From: Jeff Largent <jlargent@imagelinks.com>
To: Ryan Hamel <Ryan_Hamel@student.uml.edu>
Cc: Linux-Admin <linux-admin@vger.kernel.org>
Subject: Re: iptables & network setup design
Date: Tue, 09 Apr 2002 10:58:53 -0400 [thread overview]
Message-ID: <3CB301AD.7060602@imagelinks.com> (raw)
In-Reply-To: NFBBJKIDOLLEKMBMCLFMMEFLCCAA.Ryan_Hamel@student.uml.edu
I haven't tried it quite like this, so it may not work.
On the firewall box /etc/hosts
192.168.1.2 www1.domain.com
192.168.1.3 www2.domain.com
in your dns setup for your domain.
firewall.domain.com IN A real.ip.address
www1.domain.com IN A ip.of.firewall
www2.domain.com IN A ip.of.firewall
then do your port forwarding
iptables -t nat -A PREROUTING -p tcp -d www1.domain.com --dport 80 -i eth0 -j DNAT --to 192.168.1.2:80
iptables -t nat -A PREROUTING -p tcp -d www2.domain.com --dport 80 -i eth0 -j DNAT --to 192.168.1.3:80
Like I said, I don't know if this will work.
What I have done in the past is set up multiple addresses on the external
interface of the firewall box and then forward to the different internal
addresses based on the external IP they connect to. But this requires a
valid IP for each internal host (one-to-one NAT). I don't know what the
limit for eth aliases is for Linux, so that may be a limiting factor.
You can do at least 5 for sure.
Jeff
Ryan Hamel wrote:
> I have another question. I have been reading up about port forwarding
> (using kernel 2.4.x) and am wondering. If I had a web server within a
> protected network (with a 192.168.0.x ip) then the MASQ server would have to
> have the DNS related ip of the web server to get the http request correct?
> Meaning that I can only service one Web server on the protected network
> (using port 80)? And the same for ftp? My dilemma is this:
> If I have 5 machines on my protected network (192.168.0.x) that need to use
> (for instance) ftp, is it possible to allow the MASQ Server to be able to
> handle some kind of request for each individual machine? Or should I just
> throw the machines outside the protected network? Or should I set up some
> kind of (internal) server that could handle the ftp with network shares to
> the other machines? Do any of these options sound feasible?
--
Jeff Largent ImageLinks, Inc.
Sr System Admin Melbourne, Fl 32935
(321) 253-0011 fax:(321) 253-5559
perl -e 'print unpack(u, "3=W=W+FEM86=E;&EN:W,N8V]M\"@``");'
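As an added example (not from the thread), the one-to-one NAT design Jeff describes, written as a generator that prints the rules for review instead of applying them: each internal web host gets its own aliased public address on the external interface, and only port 80 to that host is DNATed and forwarded. Interface name, the 203.0.113.x public addresses and the 192.168.1.x hosts are constructed placeholders; the SNAT and FORWARD rules are added here so replies leave with the matching public address and nothing else reaches the internal host.

```shell
#!/bin/sh
# Prints (does not apply) iptables rules for one-to-one NAT on a Linux
# firewall. Review the output, then pipe it to sh as root if it looks right.
EXT_IF=eth0   # assumed external interface name

# "public_ip internal_ip" pairs; 203.0.113.0/24 is RFC 5737 documentation space
NAT_MAP="203.0.113.11 192.168.1.2
203.0.113.12 192.168.1.3"

# Emit the four commands for one public -> internal pair.
#   $1 = public address, $2 = internal address, $3 = alias index
nat_rules() {
    pub=$1; priv=$2; n=$3
    # 1. alias the public address onto the external interface
    echo "ip addr add ${pub}/32 dev ${EXT_IF} label ${EXT_IF}:${n}"
    # 2. inbound: public:80 -> internal:80, matched on the external interface only
    echo "iptables -t nat -A PREROUTING -i ${EXT_IF} -p tcp -d ${pub} --dport 80 -j DNAT --to-destination ${priv}:80"
    # 3. outbound: traffic from the host leaves with its own public address
    echo "iptables -t nat -A POSTROUTING -o ${EXT_IF} -s ${priv} -j SNAT --to-source ${pub}"
    # 4. forward only the DNATed web traffic (destination is already rewritten here)
    echo "iptables -A FORWARD -i ${EXT_IF} -p tcp -d ${priv} --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Walk the map and emit rules for every pair.
gen_all() {
    n=0
    echo "$NAT_MAP" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        nat_rules "$pub" "$priv" "$n"
        n=$((n + 1))
    done
}

gen_all
```

The FORWARD chain is assumed to default to DROP; replies pass because conntrack tracks the DNATed connection.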