Complicated IP Tables Configuration
Greetings,
I have an RH9 server with two interfaces, Apache, sendmail, etc., and I'm struggling with something fairly complicated; maybe someone could point me in the correct direction.
On the server, eth0 faces the internal network private IP space.
eth1: has a public IP address I'll call pub194
eth1:1 is pub195
eth1:2 is pub197
eth1:3 is pub198
The public IP pub194 (eth1) I have working properly with iptables, where port 80 goes to Apache, port 25 goes to sendmail, etc., and all other ports are completely closed. Nmap indicates this is operating correctly.
Pub195 (eth1:1) also feeds Apache (only); however, hitting that IP address results in different web pages, using the "virtual hosts" part of Apache. That too works fine, and all ports other than port 80 on pub195 are closed.
Now comes the part that has stumped me for several weeks.
The public IP addresses pub197 (eth1:2) and pub198 (eth1:3) I need to "NAT" across the eth0 port, in order to send ports 80 and 8481 to two different devices (D-Link webcams, actually), and close all the other ports as I have above.
So, to play with one camera, I added the following lines:
#studiocam.midimonkey.com
# DNAT'd packets are routed through the box, so they are filtered in FORWARD, not in the
# Lokkit INPUT chain; an alias such as eth1:2 cannot be named in -i, and after DNAT the
# packet is addressed to the camera, so match the camera address with -d
-A FORWARD -i eth1 -o eth0 -d 192.168.1.21 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -d 192.168.1.21 -p tcp -m tcp --dport 8481 -j ACCEPT
Then at the end of the /var/sysconfig/iptables, I added these lines:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# webcam port forwarding: PREROUTING has no output interface, so -o is invalid there;
# match the incoming interface plus the alias's public address (pub197 = the real IP),
# and the option is --dport (two dashes)
-A PREROUTING -i eth1 -d pub197 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.21:80
-A PREROUTING -i eth1 -d pub197 -p tcp --dport 8481 -j DNAT --to-destination 192.168.1.21:8481
COMMIT
When I restarted iptables, of course it bombed, at first indicating the "eth1:2" alias was not acceptable, so I thought I'd be clever and rename eth1:2 to eth2 in "network config". Yeah, that didn't work at all, even though I changed it in iptables to match.
Basically, I want to forward an additional public IP to a webcam that's hiding behind the server. Then duplicate that, for a second public IP, to a second webcam.
I realize I could open ports on the pub194 IP, say 81 to the first camera and 82 to the second camera, but then I can't resolve those ports via DNS with something along the lines of:
studiocam.mydomain.com --> pub197
babycam.mydomain.com --> pub198
pub197 & pub198 being public IPs that do nothing else.
I read various iptables-howto type documents, and while they've pointed me in somewhat the right direction (I'm understanding the NAT concept much more than before), I am not quite sure how to make this work.
Any ideas? Would be most appreciated!
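The setup asked for above, worked through as an added example that is not part of the original post: a small shell script that generates the complete iptables-restore file for two spare public IPs, each DNAT'd on ports 80 and 8481 to its own camera, with every other forwarded port closed. The addresses are assumptions (pub197 = 203.0.113.197, pub198 = 203.0.113.198 from the RFC 5737 documentation range; cameras at 192.168.1.21 and 192.168.1.22); interface names follow the post, and the point it demonstrates is that iptables never sees an alias like eth1:2, only eth1, so the alias is selected by matching its address with -d.

```shell
#!/bin/sh
# Added example, not from the original post: build the iptables-restore file
# that forwards two spare public IPs to two webcams behind the server.
# Hypothetical addresses (replace with your own): pub197 = 203.0.113.197,
# pub198 = 203.0.113.198 (RFC 5737 documentation range); the cameras are
# 192.168.1.21 and 192.168.1.22. Interfaces follow the post: eth1 is the public
# NIC (eth1:1 .. eth1:3 are the same interface to iptables), eth0 faces the LAN.

WAN_IF=eth1
LAN_IF=eth0
STUDIO_PUB=203.0.113.197 STUDIO_CAM=192.168.1.21
BABY_PUB=203.0.113.198   BABY_CAM=192.168.1.22
CAM_PORTS="80 8481"   # space separated on purpose; expanded unquoted below

# dnat_rules PUBLIC_IP CAM_IP PORT...  ->  lines for the *nat table
# PREROUTING has no output interface, so the match is -i eth1 plus -d <alias
# address>; that is how an eth1:N alias is selected without naming it.
dnat_rules() {
    pub=$1; cam=$2; shift 2
    for port in "$@"; do
        printf '%s\n' "-A PREROUTING -i $WAN_IF -d $pub -p tcp --dport $port -j DNAT --to-destination $cam:$port"
    done
}

# forward_rules CAM_IP PORT...  ->  lines for the *filter table
# DNAT'd packets traverse FORWARD, not INPUT, and are filtered after the
# rewrite, so the rule names the camera address, not the public one.
forward_rules() {
    cam=$1; shift
    for port in "$@"; do
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $cam -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
}

# ruleset -> complete iptables-restore input. The nat table needs its chain
# declarations and its own COMMIT line; FORWARD policy DROP closes every
# forwarded port other than the ones explicitly opened per camera.
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
$(dnat_rules "$STUDIO_PUB" "$STUDIO_CAM" $CAM_PORTS)
$(dnat_rules "$BABY_PUB" "$BABY_CAM" $CAM_PORTS)
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# existing RH-Lokkit INPUT rules for pub194/pub195 (Apache, sendmail) go here unchanged
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$(forward_rules "$STUDIO_CAM" $CAM_PORTS)
$(forward_rules "$BABY_CAM" $CAM_PORTS)
COMMIT
EOF
}

# Print the file for review. To install: ruleset > /etc/sysconfig/iptables and
# restart the iptables service, after enabling routing with
#   sysctl -w net.ipv4.ip_forward=1   (net.ipv4.ip_forward = 1 in /etc/sysctl.conf)
ruleset
```

Two caveats a practitioner would check before blaming the rules. First, DNAT only rewrites the inbound packet; the camera's replies are un-NATed by connection tracking only if they come back through this box, so each camera's default gateway must be the server's eth0 address. Second, the FORWARD policy of DROP above also blocks any LAN hosts that route out through this server; if it is their gateway as well, they need their own FORWARD accept and a POSTROUTING MASQUERADE rule, which is outside what the post asks for. Verifying from outside with nmap against pub197 and pub198 should then show exactly 80 and 8481 open and nothing else.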