Port Forwarding

Jonathan Hutchins hutchins at opus1.com
Tue Jan 14 02:25:07 CST 2003


> -----Original Message-----
> From: Jeremy Fowler [mailto:jfowler at westrope.com]

> Ok, you can't forward a webserver. You can forward packets 
> to/from a webserver - but not a webserver.

Well, I had a laptop forwarded to me today through Omaha, and there's
nothing to say it couldn't have been running a webserver, so you're wrong
there.

> So what does a webserver have to do with the 2.4 Kernel 
> firewall? How do you put a webserver on a 2.4 Kernel firewall 
> with iptables? Umb, you can't... 

If I accomplish what I intend to do, then the webserver will appear as if it
were on the same system as the firewall, and I will (presumably) have
accomplished this virtual translocation by using iptables, so even if my
syntax is unclear, the intent remains consistent.  However, it is the
unclear syntax, this time of the iptables rules, that is preventing me.

> So do you see the problem here? The question wasn't very 
> clear and that is why you're having problems finding an answer.

Yet the question is being asked, in virtually the same terms, by many people
on the internet.

Surely, the question is no less clear than the answers that are out there.

> ...I assume your question is trying to ask. Which is: How do 
> you forward packets thru a netfilter firewall to an internal webserver? 
> If so, why didn't you just say that?

I'm not positive that that's any clearer - I can get packets through the
firewall to the webserver now, just as I can to the workstations.  The
problem is making that virtual presence of the server as an available
connection at the firewall.  Establishing new connections on request from
various outside presences.  I'm sure that the method involves correctly
routing packets to the webserver, but it's not just a matter of forwarding
them to it, or I wouldn't be having this problem.  It's forwarding the right
ones.

Ok, kidding aside here, the problem is that it's subtleties of syntax that
are the problem.

Your example:

> iptables -t nat -A PREROUTING -i eth0 -p TCP -d $EXTERNAL_IP
> --dport 80 -j DNAT --to-destination $HTTP_SERVER_IP

Looks just like the one in the IP MASQ HOWTO, right down to the line break.

Problem is, where does it go?  If I just issue that command after my
firewall commands, it doesn't work. There must be other supporting rules, or
it must matter that that command come before some other command in the
ruleset.  

(Most of the rules specify a port on the --to-destination command, which
also appears as simply "--to".)
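As an added example that is not from the thread: the DNAT rule quoted above only rewrites the destination address; a 2.4/iptables firewall also needs IP forwarding switched on and FORWARD-chain rules that let the rewritten connection through, which are the "supporting rules" most often missing. The interface, addresses and port below are placeholders, and the function prints the rules so they can be reviewed before being run as root.

```sh
#!/bin/sh
# Emit the complete rule set for forwarding one TCP port from the firewall's
# external address to an internal webserver. Nothing is applied here; pipe the
# output into sh as root once it looks right. Argument values are placeholders.
dnat_rules() {
    ext_if=$1        # external interface, e.g. eth0
    ext_ip=$2        # address the outside world connects to
    server=$3        # internal webserver
    port=${4:-80}    # service port (default 80)
    cat <<EOF
# 1. The kernel must be willing to route between interfaces at all.
echo 1 > /proc/sys/net/ipv4/ip_forward
# 2. Rewrite the destination before the routing decision (nat table, PREROUTING).
#    -I ... 1 puts it at the head of the chain so no earlier PREROUTING rule
#    can match first; -A (append) is fine when the chain is otherwise empty.
#    The :port suffix on --to-destination keeps the port explicit.
iptables -t nat -I PREROUTING 1 -i $ext_if -p tcp -d $ext_ip --dport $port -j DNAT --to-destination $server:$port
# 3. After DNAT the packet is addressed to $server and traverses the filter
#    table's FORWARD chain. With a DROP policy there, this is what was missing.
#    Accept only the one port, not everything to the server.
iptables -A FORWARD -i $ext_if -p tcp -d $server --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# 4. Replies are un-NATed automatically by connection tracking, but they still
#    need to be allowed back out through FORWARD.
iptables -A FORWARD -o $ext_if -p tcp -s $server --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Example invocation with placeholder values (prints the rules, applies nothing):
#   dnat_rules eth0 203.0.113.10 192.168.1.5 80
```

Running `iptables -t nat -L PREROUTING -n --line-numbers` afterwards shows where the DNAT rule landed relative to any others, which is the ordering question the post raises.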




More information about the Kclug mailing list