Solved

Port Forwarding on linux gateway box

Posted on 2001-07-25
Last Modified: 2010-03-18
I have a linux gateway box configured to dial up to the internet through a modem. That interface is ppp0 and I have a static IP address that I get from my ISP.

I also have eth0 configured as 192.168.1.1 and that connects to my LAN. I have some simple ipchains and masq. rules setup so I can use this interface as a gateway to share the internet.

I have a web server on the gateway that I would like to move to another linux box (because the web site is getting to be too big on HD space). How can I forward requests from the gateway (for the web server) to another machine on my LAN (192.168.1.100) which I want to do the website hosting from now on?

I've tried using the test command below. The way I test it is first I go to http://192.168.1.1 and get my normal web site. Then I try to forward requests for that IP on port 80 to my new box. When I know that works I will change my 192.168.1.1 IP address to my static one from my ISP:

ipmasqadm portfw -a -P tcp -L 192.168.1.1 80 -R 192.168.1.100 80

This seems to do some kind of forwarding because I try to reload the http://192.168.1.1 page in my web browser and it just hangs and times out. So I am thinking there is a problem on the gateway server not relaying the information back from the web server back to the client PC.

Has anyone got this to work?
Thanks.
Question by:magnakuz

15 Comments
LVL 1

Author Comment

by:magnakuz
Okay, I am refining my question now.
Because the ipmasqadm command DOES work. If I try this with my actual Static IP address from my ISP, and I connect to the internet outside of my gateway server, I will be redirected to the new server.

The question is now how do I allow requests for inside my network to be redirected there as well?

Thanks!
LVL 19

Expert Comment

by:jools
Do you have a caching DNS server running?

LVL 1

Author Comment

by:magnakuz
No. DNS is taken care of by my ISP, which eventually I will want to change.

LVL 19

Expert Comment

by:jools
Just for clarification, is the web server still on the main PC or has this been moved yet?

This could be a number of things;

Check to make sure your forwarding is forwarding the right information. I'm not familiar with ipmasqadm, but you might want to make sure that all packets are being forwarded.

Check your routing table information, what happens if the default route is set to the internal and what happens if it's set to the ppp interface.

I don't think it'll be your DNS config but you might want to try renaming /etc/resolv.conf to see what happens there as well.

Give those a try
LVL 1

Author Comment

by:magnakuz
Well I know for sure that the ipmasqadm is working right. Because as I said before, anyone who looks up the internet site from the outside (another computer not connected to the gateway, i.e. dials up to the internet and looks up the web page) will connect to the main gateway and it will route port 80 to the internal web server on 192.168.1.100. The gateway that I have setup, 192.168.1.1, also has a web server running on it. But that is the one I want to bypass and go to the web server on 192.168.1.100. Which is working just fine... However I believe that something is wrong with my ipchains configuration because when the gateway is port forwarding 80, I can no longer connect to my website internally by typing in my domain name.

So I guess what I have to do is trap all outgoing port 80 traffic from within the network that is going to my domain name and have that redirected to the new 192.168.1.100 server instead of the 192.168.1.1 server? Or at least allow the packets to get through somehow. Outside users have no problem. Just inside...

Kinda weird. I know it has to do with IPChains... The question is why and how do i fix it..

Also, I checked my resolv.conf file and it basically has 3 lines:

domain crunchybars.com
nameserver 169.207.1.3
nameserver 204.29.202.6

LVL 2

Accepted Solution

by:pheur (earned 250 total points)
Of course it doesn't work, because the packets go this way:
client -> GW[changed DST IP] -> web server   and
web server -> client [with the source IP of the web server, but ppp0 of the gateway was expected]

Try on the web server  (quick and very dirty thing):

route del -net 192.168.1.0 netmask 255.255.255.0
route add -host 192.168.1.1 eth0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
echo "0" >/proc/sys/net/ipv4/conf/eth0/accept_redirects
echo >/proc/sys/net/ipv4/route/flush

This looks horrible, and Linux is one of the few OSes that accepts static routing abuse like this.

To do it correctly use policy routing on the web server: all packets to local network and source port 80 go via 192.168.1.1 instead of going directly on eth.

-----
Radu-Adrian Feurdean
Brainbench Linux MVP
www.brainbench.com
LVL 1

Author Comment

by:magnakuz
What is the "gw" in the line:
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

is that supposed to be my Gateways IP address?

Also what is the "correct" way to do this?

Thanks

LVL 19

Expert Comment

by:jools
pheur, please post as comments first. Routing had been suggested and was waiting for a response.

magnakuz,
If you're using your *domain name* won't it try to be resolved by the dns servers. If it can't get to them or find the name it'll appear to hang until it times out.

What happens if you rename /etc/resolv.conf and try again?

LVL 2

Expert Comment

by:pheur
The "gw" in that line is just the letters "g" and "w" without spaces between them. The line is copy-paste-able.

These lines are in addition to the ipmasqadm rules.

A better but more complicated way to do it would be:

ipchains -I output -s 0/0 80 -d 192.168.1.0/24 -p tcp --mark 50 -j ACCEPT
ip ru add fwmark 50 tab 50
ip ro add 192.168.1.1 table 50 dev eth0
ip ro add 192.168.1.0/24 table 50 nexthop via 192.168.1.1

You will need a kernel compiled with advanced routing options (you use policy-based routing and the fwmark value as the routing key). You also need the ip utility (it comes with most distributions).

-----
Radu-Adrian Feurdean
Brainbench Linux MVP
www.brainbench.com
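The failure pheur describes in the accepted solution (the web server's reply bypasses the gateway, so it reaches the client with the wrong source address) and the effect of the fix in the post above (port-80 replies to LAN hosts go back via 192.168.1.1, whether by the static-route hack or by the fwmark policy route) can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from pheur: it models the gateway's portfw rule and its connection table, and compares the web server's default route with a policy route. The client address 192.168.1.50 and its source port 40000 are constructed; the gateway and web server addresses are the thread's own.

```javascript
// Added example (not from the original thread): a small model of why a
// portfw/DNAT rule on the gateway breaks for clients on the same LAN, and why
// sending the web server's port-80 replies back through the gateway fixes it.
// 192.168.1.1 (gateway) and 192.168.1.100 (web server) are the thread's
// addresses; the client 192.168.1.50:40000 is constructed for the demo.

function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) | Number(o), 0) >>> 0;
}

// Same semantics as the PAC helper isInNet(): is host inside net/mask?
function inNet(host, net, mask) {
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

const LAN_NET = '192.168.1.0';
const LAN_MASK = '255.255.255.0';
const GW_LAN_IP = '192.168.1.1';
const WEB_IP = '192.168.1.100';

// The gateway: the portfw rule "192.168.1.1:80 -> 192.168.1.100:80" plus the
// connection table the masquerading code keeps so it can undo the rewrite
// on replies that pass back through it.
class Gateway {
  constructor() {
    this.portfw = new Map([[`${GW_LAN_IP}:80`, { ip: WEB_IP, port: 80 }]]);
    this.conns = new Map(); // "clientIP:clientPort" -> original destination
  }

  // Request direction: rewrite the destination (DNAT) and remember the flow.
  forward(pkt) {
    const target = this.portfw.get(`${pkt.dst}:${pkt.dport}`);
    if (!target) return pkt;
    this.conns.set(`${pkt.src}:${pkt.sport}`, { ip: pkt.dst, port: pkt.dport });
    return { ...pkt, dst: target.ip, dport: target.port };
  }

  // Reply direction: only a reply that actually traverses the gateway gets
  // its source rewritten back to the address the client connected to.
  reverse(pkt) {
    const orig = this.conns.get(`${pkt.dst}:${pkt.dport}`);
    if (!orig) return pkt;
    return { ...pkt, src: orig.ip, sport: orig.port };
  }
}

// Next-hop decision on the web server. The kernel's default route delivers
// LAN destinations directly on eth0; the fix sends replies from port 80 to
// LAN hosts via 192.168.1.1 (what both the route hack and the fwmark rule do).
function defaultRoute(pkt) {
  return inNet(pkt.dst, LAN_NET, LAN_MASK) ? 'direct' : 'gateway';
}

function policyRoute(pkt) {
  if (pkt.sport === 80 && inNet(pkt.dst, LAN_NET, LAN_MASK)) return 'gateway';
  return defaultRoute(pkt);
}

// One request/reply round trip from a LAN client to the forwarded port.
function simulate(routeFn) {
  const gw = new Gateway();
  const client = { ip: '192.168.1.50', port: 40000 }; // constructed
  const syn = { src: client.ip, sport: client.port, dst: GW_LAN_IP, dport: 80 };
  const atServer = gw.forward(syn); // arrives with dst 192.168.1.100
  let reply = { src: atServer.dst, sport: atServer.dport, dst: atServer.src, dport: atServer.sport };
  const nextHop = routeFn(reply);
  if (nextHop === 'gateway') reply = gw.reverse(reply);
  // The client's TCP stack matches the reply to its socket only if the source
  // is the address:port it connected to; otherwise the segment is dropped and
  // the browser hangs until it times out, which is the symptom in the question.
  const accepted = reply.src === syn.dst && reply.sport === syn.dport;
  return { nextHop, replySrc: reply.src, accepted };
}

console.log('default route:', simulate(defaultRoute));
console.log('via gateway  :', simulate(policyRoute));
```

With the default route the reply comes straight from 192.168.1.100 and is rejected; with the policy route it passes back through the gateway, is rewritten to 192.168.1.1:80, and is accepted. External clients never hit this because their replies must go via the gateway's default route anyway.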

LVL 1

Author Comment

by:magnakuz
pheur:
 I've tried the lines:
route del -net 192.168.1.0 netmask 255.255.255.0
route add -host 192.168.1.1 eth0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
echo "0" >/proc/sys/net/ipv4/conf/eth0/accept_redirects
echo >/proc/sys/net/ipv4/route/flush


and it seems to work. You mentioned that a better way would be to "To do it correctly use policy routing on the web server: all packets to local network and source port 80 go via 192.168.1.1 instead of going directly on eth." How do I do this?

Thanks..
LVL 1

Author Comment

by:magnakuz
I have noticed an important little detail while playing around with this system. It seems that I have a SQUID proxy web server also running on the machine. And when I have a proxy enabled through my web browser it keeps pointing back to the old web server when I type in my domain name instead of being forwarded to the new web server. I've tried deleting the entire cache for the squid proxy server and reinitializing the directories with a "squid -z". But my computers still get the old server when using a proxy server. Any clues?
LVL 1

Expert Comment

by:wolfjjj
*ping*
LVL 1

Author Comment

by:magnakuz
*ping*
LVL 2

Expert Comment

by:pheur
Normally you wouldn't use a proxy server for local servers. The "no proxy for domains" option in browsers does that. Alternatively, use a proxy config url (mime-type application/x-ns-proxy-autoconfig) containing a file such as:

function FindProxyForURL(url, host) {
    // The web server on this machine itself: never through the proxy
    if (url.substring(0,17) == "http://localhost/")
        return "DIRECT";
    // Anything on the LAN goes direct
    if (isInNet(host, "192.168.1.0", "255.255.255.0"))
        return "DIRECT";
    // The site's own external IP goes direct too, bypassing the proxy cache
    if (isInNet(host, "xx.yy.zz.tt", "255.255.255.255"))
        return "DIRECT";
    // Everything else through the proxy, falling back to direct if it is down
    if (url.substring(0,8) == "https://" ||
        url.substring(0,7) == "http://" ||
        url.substring(0,6) == "ftp://")
        return "PROXY 192.168.1.100:8080; DIRECT";
    // Explicit default so the function always returns a value for other schemes
    return "DIRECT";
}

Replace xx.yy.zz.tt with your external IP or feel free to enhance it. It's JavaScript.

----
Radu-Adrian Feurdean
BrainBench Linux MVP
 www.brainbench.com
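A PAC file is plain JavaScript that the browser evaluates, so its rules can be checked offline before rolling them out, which avoids exactly the "browser still goes to the old server" surprise reported above. The harness below is an added example, not part of pheur's post: it shims the browser-supplied helpers isInNet() and dnsResolve() over a constructed name table and runs the same rules as the posted file. The DNS table, the hostnames, the address 203.0.113.10 (standing in for the post's "xx.yy.zz.tt") and the proxy address 192.168.1.1:3128 (assuming Squid on the gateway at its usual port) are all assumptions made for the demo.

```javascript
// Added example (not from the original thread): evaluating a PAC file in Node.
// Browsers provide isInNet() and dnsResolve(); here they are shimmed over a
// constructed DNS table so the rules can be exercised without a browser.
// 203.0.113.10 stands in for the post's "xx.yy.zz.tt"; hostnames and the
// proxy address 192.168.1.1:3128 are assumptions for this demo.

const DNS_TABLE = {                      // constructed name -> address table
  'www.crunchybars.com': '203.0.113.10', // the site's public (ppp0) address
  'intranet': '192.168.1.20',            // some other LAN host
  'www.example.org': '198.51.100.7',     // an outside site
};

function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) | Number(o), 0) >>> 0;
}

// PAC helper shim: literal addresses resolve to themselves, names via the table,
// unknown names resolve to null just as a failed lookup would in the browser.
function dnsResolve(host) {
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return host;
  return Object.prototype.hasOwnProperty.call(DNS_TABLE, host) ? DNS_TABLE[host] : null;
}

// PAC helper shim: true when host (after resolution) lies inside net/mask.
function isInNet(host, net, mask) {
  const ip = dnsResolve(host);
  if (ip === null) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// The rules from the posted PAC, with an explicit default at the end.
function FindProxyForURL(url, host) {
  if (url.substring(0, 17) === 'http://localhost/') return 'DIRECT';
  if (isInNet(host, '192.168.1.0', '255.255.255.0')) return 'DIRECT';
  if (isInNet(host, '203.0.113.10', '255.255.255.255')) return 'DIRECT';
  if (/^(https?|ftp):\/\//.test(url)) return 'PROXY 192.168.1.1:3128; DIRECT';
  return 'DIRECT';
}

// The browser passes the URL and its hostname separately; mimic that here.
function decide(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

for (const u of ['http://www.crunchybars.com/', 'http://intranet/', 'http://www.example.org/']) {
  console.log(u, '->', decide(u));
}
```

The site's own name resolves to the external address and is sent DIRECT, so the request reaches the gateway's portfw rule rather than the proxy's cached copy; outside sites still go through the proxy. Real PAC engines expose more helpers (shExpMatch, dnsDomainIs and friends); add shims for whichever ones your file uses.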
LVL 1

Author Comment

by:magnakuz
Good info thanks...