From nobody Sat Jan  8 01:35:36 2005
Subject: Re: Iptables and portforwarding to an internal webserver.
From: Chris Fuhrman <chris.fuhrman@tfcci.com>
To: ken@alpha2.com
Cc: colug@colg.net
In-Reply-To: <007801c44e37$9aab4560$690aa8c0@alpha2.com>
References: <007801c44e37$9aab4560$690aa8c0@alpha2.com>
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="=-Y0tIdt9uAP4fuupgii03"
Organization: Twenty-First Century Communications
Message-Id: <1086957934.2592.55.camel@icestorm.tfcc.com>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.5 (1.4.5-7) 
Date: Fri, 11 Jun 2004 08:45:35 -0400



Howdy,

I ran into this problem when I was running a webserver behind an
OpenBSD-based firewall.  A solution I came across in the OpenBSD FAQ was
the following:

1) Set up an entry in /etc/inetd.conf like this:

   127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w 20 192.168.1.10 80

   This sets up a listener on localhost port 5000 that will
   automatically redirect to 192.168.1.10's web server.  Note that
   nc (netcat) doesn't seem to be included with Fedora.  There are RPMs
   available via http://rpm.pbone.net

   If you're using xinetd, create the appropriate file in /etc/xinetd.d/

2) Set up an iptables entry to redirect all traffic bound from your
   internal ip address space to your OUTSIDE web server's IP address
   and have it redirect to your firewall's internal port 5000.

   Unfortunately, I'm not up on my iptable-ese so I'm not certain of the
   exact syntax.  Perhaps something like this:

   $IPT -t nat -A PREROUTING -p TCP -i ${INTERNAL_INTERFACE} -d ${NET} --dport 80 \
     -j REDIRECT --to-ports 5000
   # REDIRECT hands the connection to the address of the interface it arrived on,
   # so the port-5000 listener must be bound to that address (or 0.0.0.0), not only 127.0.0.1.

Restart inetd/xinetd and iptables and give it a whirl.

Cheers!

On Wed, 2004-06-09 at 11:36, Ken Bradford wrote:
> I've run into a snag forwarding ports 80 & 443 to an internal webserver for
> a client. I _thought_ everything was fine. I could access their webserver
> from my office just fine, but it turns out they can't access it internally
> by going to the public address. We're using Firestarter 0.8.2 (it's a RH7.2
> box). The pertinent code is:
>
> $IPT -A FORWARD -p TCP -d 192.168.20.5 --dport 80 -j ACCEPT
> $IPT -A PREROUTING -t nat -p TCP -d $NET --dport 80 -j DNAT --to 192.168.20.5:80
> $IPT -A FORWARD -p TCP -d 192.168.20.5 --dport 443 -j ACCEPT
> $IPT -A PREROUTING -t nat -p TCP -d $NET --dport 443 -j DNAT --to 192.168.20.5:443
>
> I tried changing this to:
>
> $IPT -A FORWARD -p TCP -d 192.168.20.5 --dport 80 -j ACCEPT
> $IPT -A PREROUTING -t nat -p TCP -d $NET --dport 80 -j DNAT --to 192.168.20.5:80
> $IPT -A PREROUTING -t nat -p TCP -d $INNET --dport 80 -j DNAT --to 192.168.20.5:80
> $IPT -A FORWARD -p TCP -d 192.168.20.5 --dport 443 -j ACCEPT
> $IPT -A PREROUTING -t nat -p TCP -d $NET --dport 443 -j DNAT --to 192.168.20.5:443
> $IPT -A PREROUTING -t nat -p TCP -d $INNET --dport 443 -j DNAT --to 192.168.20.5:443
>
> But this did not help. It does not seem to be a local DNS issue.
>
> $IPT = iptables
> $NET = external interface/netmask
> $INNET = internal interface/netmask
>
> Anything obvious, or not so obvious, that I'm missing? Any suggestions?
>
> Ken Bradford
> Alpha II Service, Inc.
>
>
> _______________________________________________
> colug mailing list
> colug@colug.net
> http://www.colug.net/mailman/listinfo/colug
-- 
Chris Fuhrman           | Twenty First Century Communications
chris.fuhrman@tfcci.com | Senior Software Engineer
(W) 614-442-1215 x271   |
(F) 614-442-5662        | PGP/GPG Public Key Available on Request
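The two ways of letting inside clients reach the forwarded web server on its public address, written out as an added shell example that is not part of the thread or of the OpenBSD FAQ: the netcat relay from the reply above (REDIRECT into an xinetd listener), and, going beyond what the thread states, the hairpin-NAT variant that Ken's extra DNAT rules were missing (a matching SNAT so the server's replies return through the firewall). Interface names eth0/eth1, the inside subnet 192.168.20.0/24, the firewall's inside address 192.168.20.1 and the public address 203.0.113.10 are assumptions chosen for this example; 192.168.20.5 and port 5000 come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenBSD FAQ: generates the
# iptables rules for two ways of letting inside clients reach a DNAT'd web
# server on its public address. Interface names, the inside subnet, the
# firewall's inside address and the public address are assumptions
# (203.0.113.10 is a documentation-range address chosen here).
IPT=${IPT:-iptables}
EXT_IF=eth0                # outside interface (assumed)
INT_IF=eth1                # inside interface (assumed)
EXT_IP=203.0.113.10        # firewall's public address (constructed)
INT_NET=192.168.20.0/24    # inside network (assumed from Ken's 192.168.20.x)
FW_INT_IP=192.168.20.1     # firewall's address on the inside network (assumed)
WEB_IP=192.168.20.5        # internal web server, as in Ken's rules
RELAY_PORT=5000            # port of the inetd/xinetd netcat relay, as in the reply

# With DRY_RUN set, print each rule instead of executing it, so the ruleset
# can be reviewed (or tested) without root and without touching a live firewall.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Outside clients: Ken's DNAT + FORWARD accept, but pinned to the external
# interface so these rules no longer catch connections coming from the inside.
outside_rules() {
    for port in 80 443; do
        run -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport "$port" \
            -j DNAT --to-destination "$WEB_IP:$port"
        run -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_IP" --dport "$port" -j ACCEPT
    done
}

# Approach 1, the reply's netcat relay: inside traffic for the public address is
# REDIRECTed to the relay port. REDIRECT rewrites the destination to the address
# of the interface the packet came in on, so the relay must listen on FW_INT_IP
# (or 0.0.0.0); a listener bound only to 127.0.0.1 would never see it.
relay_rules() {
    run -t nat -A PREROUTING -i "$INT_IF" -p tcp -d "$EXT_IP" --dport 80 \
        -j REDIRECT --to-ports "$RELAY_PORT"
    run -A INPUT -i "$INT_IF" -p tcp -d "$FW_INT_IP" --dport "$RELAY_PORT" -j ACCEPT
}

# xinetd equivalent of the inetd.conf line in the reply, bound to the inside
# address for the reason given above; write it to /etc/xinetd.d/web-relay.
relay_xinetd_conf() {
    cat <<EOF
service web-relay
{
    type        = UNLISTED
    socket_type = stream
    protocol    = tcp
    port        = $RELAY_PORT
    bind        = $FW_INT_IP
    wait        = no
    user        = nobody
    server      = /usr/bin/nc
    server_args = -w 20 $WEB_IP 80
}
EOF
}

# Approach 2, hairpin NAT (goes beyond the thread): DNAT as Ken tried, plus an
# SNAT on the way out so the server's replies come back through the firewall.
# Without the SNAT the server answers the client directly from 192.168.20.5
# while the client expects an answer from the public address, so the client's
# TCP stack discards the reply. That is why the extra DNAT rules alone did not help.
hairpin_rules() {
    for port in 80 443; do
        run -t nat -A PREROUTING -i "$INT_IF" -p tcp -s "$INT_NET" -d "$EXT_IP" \
            --dport "$port" -j DNAT --to-destination "$WEB_IP:$port"
        run -t nat -A POSTROUTING -o "$INT_IF" -p tcp -s "$INT_NET" -d "$WEB_IP" \
            --dport "$port" -j SNAT --to-source "$FW_INT_IP"
        run -A FORWARD -i "$INT_IF" -o "$INT_IF" -p tcp -d "$WEB_IP" --dport "$port" -j ACCEPT
    done
}

# Usage: DRY_RUN=1 sh relay.sh relay|hairpin  (review), then as root without DRY_RUN.
main() {
    outside_rules
    case "$1" in
        relay)   relay_rules; relay_xinetd_conf ;;
        hairpin) hairpin_rules ;;
        *) echo "usage: $0 relay|hairpin" >&2; return 2 ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it once with DRY_RUN=1 and read the output before applying: the order matters, because the inside-originated REDIRECT or DNAT rule and the outside DNAT rule both live in the nat PREROUTING chain, and an unrestricted `-d $NET` DNAT rule placed first would keep swallowing inside traffic exactly as in Ken's original ruleset.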

