From: Jeff Largent
Subject: Re: iptables & network setup design
Date: Tue, 09 Apr 2002 10:58:53 -0400
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <3CB301AD.7060602@imagelinks.com>
References:
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
List-Id:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: Ryan Hamel
Cc: Linux-Admin

I haven't tried it quite like this, so it may not work.

On the firewall box, /etc/hosts:

192.168.1.2 www1.domain.com
192.168.1.3 www2.domain.com

In your DNS setup for your domain:

firewall.domain.com IN A real.ip.address
www1.domain.com     IN A ip.of.firewall
www2.domain.com     IN A ip.of.firewall

Then do your port forwarding:

iptables -t nat -A PREROUTING -p tcp -d www1.domain.com --dport 80 -i eth0 -j DNAT --to 192.168.1.2:80
iptables -t nat -A PREROUTING -p tcp -d www2.domain.com --dport 80 -i eth0 -j DNAT --to 192.168.1.3:80

Like I said, I don't know if this will work.

What I have done in the past is set up multiple addresses on the external interface of the firewall box and then forward to the different internal addresses based on the external IP they connect to. But this requires a valid IP for each internal host (one-to-one NAT). I don't know what the limit for eth aliases is for Linux, so that may be a limiting factor. You can do at least 5 for sure.

Jeff

Ryan Hamel wrote:
> I have another question. I have been reading up about port forwarding
> (using kernel 2.4.x) and am wondering. If I had a web server within a
> protected network (with a 192.168.0.x IP) then the MASQ server would have to
> have the DNS-related IP of the web server to get the HTTP request correct?
> Meaning that I can only service one web server on the protected network
> (using port 80)? And the same for FTP?
>
> My dilemma is this:
> If I have 5 machines on my protected network (192.168.0.x) that need to use
> (for instance) FTP, is it possible to allow the MASQ server to be able to
> handle some kind of request for each individual machine? Or should I just
> throw the machines outside the protected network? Or should I set up some
> kind of (internal) server that could handle the FTP with network shares to
> the other machines? Do any of these options sound feasible?
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>

--
Jeff Largent
ImageLinks, Inc.
Sr System Admin
Melbourne, Fl 32935
(321) 253-0011  fax: (321) 253-5559
perl -e 'print unpack(u, "3=W=W+FEM86=E;&EN:W,N8V]M\"@``");'
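The thread hinges on one property of iptables that neither message states outright: a hostname given to `-d` is resolved once, when the rule is appended, and the rule stores only the resulting address. Since both `www1` and `www2` resolve to the firewall's address, the two PREROUTING rules above end up with identical match conditions and the first one always wins; the hostname the browser typed travels only in the HTTP Host header, which the nat table never sees. The model below is an added example, not code from either message in the thread or from iptables itself. It simulates first-match traversal of a DNAT chain with insertion-time name resolution, checks a chain for rules that can never match, and contrasts the hostname-based chain with the one-address-per-host scheme Jeff describes. The resolver table and all addresses (203.0.113.0/24, the documentation range) are constructed for the example.

```python
"""Model of iptables nat/PREROUTING first-match semantics for DNAT rules.

Added example, not the thread's or iptables' own code. Two behaviours of
iptables are reproduced: a hostname passed to -d is resolved ONCE at rule
insertion and stored as an address, and chain traversal stops at the first
matching rule. Every address and the resolver table are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for what the zone in the mail would answer at the
# moment each rule is appended: both www names point at the firewall.
RESOLVER: Dict[str, str] = {
    "firewall.domain.com": "203.0.113.10",
    "www1.domain.com": "203.0.113.10",
    "www2.domain.com": "203.0.113.10",
}


@dataclass(frozen=True)
class DnatRule:
    dst: str        # destination address stored in the rule (never a name)
    dport: int
    target: str     # "ip:port" given to --to


@dataclass(frozen=True)
class Packet:
    dst: str        # destination address in the IP header
    dport: int


def append_rule(chain: List[DnatRule], dst_spec: str, dport: int, target: str,
                resolver: Dict[str, str] = RESOLVER) -> None:
    """Model of `iptables -t nat -A PREROUTING -p tcp -d DST --dport DPORT -j DNAT --to TARGET`.

    A literal address is kept; a hostname is looked up here, once, exactly as
    iptables does, so the kernel rule only ever contains an address.
    """
    try:
        addr = str(ipaddress.ip_address(dst_spec))
    except ValueError:
        addr = resolver[dst_spec]
    chain.append(DnatRule(addr, dport, target))


def lookup(chain: List[DnatRule], pkt: Packet) -> Optional[str]:
    """First-match traversal: return the DNAT target, or None if no rule matches."""
    for rule in chain:
        if pkt.dst == rule.dst and pkt.dport == rule.dport:
            return rule.target
    return None


def shadowed_rules(chain: List[DnatRule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule has the
    same match condition. A non-empty result is a configuration defect."""
    seen = set()
    shadowed = []
    for i, rule in enumerate(chain):
        key = (rule.dst, rule.dport)
        if key in seen:
            shadowed.append(i)
        seen.add(key)
    return shadowed


def hostname_based_chain() -> List[DnatRule]:
    """The two rules proposed in the mail, with names resolved at insertion."""
    chain: List[DnatRule] = []
    append_rule(chain, "www1.domain.com", 80, "192.168.1.2:80")
    append_rule(chain, "www2.domain.com", 80, "192.168.1.3:80")
    return chain


def one_to_one_chain() -> List[DnatRule]:
    """The scheme the mail says worked: a distinct external address per host
    (constructed aliases 203.0.113.11 and .12 on the firewall's eth0)."""
    chain: List[DnatRule] = []
    append_rule(chain, "203.0.113.11", 80, "192.168.1.2:80")
    append_rule(chain, "203.0.113.12", 80, "192.168.1.3:80")
    return chain


if __name__ == "__main__":
    # A browser asking for www2 still sends its SYN to the firewall's address;
    # the name is not in the packet, so the first rule claims it.
    by_name = hostname_based_chain()
    print(lookup(by_name, Packet("203.0.113.10", 80)))   # 192.168.1.2:80
    print(shadowed_rules(by_name))                        # [1]
    by_ip = one_to_one_chain()
    print(lookup(by_ip, Packet("203.0.113.12", 80)))     # 192.168.1.3:80
    print(shadowed_rules(by_ip))                          # []
```

Running `shadowed_rules` over a planned chain is a cheap pre-deployment check for exactly this kind of silent misrouting; the same "stored address, first match" logic also explains why a DNS change after the rules are loaded leaves the firewall forwarding to the old addresses until the rules are re-added.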