LinuxQuestions.org > Linux - Networking > Private/Local Network (https://www.linuxquestions.org/questions/linux-networking-3/private-local-network-344833/)

whohasit 07-19-2005 10:44 PM

Private/Local Network
 
Using NAT, DNS and a single public IP address on the gateway, what is the simplest way to have multiple machines on the same private network accepting requests to the same port? (e.g. running multiple web servers, all answering port 80, each accessible from the public address).

4 machine example:

banana.example.com (gateway - public address)

http://apple.example.com (private address)
http://orange.example.com (private address)
http://grape.example.com (private address)

Thanks in advance.

dugas 07-19-2005 10:53 PM

private network
 
All the machines on the private network should only answer when their specific hostname is called. You need to add the hostnames and their respective IP addresses into the hosts file located in the /etc directory.

whohasit 07-19-2005 11:08 PM

We have names running on the gateway but I'm assuming that since all the addresses are private, we must use port forwarding on a port-by-port basis.

Are you suggesting using the hosts file instead, without port forwarding? Can you provide any more details?

mhallbiai 07-20-2005 12:36 AM

dugas, I think what whohasit is wanting is this:
if an external client attempts to connect to {apple,orange,grape}.example.com, all three will hit port 80 on the router/firewall/gateway; based on the destination (apple, orange, grape), the rtr/fw/gw will forward the request on to the correct (internal) system.

whohasit,
I believe you can do this with iptables if DNS resolves correctly, so that banana knows which internal IP to use for apple/orange/grape. I do not have a setup that I can test, so it will just need to be attempted. I believe it would look something like this...

assumed: eth0 = Public; eth1 = Private

Code:

# Assumed: eth0 = public, eth1 = private.
# A hostname given to -d or --to-destination is resolved once, when the rule is
# loaded, so it must resolve on the gateway to the address you intend: the
# public address for -d, the private address of each server for --to-destination.
iptables -t nat -A PREROUTING -s 0/0 -d apple.example.com -i eth0 -p tcp --dport 80 -j DNAT --to-destination apple.example.com:80
iptables -t nat -A PREROUTING -s 0/0 -d orange.example.com -i eth0 -p tcp --dport 80 -j DNAT --to-destination orange.example.com:80
iptables -t nat -A PREROUTING -s 0/0 -d grape.example.com -i eth0 -p tcp --dport 80 -j DNAT --to-destination grape.example.com:80
# DNATed connections arrive on eth0 and leave on the private interface, eth1
iptables -A FORWARD -s 0/0 -d apple.example.com -p tcp --dport 80 -m state --state NEW -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -s 0/0 -d orange.example.com -p tcp --dport 80 -m state --state NEW -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -s 0/0 -d grape.example.com -p tcp --dport 80 -m state --state NEW -i eth0 -o eth1 -j ACCEPT

You will need to place the nat PREROUTING and FORWARD rules before any exclusive DROPs you have in your firewall/iptables rules now for those chains.

Hope this helps.
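The routing decision mhallbiai describes (pick apple, orange or grape from the name the client asked for) cannot be made from the IP packet alone, because all three names resolve to banana's single public address; the requested name survives only in the HTTP Host header. As an added illustration, not code from this thread, here is a minimal Host-header router in Python that reads that header, relays the connection to the matching private server, and refuses requests with a missing or unknown Host rather than falling through to a default server. The private addresses in BACKENDS (apart from 192.168.0.230, which appears later in the thread) and the listening port are assumed values.

```python
# Added example: a minimal HTTP/1.1 Host-header router (layer-7 forwarding).
# The gateway's IP layer sees only the public destination address, so a DNAT
# rule cannot tell apple from orange; the name is in the HTTP Host header.
import socket
import threading

# Constructed mapping, public hostname -> (private address, port).
# The private addresses are assumptions for illustration only.
BACKENDS = {
    "apple.example.com": ("192.168.0.230", 80),
    "orange.example.com": ("192.168.0.231", 80),
    "grape.example.com": ("192.168.0.232", 80),
}

MAX_HEAD = 8192  # refuse request heads larger than this


def parse_host(head: bytes):
    """Return the lowercased Host value without a :port suffix, or None.

    Only the first Host header is honoured. A request with no Host (HTTP/1.0
    style) or an unparsable head yields None so the caller can fail closed.
    """
    lines = head.decode("iso-8859-1", errors="replace").split("\r\n")
    for line in lines[1:]:              # skip the request line
        if line == "":
            break                       # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):    # bracketed IPv6 literal, keep brackets
                host = host[: host.find("]") + 1]
            elif host.count(":") == 1:  # name:port
                host = host.split(":", 1)[0]
            return host or None
    return None


def choose_backend(head: bytes, backends=BACKENDS):
    """Map a request head to a (address, port) tuple, or None if unknown."""
    host = parse_host(head)
    if host is None:
        return None
    return backends.get(host)


def read_head(sock):
    """Read until the end of the header block; None on EOF or oversized head."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) + len(chunk) > MAX_HEAD:
            return None
        buf += chunk
    return buf


def pipe(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client):
    """Route one accepted connection by its Host header."""
    with client:
        head = read_head(client)
        if head is None:
            client.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
            return
        backend = choose_backend(head)
        if backend is None:
            # Fail closed: unknown or missing Host is never sent to a default server.
            client.sendall(b"HTTP/1.1 404 Not Found\r\nConnection: close\r\n\r\n")
            return
        try:
            upstream = socket.create_connection(backend, timeout=10)
        except OSError:
            client.sendall(b"HTTP/1.1 502 Bad Gateway\r\nConnection: close\r\n\r\n")
            return
        with upstream:
            upstream.sendall(head)      # replay the head already consumed
            t = threading.Thread(target=pipe, args=(client, upstream), daemon=True)
            t.start()
            pipe(upstream, client)
            t.join()


def serve(listen=("0.0.0.0", 8080)):
    """Accept connections on the gateway and hand each to handle()."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen(64)
        while True:
            conn, _ = srv.accept()
            conn.settimeout(30)
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Because the decision is made on the client-supplied Host value, the lookup is an exact match against a fixed table; anything not in the table gets a fixed error rather than a guess, which is what keeps a stray name or a bare-IP request from reaching an internal server it was not meant for.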

mhallbiai 07-20-2005 08:14 AM

The more I think about this, the more skeptical I become about it actually working...

whohasit 07-20-2005 01:18 PM

mhallbiai,

Thank you; you are exactly correct regarding what we're trying to do.

However, these rules (incl. apple) continue to fail:

Where might I be wrong? (Order?)

Code:

# Flushing removes rules but leaves the chain policies as they were
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# Replies to connections opened from the private side
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
# -d is resolved once at load time and must equal the public address seen on eth0;
# if apple.example.com resolves to the private address on the gateway, this never matches
iptables -t nat -A PREROUTING -s 0/0 -d apple.example.com -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.230:80
# Needed only if the FORWARD policy is DROP: allow the NEW DNATed connections through
iptables -A FORWARD -i eth0 -o eth1 -d 192.168.0.230 -p tcp --dport 80 -m state --state NEW -j ACCEPT


Thanks again,

