Solved

IPCop 1:1 SNAT

Posted on 2009-07-14
760 Views
Last Modified: 2013-12-25
I have just leased a set of 5 static IPs to configure into my network. Here was my previous setup:

WEB-->FIREWALL-->PORT80 FORWARD-->OCTAGATE REVERSE PROXY-->web1 or web2

The proxy would point to the correct web server depending on the HTTP header. The problem was the proxy had to handle ALL requests, so I purchased the IPs to correct this. Only now I'm stuck here:

WEB-->FIREWALL-->web1 or web2

It's simply not working. I have a range of IPs: X.X.X.226 - X.X.X.230

226 is the firewall; 227, 228, 229, 230 are alias IPs.

The setup:
Firewall: IPCop, IPFire and Smoothwall, no luck on any (willing to use any of the three)

I have read that this would work if I were forwarding alias IPs to servers in the DMZ, only my servers are 1Us with only 1 onboard NIC and 1 PCI NIC. This leaves no room to set up a DMZ.

..updated: closed previous case

NOW, I have set up IPCop on a new 1U with 3 NICs, still no luck.
It points to the correct server but the server does not seem to "parse" the HTTP header.
It displays a generic welcome page instead of the domain requested.
Any ideas?
Question by:p3rlphr33k
5 Comments
 

Author Comment

by:p3rlphr33k
ID: 24863830
Here is the server's software setup:
Apache 2.2.6, PHP 5.2.4, MySQL 5.0.45, Postfix, BIND9, POP3/IMAP

Was running it behind a single IP; IPCop was forwarding all port 80 requests to a single server running Win2003 with Octagate reverse proxy.

The network was picking up traffic and started to slow way down, so I leased 5 statics from my ISP. Now I have all statics configured as alias IPs port forwarding to the corresponding server in the DMZ, e.g.
24.x.x.229=>10.0.0.29
and
24.x.x.230=>10.0.0.30

That's all fine and dandy... but IPCop's NAT destroys the HTTP header that calls the correct domain.
I have modified the replies with something similar to this:

/sbin/iptables -t nat -A RED -s 10.x.x.29 -o $RED -j SNAT --to-source 24.x.x.229
/sbin/iptables -t nat -A RED -s 10.x.x.30 -o $RED -j SNAT --to-source 24.x.x.230

I can enter a URL from an external address, and it replies with a generic "Shared IP" or "Fedora Test Page". I can run lynx --dump whatismyip.com and verify the alias is working...

So.. I think I covered most everything but the packet itself, since that's how the virtual server operates. What do you think?
 

Author Comment

by:p3rlphr33k
ID: 24863860
I think I need to add an iptables rule to check the source address and port and forward the full packet to the server to get the correct response.. but I am horrible with iptables. I guess rather than looking at my issue at large, this is what I would like to do with iptables:
check the alias IP to see if it matches one of the defined:
24.x.x.228, 24.x.x.229, 24.x.x.230
and matches port:
80, 81
forward the packet to the internal address associated with the alias IP..

Can anyone help me with this iptables rule??
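A worked rule set for the alias-to-server mapping asked for in the comment above, added here as an example and not taken from the thread or from IPCop's own scripts. It assumes the RED interface name and the 228=>10.0.0.28 pairing (the thread only shows 229 and 230), and it prints the rules rather than applying them so the result can be reviewed before it is loaded on the firewall:

```shell
#!/bin/sh
# Added example: emit 1:1 NAT rules for public alias IPs mapped to DMZ servers.
# RED is the IPCop external interface; the name below is an assumed placeholder.
RED="${RED:-eth1}"
# Constructed alias=internal pairs following the thread's 24.x.x.229=>10.0.0.29 pattern.
MAPPINGS="24.x.x.228=10.0.0.28 24.x.x.229=10.0.0.29 24.x.x.230=10.0.0.30"
# Only these TCP ports are exposed per alias, as requested in the thread.
PORTS="80 81"

one_to_one_nat_rules() {
  for pair in $MAPPINGS; do
    alias_ip=${pair%%=*}
    internal_ip=${pair#*=}
    for port in $PORTS; do
      # Inbound: a packet arriving on RED for this alias and port is rewritten
      # to the matching DMZ server. Only the IP header changes; the TCP payload
      # (including the HTTP Host header) is passed through untouched.
      echo "/sbin/iptables -t nat -A PREROUTING -i $RED -d $alias_ip -p tcp --dport $port -j DNAT --to-destination $internal_ip:$port"
      # Forwarding is allowed only for connections that were DNATed above, so
      # nothing else on RED can reach the server through the firewall.
      echo "/sbin/iptables -A FORWARD -i $RED -d $internal_ip -p tcp --dport $port -m conntrack --ctstate DNAT -j ACCEPT"
    done
    # Outbound: connections the server itself originates leave with its own alias
    # instead of the firewall's primary address. Replies to DNATed connections are
    # reversed by conntrack automatically and do not need this rule.
    echo "/sbin/iptables -t nat -A POSTROUTING -o $RED -s $internal_ip -j SNAT --to-source $alias_ip"
  done
}

one_to_one_nat_rules
```

Since none of these rules modify the HTTP payload, a default "Fedora Test Page" after the rules are in place points at the web server's virtual host configuration rather than at the NAT.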
 

Author Comment

by:p3rlphr33k
ID: 24863897
I have also started testing Endian Community Firewall, which does the SNAT routing back to the alias IP, so the manual editing of the iptables rules is no longer needed for routing the response to the alias. Now it's just routing the packets from alias to server.. hope this makes my question a little easier. If you guys keep up the great help I might just answer this on my own..
 

Author Comment

by:p3rlphr33k
ID: 24865358
I found a solution on a FREE web site... thanks for nothing again
 

Accepted Solution

by: p3rlphr33k earned 0 total points
ID: 24869532
http://www.the-scream.co.uk/forums/showthread.php?p=230444#post230444 this guy needs to be sent a check from the idiots here.