On Fri, 2002-01-18 at 23:51, Mike Burger wrote:
> I'm sorry...feeble mind syndrome set in.
> 
> Try http://www.bubbanfriends.org/~mburger/fwscript.txt
> 
> Damn.
> 

Better.

Did you say you already tried a version of this with the internal
interface? It would look like:

#
# HTTP to the server (requests from the Internet arriving on eth0)
#
$IPTABLES -t nat -A PREROUTING -i eth0 -d 216.140.122.113 -p tcp --dport 80 -j DNAT --to 192.168.0.1
$IPTABLES -A FORWARD -p tcp --dport 80 -m state --state NEW -d 192.168.0.1 -j ACCEPT
#

I am thinking it would look like:

#
# HTTP to the server from the internal network (requests arriving on eth1)
#
$IPTABLES -t nat -A PREROUTING -i eth1 -d 216.140.122.113 -p tcp --dport 80 -j DNAT --to 192.168.0.1

I am thinking that the forwarding line in the original rule would take
care of the forwarding thing.


The reference I was referring to was in the NAT HOWTO:
http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-5.html


Since the DNAT rule is PREROUTING, I honestly do not know what happens
when a machine gets a packet directed to it on an interface for another
machine on the same subnet.  Isn't there some sort of redirection
thing that occurs?  Something like "hey buddy, you don't need to send me
these packets, they are on the same subnet we are all on."  Then the src
machine says "huh?  I was sending this to 216....  not 192....  Why are
you telling me all this?"  There might be some ARP or routing magic that needs
to be done here.

I wish I had a test lab setup for this I would like to try it.

One of the reasons I wanted to see this work is that I am about to
build a new firewall for our office and am working on the network
architecture.  I am seriously considering putting all publicly
available services on a machine(s) in a DMZ setup like:


internet  ------- firewall ----- DMZ net (192.168.3.0/24)
                     |
                     |
                     |
                 internal net
                 192.168.0.0/24

This type of setup will at least get me around the very issues you are
having (I think).

Bret



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
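The "ARP or routing magic" Bret wonders about above is the well-known hairpin NAT problem: with a DNAT rule alone, the web server sees the internal client's real 192.168.0.x source address and answers it directly over the shared subnet, so the client receives a SYN-ACK from 192.168.0.1 for a connection it opened to 216.140.122.113 and discards it. The standard fix is to SNAT the hairpinned connection to the firewall's own internal address as well, so the reply comes back through the firewall and conntrack reverses the DNAT. The script below is an added example, not the original poster's script or the one at the fwscript.txt URL; it reuses the thread's addresses and interfaces (eth0 external, eth1 internal, 216.140.122.113 public, 192.168.0.1 server) and assumes 192.168.0.254 as the firewall's address on the internal net. By default it only prints the rules (DRY_RUN=1); set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Hairpin NAT for the setup in the thread: public 216.140.122.113 on eth0,
# web server 192.168.0.1 behind eth1.  Added example, not the poster's script.
# FW_INT_IP (the firewall's address on the internal subnet) is an assumption.
set -e

IPTABLES=${IPTABLES:-/sbin/iptables}
EXT_IF=eth0
INT_IF=eth1
PUBLIC_IP=216.140.122.113
SERVER_IP=192.168.0.1
INT_NET=192.168.0.0/24
FW_INT_IP=192.168.0.254   # assumed: firewall's address on the internal net

# Print each rule (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# External clients: destination rewrite only, as in the original rules.
external_http_rules() {
    run -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER_IP"
    run -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$SERVER_IP" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
}

# Internal clients hitting the public address.  DNAT alone is not enough:
# the server would answer the client's real 192.168.0.x source directly over
# the shared subnet, and the client would drop a reply from 192.168.0.1 for a
# connection it opened to 216.140.122.113.  SNAT to the firewall forces the
# reply back through the firewall, where conntrack undoes the DNAT.  Cost: the
# server logs the firewall, not the client, as the peer address.
internal_http_rules() {
    run -t nat -A PREROUTING -i "$INT_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER_IP"
    run -t nat -A POSTROUTING -o "$INT_IF" -s "$INT_NET" -d "$SERVER_IP" -p tcp --dport 80 \
        -j SNAT --to-source "$FW_INT_IP"
    # The hairpinned connection enters and leaves on the internal interface.
    run -A FORWARD -i "$INT_IF" -o "$INT_IF" -d "$SERVER_IP" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
}

# Return traffic for both directions.
established_rules() {
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The complete rule set rendered as text, for review before applying.
generated_rules() {
    ( DRY_RUN=1
      external_http_rules
      internal_http_rules
      established_rules )
}

# Number of source-rewriting rules (the hairpin fix) in the generated set.
hairpin_snat_count() {
    generated_rules | grep -c -- '-j SNAT'
}

# Number of rules that rewrite the public address to the server.
dnat_rule_count() {
    generated_rules | grep -c -- "-d $PUBLIC_IP .* -j DNAT"
}

# Run directly: print the rules, or apply them with DRY_RUN=0 as root.
if [ "${DRY_RUN:-1}" = 1 ]; then
    generated_rules
else
    external_http_rules
    internal_http_rules
    established_rules
fi
```

Note that the DMZ design Bret sketches avoids the problem for a different reason: a server on 192.168.3.0/24 is never on the same subnet as the internal clients, so its replies always route back through the firewall and the POSTROUTING SNAT rule is unnecessary. Only the FORWARD rule needs adjusting there (internal interface in, DMZ interface out).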
