Solved

IPCop 1:1 SNAT

Posted on 2009-07-14
5
745 Views
Last Modified: 2013-12-25
I have just leased a set of 5 static IP's to configure into my network.. here was my previous setup:

WEB-->FIREWALL-->PORT80 FORWARD-->OCTAGATE REVERSE PROXY-->web1 or web2

the proxy would point to the correct web server depending on the HTTP header.. the problem was the proxy had to handle ALL requests. so i purchased the IP's to correct this.. only now im stuck here:

WEB-->FIREWALL-->web1 or web2

It's simply not working, i have a range of IP's: X.X.X.226 - X.X.X.230

226 is the firewall, 227, 228, 229, 230 are alias IP's

the setup:
Firewall: IPCop, IPFire and Smoothwall, no luck on any (willing to use any of the three)

I have read that this would work if I were forwarding alias IP's to servers in the DMZ only my servers are 1U's w/only 1 onboard NIC and 1 PCI NIC.. this leaves no room to setup a DMZ

..updated closed previous case

NOW, i have setup IPCop on a new 1U with 3 NIC's, still no luck
it points to the correct server but the server does not seem to "parse" the http header
It displays a generic welcome page instead of the domain requested.
any ideas?
0
Comment
Question by:p3rlphr33k
  • 5
5 Comments
 

Author Comment

by:p3rlphr33k
ID: 24863830
Here are the server's software setup:
Apache 2.2.6, PHP 5.2.4, MySQL 5.0.45, Postfix, BIND9, POP3/IMAP

Was running it behind a single IP with, IPCop was forwarding all port 80 requests to single server running win2003 with Octagate reverse proxy.

network was picking up traffic and started to slow way down so i leased 5 statics from my isp. now i have all statics configured as alias IP's port forwarding to the corresponding server in the DMZ e.g.
24.x.x.229=>10.0.0.29
and
24.x.x.230=>10.0.0.30

Thats all fine and dandy... but IPCop's NAT destorys the HTTP Header that calls the correct domain.
I have modfied the replies with the somthing similar to this:

/sbin/iptables -t nat -A RED -s 10.x.x.29 -o $RED -j SNAT --to-source 24.x.x.229
/sbin/iptables -t nat -A RED -s 10.x.x.30 -o $RED -j SNAT --to-source 24.x.x.230

I can enter a URL from an external addess, an it replies with a generic "Shared IP" or "Fedora Test Page" I can run lynx --dump whatismyip.com and verify alias is working...

so.. i think i covered most everything but the packet its self since thats how the virtual server operates what do you think?
0
 

Author Comment

by:p3rlphr33k
ID: 24863860
I think i need to add an IPTable to to check source address, port and forward full packet to server to get the correct response.. but I am horrible with iptables I guess rather than looking at my issue at large, this is what i would like to do with IPtables:
check alias IP if it matches one on the defined:
24.x.x.228, 24.x.x.229, 24.x.x.230
and matches port:
80, 81
forward packet to internal address associated with alias IP..

Can anyone help me with this iptable??
0
 

Author Comment

by:p3rlphr33k
ID: 24863897
I have also started testing Endia Community Firewall, which does the SNAT routing back to the Alias IP so the manual editing of the IPTables are no longer needed for routing response to alias. Now its just routing the packets from alias to server.. hope thismakes my question a little easier. if you guys keep up the great help I might just answer this on my own..
0
 

Author Comment

by:p3rlphr33k
ID: 24865358
I found a solution on a FREE web site... thanks for nothing again
0
 

Accepted Solution

by:
p3rlphr33k earned 0 total points
ID: 24869532
http://www.the-scream.co.uk/forums/showthread.php?p=230444#post230444 this guy needs to be sent a check from the idiots here.
0

Featured Post

Save on storage to protect fatherhood memories

You're the dad who has everything. This Father's Day, make sure your family memories are protected. My Passport Ultra has automatic backup and password protection to keep your cherished photos and videos safe. With up to 3TB, you have plenty of room to hold the adventures ahead.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now