-Thespian- asked:

Linux Iptables Prerouting

I have the following problem:
- I have a server with separate IPs (192.168.1.1 internal, 111.111.111.111 external, OS Linux).
- Several machines on the local network are connected to the internet through this machine (OS WinXP).
- On one of the XP machines I have an IIS server (192.168.1.6).
Problem: if someone opens http://111.111.111.111:8080/ in his browser, I want to show him the contents of the IIS website on my machine. And if the user enters http://111.111.111.111/, the contents of the Apache Linux server should be shown to him.

Now http://111.111.111.111/ works well. I have also gotten http://111.111.111.111:8080/ to work, but only from my machine (the one with IIS, IP=192.168.1.1). From other machines it doesn't work, and from the internet it doesn't either. I achieved this with:

iptables -t nat -I PREROUTING -p tcp -d 111.111.111.111 --dport 8080 -s 0.0.0.0/0.0.0.0 -j DNAT --to-destination 192.168.1.6:80


What else should I do?
ravenpl

#DNAT to linux apache
iptables -t nat -A PREROUTING -p tcp -d 111.111.111.111 --dport 80 -s 0.0.0.0/0.0.0.0 -j DNAT --to-destination 192.168.1.1:80
#DNAT to XP
iptables -t nat -A PREROUTING -p tcp -d 111.111.111.111 --dport 8080 -s 0.0.0.0/0.0.0.0 -j DNAT --to-destination 192.168.1.6:80
#in case the connection comes from LAN, we have to SNAT the conn also, so packets will get back through us
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 192.168.1.1 --dport 80 -j SNAT --to-source 192.168.1.MYIP
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 192.168.1.6 --dport 80 -j SNAT --to-source 192.168.1.MYIP
#don't forget to allow traffic pass in FORWARD chain
iptables -A FORWARD -p tcp -d 192.168.1.1 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.6 --dport 80 -j ACCEPT
#finally allow forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
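As an added illustration (not part of ravenpl's answer or of any real iptables code), here is a small Python model of why the hairpin SNAT rule matters: without it, a LAN client's SYN is DNATed to the IIS host, but the IIS host answers the LAN client directly, so the SYN-ACK never passes back through the router and arrives from 192.168.1.6 instead of 111.111.111.111. The router and IIS addresses follow the thread; the client addresses 192.168.1.5 and 203.0.113.7 are constructed, and the FORWARD chain and ip_forward are assumed to permit the traffic.

```python
import ipaddress

# Constructed topology matching the thread: router 192.168.1.1 (LAN) / 111.111.111.111 (WAN),
# IIS listening on 192.168.1.6:80. Client addresses used in the tests are made up.
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN, ROUTER_WAN, IIS = "192.168.1.1", "111.111.111.111", "192.168.1.6"


def prerouting_dnat(pkt):
    """Models: -t nat -A PREROUTING -d 111.111.111.111 --dport 8080 -j DNAT --to 192.168.1.6:80"""
    if pkt["dst"] == ROUTER_WAN and pkt["dport"] == 8080:
        return {**pkt, "dst": IIS, "dport": 80}
    return pkt


def postrouting_snat(pkt, hairpin):
    """Models: -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.6 --dport 80 -j SNAT --to <router LAN ip>.
    Applied only when the hairpin rule is installed (hairpin=True)."""
    if hairpin and ipaddress.ip_address(pkt["src"]) in LAN and pkt["dst"] == IIS and pkt["dport"] == 80:
        return {**pkt, "src": ROUTER_LAN}
    return pkt


def syn_ack_seen_by_client(client, hairpin):
    """Client opens http://111.111.111.111:8080/; return (src, dst) of the SYN-ACK it receives."""
    syn = {"src": client, "dst": ROUTER_WAN, "dport": 8080}
    forwarded = postrouting_snat(prerouting_dnat(syn), hairpin)
    # IIS answers whatever source address the forwarded SYN carried.
    reply_dst = forwarded["src"]
    # The reply crosses the router only if addressed to the router itself or to a host
    # outside the LAN (default gateway). A LAN destination is reached directly on the LAN.
    via_router = reply_dst == ROUTER_LAN or ipaddress.ip_address(reply_dst) not in LAN
    if via_router:
        # conntrack reverses both translations: the client sees the reply from the public address
        return (ROUTER_WAN, client)
    # Bypasses the router: the client connected to 111.111.111.111 and drops a reply from 192.168.1.6.
    return (IIS, reply_dst)


def client_accepts(client, hairpin):
    """True when the SYN-ACK source matches the address the client connected to."""
    return syn_ack_seen_by_client(client, hairpin)[0] == ROUTER_WAN
```

An internet client is served with the DNAT rule alone, while a LAN client only succeeds once the SNAT rule makes the reply path run back through the router.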
-Thespian- (ASKER)

Something is wrong... I have entered all the commands above, but it's the same story... when I type my domain from 192.168.1.6, it loads, but if I type http://192.168.1.1:8080/, it doesn't. From other local computers and from external machines it doesn't work either.

The contents of the /proc/sys/net/ipv4/ip_forward file is "1".
Oh, I thought You want to type: http://111.111.111.111:8080/
If You want to use the local address with port 8080, simply make apache listen on port 8080 as well as on 80.
Also check that Your XP firewall does not block incoming connections on port 80.
> ravenpl
>>Oh, I thought You want to type: http://111.111.111.111:8080/
yes, but instead http://111.111.111.111:8080/, I'd like it to work also as: http://www.mydomain.com:8080/

>>If You want to use the local address with port 8080, simply make apache listen on port 8080 as well as on 80.
Where?

>>Also check that Your XP firewall does not block incoming connections on port 80.
I have added it to the XP SP2 firewall list.
Also, when I type http://www.mydomain.com:8080/ on the machine where my IIS is installed (192.168.1.6), it works, but from the others it doesn't.
> yes, but instead http://111.111.111.111:8080/, I'd like it to work also as: http://www.mydomain.com:8080/
If the domain resolves to that IP - no problem.

> Where?
in the global config of httpd.conf put: Listen 8080

>> yes, but instead http://111.111.111.111:8080/, I'd like it to work also as: http://www.mydomain.com:8080/
>If the domain resolves to that IP - no problem.
Yes, the Apache server on 192.168.1.1 (http://111.111.111.111/ or http://mydomain.com/, they are the same) works well. I'd only like to add the Win server so it works too.

>> Where?
>in the global config of httpd.conf put: Listen 8080
Why is it needed for the Linux apache?
I have added Listen 8080 - it doesn't work...
Sorry, ravenpl.
On some machines of our local network it works. But from outside - nope.
ASKER CERTIFIED SOLUTION
ravenpl
>If no other firewall is blocking traffic, then You should be able from outside
>http://1.1.1.1/ http://1.1.1.1:8080/
>and from inside the same + http://192.168.1.1/ http://192.168.1.6/

Maybe there is something somewhere in Linux?
Thank you, ravenpl, for the answer.
If you will find something else that must work, please contact me at thespian@mail.ru.