* iptables & network setup design
@ 2002-04-09 14:39 Ryan Hamel
From: Ryan Hamel @ 2002-04-09 14:39 UTC (permalink / raw)
To: Linux-Admin
I have another question. I have been reading up about port forwarding
(using kernel 2.4.x) and am wondering. If I had a web server within a
protected network (with a 192.168.0.x ip) then the MASQ server would have to
have the DNS related ip of the web server to get the http request correct?
Meaning that I can only service one Web server on the protected network
(using port 80)? And the same for ftp? My dilemma is this:
If I have 5 machines on my protected network (192.168.0.x) that need to use
(for instance) ftp, is it possible to allow the MASQ Server to be able to
handle some kind of request for each individual machine? Or should I just
throw the machines outside the protected network? Or should I set up some
kind of (internal) server that could handle the ftp with network shares to
the other machines? Do any of these options sound feasible?
* Re: iptables & network setup design
From: Jeff Largent @ 2002-04-09 14:58 UTC (permalink / raw)
To: Ryan Hamel; +Cc: Linux-Admin
I haven't tried it quite like this, so it may not work.
On the firewall box /etc/hosts
192.168.1.2 www1.domain.com
192.168.1.3 www2.domain.com
in your dns setup for your domain.
firewall.domain.com IN A real.ip.address
www1.domain.com IN A ip.of.firewall
www2.domain.com IN A ip.of.firewall
then do your port forwarding
iptables -t nat -A PREROUTING -p tcp -d www1.domain.com --dport 80 -i eth0 -j DNAT --to 192.168.1.2:80
iptables -t nat -A PREROUTING -p tcp -d www2.domain.com --dport 80 -i eth0 -j DNAT --to 192.168.1.3:80
Like I said don't know if this will work.
What I have done in the past is set up multiple address on the external
interface of the firewall box and then forward to the different internal
address based on the external ip they connect to. But this requires a
valid ip for each internal host( one to one NAT ). I don't know what the
limit for eth alias is for linux, so that may be a limiting factor.
You can do at least 5 for sure.
Jeff
--
Jeff Largent ImageLinks, Inc.
Sr System Admin Melbourne, Fl 32935
(321) 253-0011 fax:(321) 253-5559
perl -e 'print unpack(u, "3=W=W+FEM86=E;&EN:W,N8V]M\"@``");'
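The one-to-one scheme Jeff describes in his last paragraph (one external alias address per internal host, forwarding chosen by the external address the client connected to), together with the outbound masquerading path Ryan's five FTP clients would use, written out as an added example in POSIX sh. This is not code from the thread. The addresses (203.0.113.11 and .12 outside, 192.168.0.11 and .12 inside), the interface names eth0/eth1, and the DRY_RUN and MAPPINGS variables are assumptions. The rules are keyed on the alias IP addresses rather than on hostnames because iptables resolves a name given to -d once, when the rule is inserted, and two names that both resolve to the firewall would produce two identical rules.

```shell
#!/bin/sh
# Added example, not code from the thread. Inbound one-to-one NAT for two
# internal web servers (one external alias address per server) plus outbound
# masquerading for the protected LAN, on a Linux 2.4-era iptables firewall.
# Every address, interface name and the DRY_RUN/MAPPINGS variables below are
# assumptions chosen for illustration.
#
#   sh fw.sh show    # print the commands (DRY_RUN=1)
#   sh fw.sh apply   # run them as root

EXT_IF="${EXT_IF:-eth0}"            # interface carrying the public addresses
INT_IF="${INT_IF:-eth1}"            # interface on the 192.168.0.x side
LAN="${LAN:-192.168.0.0/24}"
# external-alias:internal-host pairs (constructed sample mapping)
MAPPINGS="${MAPPINGS:-203.0.113.11:192.168.0.11 203.0.113.12:192.168.0.12}"

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One external address -> one internal host for a single TCP port.
# The PREROUTING match keys on the external IP. iptables resolves a
# hostname in -d once, when the rule is inserted, so two names that both
# resolve to the firewall's address would yield two identical rules.
forward_port() {
    ext="$1"; int="$2"; port="$3"
    run ip addr add "$ext/32" dev "$EXT_IF"
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$ext" --dport "$port" \
        -j DNAT --to-destination "$int:$port"
    # DNAT only rewrites the destination; the FORWARD chain (policy DROP
    # below) still has to admit the rewritten packet, so open exactly that
    # host and port rather than the whole LAN.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$int" --dport "$port" \
        -m state --state NEW -j ACCEPT
    # Connections the internal host opens itself leave with its alias as
    # source, keeping the mapping one-to-one in both directions.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$int" -j SNAT --to-source "$ext"
}

# Outbound path for the LAN clients (the FTP case in the original question).
masquerade_lan() {
    # Helpers so that FTP data connections are tracked and, for active mode,
    # the address inside the PORT command is rewritten. These are the 2.4
    # module names; 2.6+ kernels call them nf_conntrack_ftp and nf_nat_ftp.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
}

build_firewall() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F FORWARD
    run iptables -t nat -F
    run iptables -P FORWARD DROP
    # Replies and helper-related connections (FTP data) in either direction.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for pair in $MAPPINGS; do
        forward_port "${pair%%:*}" "${pair#*:}" 80
    done
    # Appended after the SNAT rules so the web servers keep their alias source.
    masquerade_lan
}

case "${1:-}" in
    show)  DRY_RUN=1; build_firewall ;;
    apply) DRY_RUN=0; build_firewall ;;
esac
```

`sh fw.sh show` prints the rule set for review before `apply` runs it as root. The FORWARD policy is DROP and each DNAT target is admitted individually, so an alias address added later without a matching forward_port call exposes nothing behind the firewall.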
* Re: iptables & network setup design
From: Raúl Gutiérrez Segalés @ 2002-04-15 15:37 UTC (permalink / raw)
To: Jeff Largent; +Cc: Ryan Hamel, Linux-Admin
How about using the program redir?