• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 437
  • Last Modified:

Port Forwarding on linux gateway box

I have a linux gateway box configured to dial up to the internet through a modem. That interface is ppp0 and I have a static IP address that I get from my ISP.

I also have eth0 configured as 192.168.1.1 and that connects to my LAN. I have some simple ipchains and masq. rules setup so I can use this interface as a gateway to share the internet.

I have a web server on the gateway that I would like to move to another linux box (because the web site is getting to be too big on HD space). How can I forward requests from the gateway (for the web server) to a another machine on my LAN (192.168.1.100) which I want to do the website hosting from now on?

I've tried using the command test command. The way I test it is first I go to http://192.168.1.1 and get my normal web site. Then I try to forward requests for that IP on port 80 to my new box. When I know that works I will change my 192.168.1.1 IP address to my static one from my ISP:

ipmasqadm portfw -a -P tcp -L 192.168.1.1 80 -R 192.168.1.100 80

This seems to do some kind of forwarding because I try to reload the http://192.168.1.1 page in my web broswer and it just hangs and times out. So I am thinking there is a problem on the gateway server not relaying the information back from the web server back to the client PC.

Has anyone got this to work?
Thanks.
0
magnakuz
Asked:
magnakuz
  • 8
  • 3
  • 3
  • +1
1 Solution
 
magnakuzAuthor Commented:
Okay, I am refining my question now.
Because the ipmasqadm command DOES work. If I try this with my actual Static IP address from my ISP, and I connect to the internet outside of my gateway server, I will be redirected to the new server.

The question is now how do I allow requests for inside my network to be redirected there as well?

Thanks!
0
 
joolsCommented:
Do you have a caching DNS server running?

0
 
magnakuzAuthor Commented:
No. DNS is taken care of my ISP. Which eventually I will want to change.

0
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

 
joolsCommented:
Just for clarification, is the web server still on the main PC or has this been moved yet?

This could be a number of things;

Check to make sure your forwarding is forwarding the right information, I'm not familar with ipmasqadm but you might want to make sure that all packets are being forwarded

Check your routing table information, what happens if the default route is set to the internal and what happens if it's set to the ppp interface.

I don't think it'll be your DNS config but you might want to try renaming /etc/resolv.conf to see what happens there as well.

Give those a try
0
 
magnakuzAuthor Commented:
Well I know for sure that th ipmasqadm is working right. Because as I said before, anyone who looks up the internet site from the outside (another computer not connected to the gateway. i.e. dials up to internet and looks up web page) will connect to the main gateway and it will route port 80 to the internal web server on 192.168.1.100. The gateway that I have setup 192.168.1.1 also has a web server running on it. But that is the one I want to bypass and go to the web server on 192.168.1.100. Which is working just fine... However I believe that something is wrong with my ipchains configuration because when the gateway is port forwarding 80, I can no longer connect to my website internally by typing in my domain name.

So I guess what I have to do is trap all outgoing port 80 traffic from within the network that is going to my domain name and have that redirected to the new 192.168.1.100 server instead of the 192.168.1.1 server? Or at least allow the packets to get through somehow. Outside users have no problem. Just inside...

Kinda weird. I know it has to do with IPChains... The question is why and how do i fix it..

Also, I checked my resolv.conf file and it basically has 3 lines:

domain crunchybars.com
nameserver 169.207.1.3
nameserver 204.29.202.6

0
 
pheurCommented:
Of course it doesn't work. because the packets go that way:
client -> GW[changed DST IP] -> web server   and
web server -> client [with source IP web server ,but expected ppp0 of the gateway]

Try on the web server  (quick and very dirty thing):

route del -net 192.168.1.0 netmask 255.255.255.0
route add -host 192.168.1.1 eth0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
echo "0" >/proc/sys/net/ipv4/conf/eth0/accept_redirects
echo >/proc/sys/net/ipv4/route/flush

this looks horrible and linux is one of the few OSes that accepts static routing abuse like this.

To do it correctly use policy routing on the web server: all packets to local network and source port 80 go via 192.168.1.1 instead of going directly on eth.

-----
Radu-Adrian Feurdean
Brainbench Linux MVP
www.brainbench.com
0
 
magnakuzAuthor Commented:
What is the "gw" in the line:
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

is that supposed to be my Gateways IP address?

Also what is the "correct" way to do this?

Thanks

0
 
joolsCommented:
pheur, please post as comments first. Routing had been suggested and was waiting for a response.

magnakuz,
If you're using your *domain name* won't it try to be resolved by the dns servers. If it can't get to them or find the name it'll appear to hang until it times out.

What happens if you rename /etc/resolv.conf and try again?

0
 
pheurCommented:
The "gw" in that line are just the letters "g" and "w" without spaces between them. The line is copy-paste-able.

These lines are in addition to the ipmasqadm rules.

A better but more complicated way to do it would be:

ipchains -I output -s 0/0 80 -d 192.168.1.0/24 -p tcp --mark 50 -j ACCEPT
ip ru add fwmark 50 tab 50
ip ro add 192.168.1.1 table 50 dev eth0
ip ro add 192.168.1.0/24 table 50 nexthop via 192.168.1.1

You will need a kernel compiled with advanced routing options (you use policy-based routing and fwmark vaule as routing key). You also add the ip utility (it comes with the most distributions).

-----
Radu-ADrian Feurdean
Brainbench Linux MVP
www.brainbench.com

0
 
magnakuzAuthor Commented:
pheur:
 I've tried the lines:
route del -net 192.168.1.0 netmask 255.255.255.0
route add -host 192.168.1.1 eth0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
echo "0" >/proc/sys/net/ipv4/conf/eth0/accept_redirects
echo >/proc/sys/net/ipv4/route/flush


and it seems to work. You mentioned that a better way would be to "To do it correctly use policy routing on the web server: all packets to local network and source port
80 go via 192.168.1.1 instead of going directly on eth." How do I do this?

Thanks..
0
 
magnakuzAuthor Commented:
I have noticed an important little detail while playing around with this system. It seems that I have a SQUID proxy web server also running on the machine. And when I have a proxy enabled through my web browser it keeps pointing back to the old web server when I type in my domain name instead of being forwarded to the new web server. I've tried deleting the entire cache for the squid proxy server and reinitalizing the directories with a "squid -z". But my computers still get the old server when using a proxy server. Any clues?
0
 
wolfjjjCommented:
*ping*
0
 
magnakuzAuthor Commented:
*ping*
0
 
pheurCommented:
Normally you wouldn't use a proxy server for local servers. The "no proxy for domains" option in browsers do that. Alternatively, use a proxy config url (mime-type application/x-ns-proxy-autoconfig) containing a file such as:

function FindProxyForURL(url, host) {
    if (url.substring(0,17) == "http://localhost/")
        return "DIRECT";
    if (isInNet(host, "192.168.1.0", "255.255.255.0"))
        return "DIRECT";
    if (isInNet(host, "xx.yy.zz.tt", "255.255.255.255"))
        return "DIRECT";
    if (url.substring(0,8) == "https://" ||
        url.substring(0,7) == "http://" ||
     url.substring(0,6) == "ftp://")
        return "PROXY 192.168.1.100:8080; DIRECT";
}

Replace xx.yy.zz.tt with your external IP or feel free to enhance it. It's JavaScript.

----
Radu-Adrian Feurdean
BrainBench Linux MVP
 www.brainbench.com
0
 
magnakuzAuthor Commented:
Good info thanks...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 8
  • 3
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now