTING -o eth0 -j SNAT --to FIREWALL_IP
#web server
-I PREROUTING -i eth0 -p tcp -d OLD_WEB_IP --dport 80 -j DNAT --to 192.168.0.3:80
-I PREROUTING -i eth0 -p tcp -d OLD_WEB_IP --dport 443 -j DNAT --to 192.168.0.3:443
#Ezproxy
-I PREROUTING -i eth0 -p tcp -d PROXY_IP --dport 2048 -j DNAT --to 192.168.0.2:2048
COMMIT
The proxy server authenticates users by connecting to a database
that's not behind the firewall. I looked at the log files of the
database server and I noticed that the firewall's IP address is the
one that's showing up instead of the address of the proxy server.
I just read the NAT howto from netfilter.org and I guess this line is
responsible for that behavior:
-A POSTROUTING -o eth0 -j SNAT --to FIREWALL_IP
Is it possible to make requests for PROXY_IP go out with the PROXY_IP
address instead of the FIREWALL_IP?
If so, how can I do that? Or where do I find info about what I want to do?
Thanks.
* Re: Confused about NAT and forwarding
@ 2005-02-22 23:48 Kirk
From: Kirk @ 2005-02-22 23:48 UTC (permalink / raw)
To: netfilter
Thanks for such quick replies!
>>PRIV_PROXY_IP=192.168.0.2
>>PUB_PROXY_IP=a.b.c.d
>>IPT=iptables
>>
>>$IPT -t nat -I POSTROUTING -s $PRIV_PROXY_IP -o eth0 -j SNAT --to $PUB_PROXY_IP
I just tried this solution but now the proxy can't access the DNS
servers. I think I know what the problem is.
I'll try both suggestions tomorrow morning. Right now I have a bunch
of angry people calling my office because they can't connect to the
proxy server :)
Later.
* Re: Confused about NAT and forwarding
@ 2005-02-23 21:24 Kirk
From: Kirk @ 2005-02-23 21:24 UTC (permalink / raw)
To: netfilter
> PRIV_PROXY_IP=192.168.0.2
> PUB_PROXY_IP=a.b.c.d
> IPT=iptables
>
> $IPT -t nat -I POSTROUTING -s $PRIV_PROXY_IP -o eth0 -j SNAT --to $PUB_PROXY_IP
>
I just want to let you guys know that this solution worked.
Thanks again.
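Why the catch-all SNAT in the first message hides the proxy behind FIREWALL_IP, and why the suggested rule has to be inserted with -I rather than appended with -A, comes down to how the nat table is walked: rules are tried in chain order, the first match wins, and only the first packet of a connection consults the table (conntrack then reuses that mapping for the rest of the flow and reverses it for the replies). The following model of that traversal is an added example written for this page; it is not code from the thread or from netfilter. The public addresses FIREWALL_IP and a.b.c.d are constructed placeholders from the RFC 5737 documentation range, the private addresses are the ones Kirk posted, and the chains are built from the thread's rules.

```python
"""Model of netfilter nat/POSTROUTING traversal (added example, not from
the thread).  First match wins; "-A" appends to the tail of the chain and
"-I" (default position 1) inserts at the head.  The first packet of a
connection picks the mapping; conntrack applies it to the remaining
packets and un-NATs the replies, so existing flows keep their mapping."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholders for the thread's FIREWALL_IP and a.b.c.d
# (RFC 5737 documentation range); the private addresses are from the thread.
FIREWALL_IP = "198.51.100.1"
PUB_PROXY_IP = "198.51.100.2"
PRIV_PROXY_IP = "192.168.0.2"
PRIV_WEB_IP = "192.168.0.3"


@dataclass
class Packet:
    src: str
    out_if: str  # interface chosen by the routing decision (-o match)


@dataclass
class SnatRule:
    """One `-j SNAT --to-source <to>` rule with optional -s and -o matches."""
    to: str
    src: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.src is None or self.src == pkt.src) and \
               (self.out_if is None or self.out_if == pkt.out_if)

    def render(self) -> str:
        # iptables-restore syntax, as in the rules file posted in the thread
        parts = ["-A POSTROUTING"]
        if self.src:
            parts.append(f"-s {self.src}")
        if self.out_if:
            parts.append(f"-o {self.out_if}")
        parts.append(f"-j SNAT --to-source {self.to}")
        return " ".join(parts)


class Postrouting:
    """The nat-table POSTROUTING chain: an ordered list of SNAT rules."""

    def __init__(self) -> None:
        self.rules: List[SnatRule] = []

    def append(self, rule: SnatRule) -> None:       # iptables -t nat -A POSTROUTING ...
        self.rules.append(rule)

    def insert(self, rule: SnatRule, pos: int = 1) -> None:  # iptables -t nat -I POSTROUTING ...
        self.rules.insert(pos - 1, rule)

    def apply(self, pkt: Packet) -> str:
        """Source address the packet leaves with: first matching rule's
        --to-source, or the original source if no rule matches."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.to
        return pkt.src

    def as_restore(self) -> str:
        return "\n".join(["*nat"] + [r.render() for r in self.rules] + ["COMMIT"])


def original_chain() -> Postrouting:
    """Only the catch-all from the first message: everything out eth0 is FIREWALL_IP."""
    chain = Postrouting()
    chain.append(SnatRule(to=FIREWALL_IP, out_if="eth0"))
    return chain


def fixed_chain() -> Postrouting:
    """The suggested fix: proxy-specific SNAT inserted ahead of the catch-all."""
    chain = original_chain()
    chain.insert(SnatRule(to=PUB_PROXY_IP, src=PRIV_PROXY_IP, out_if="eth0"))
    return chain


def appended_by_mistake() -> Postrouting:
    """Same rule added with -A instead of -I: it lands after the catch-all
    and is never reached for packets leaving eth0."""
    chain = original_chain()
    chain.append(SnatRule(to=PUB_PROXY_IP, src=PRIV_PROXY_IP, out_if="eth0"))
    return chain


def source_seen_by_peer(chain: Postrouting, src: str, out_if: str = "eth0") -> str:
    """Address a remote host (e.g. the database server) logs for a new
    connection from `src` routed out `out_if`."""
    return chain.apply(Packet(src=src, out_if=out_if))


if __name__ == "__main__":
    for name, chain in (("original", original_chain()),
                        ("fixed (-I)", fixed_chain()),
                        ("appended (-A)", appended_by_mistake())):
        print(f"{name:14s} proxy -> {source_seen_by_peer(chain, PRIV_PROXY_IP)}, "
              f"web -> {source_seen_by_peer(chain, PRIV_WEB_IP)}")
    print(fixed_chain().as_restore())
```

The model also shows the part of the setup the thread relies on without spelling out: the specific rule changes only the proxy's outbound source, so the web server still leaves as FIREWALL_IP, traffic to the inside interface (eth1) is untouched, and because a.b.c.d is configured on the firewall's eth0 the replies addressed to it come back to the firewall for conntrack to map to 192.168.0.2. Connections that were already open when the rule was inserted keep the FIREWALL_IP mapping until they close.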