[PLUG] servicing a domain from behind a firewall

Josh Orchard josh at emediatedesigns.com
Tue Jul 30 14:43:11 UTC 2002


Paul,

That sounds good, but won't all traffic to the 123.45.67.89 IP then
get forwarded to the internal machine?  I have two domains and would like
one resolved on 123.45.67.89 and the other sent to 10.0.0.13.
That is:

domain1.com is seen from the world to go to 123.45.67.89, and that Linux
box will handle all the requests for any services.  This machine is also
the firewall and does NAT for the internal network.
domain2.com is also seen by the world as being 123.45.67.89, but any
request to this domain should be forwarded to 10.0.0.13.
Is that still possible with iptables?  I have used iptables to forward
ports to a machine inside the firewall, but all requests go to that machine.
 I'm looking to have http://www.domain1.com get resolved on one server and
http://www.domain2.com get resolved on another server.  This would then be
extended beyond the http port to all port traffic to each domain.
Josh

> You shouldn't need a proxy server; iptables will do the trick for you.
>  For the sake of this example, assume that
>
> * eth0 is your external interface; its address is 123.45.67.89
> * eth1 faces your LAN
> * the internal host that will be serving these requests is 10.0.0.13
>
> 1. Make sure that your exposed host is set up for ip forwarding:
>
>   sysctl -w net.ipv4.ip_forward=1
>
> 2. Add some prerouting entries to your nat table for common services
>   like http, ftp, etc. Also add explicit support for these ports in
>   your FORWARD table.
>
>   for port in 80 21 22 25 110
>   do
>     iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $port \
>              -j DNAT --to 10.0.0.13:$port
>     iptables -t filter -A FORWARD -i eth0 -p tcp -d 10.0.0.13 \
>              --dport $port -j ACCEPT
>   done
>
> 3. Make sure that traffic sent from 10.0.0.13 out to the internet gets
>   the NAT treatment.
>
>   iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.45.67.89
>
> There's lots more to know about iptables than that -- but I just
> wanted to let you know that you can accomplish your packet passing
> with iptables.
>
> --Paul Heinlein <heinlein at attbi.com>
>
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
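The script below is an added example, not code from the thread or from either poster. It builds the rule set Paul's three steps describe (ip_forward, per-port DNAT plus FORWARD accepts, outbound SNAT) and adds what a practitioner would want before exposing it: a default-DROP FORWARD policy, a conntrack rule so only reply traffic comes back, and SNAT limited to the LAN's own source range. The interface names, addresses and port list are the thread's assumed values; LAN_NET (10.0.0.0/24), the `-m conntrack` match and the dry-run default (commands are echoed unless IPT=iptables is set) are assumptions of this example. One caveat on Josh's question: DNAT keys on destination address and port, so with a single public address these rules cannot tell domain1.com from domain2.com; HTTP can be split by a reverse proxy on the Host header, but splitting every port by name needs a second public address.

```shell
#!/bin/sh
# Added example (not from the thread): forwarding rule set with hardening.
# Addresses and interfaces are the thread's assumed values.
EXT_IF="eth0"              # external interface
INT_IF="eth1"              # LAN-facing interface
EXT_IP="123.45.67.89"      # public address
INT_HOST="10.0.0.13"       # internal server receiving the forwarded ports
LAN_NET="10.0.0.0/24"      # assumed LAN range (not given in the thread)
PORTS="80 21 22 25 110"    # the ports in Paul's loop

# Dry run by default: commands are printed, not executed.
# Set IPT=iptables SYSCTL=sysctl to apply them on a real firewall.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# forward_rules emits one DNAT and one FORWARD ACCEPT per forwarded port.
# The FORWARD match uses the post-DNAT destination (10.0.0.13).
# Note: forwarding 21 also needs the kernel FTP conntrack/NAT helper for
# data connections, and forwarding 22 moves external SSH off the firewall.
forward_rules() {
    for port in $PORTS; do
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$port" \
             -j DNAT --to-destination "$INT_HOST:$port"
        $IPT -t filter -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp \
             -d "$INT_HOST" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# base_rules: enable forwarding, deny everything not explicitly allowed,
# permit reply traffic, and NAT only the LAN's outbound traffic.
base_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -P FORWARD DROP
    $IPT -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j SNAT --to-source "$EXT_IP"
}

# apply_all installs base rules first so the conntrack accept precedes the
# per-port accepts in the FORWARD chain.
apply_all() {
    base_rules
    forward_rules
}

# count_dnat_rules: number of DNAT rules the dry run emits (one per port).
count_dnat_rules() {
    ( IPT="echo iptables"; forward_rules ) | grep -c -- '-j DNAT'
}
```

Run it once as a dry run and read the printed commands, then re-run with `IPT=iptables SYSCTL=sysctl` as root. Because the FORWARD policy is DROP, any service not in PORTS is unreachable from outside until a rule is added for it.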
