I have set up the http.conf file with one live IP and one private (LAN) IP. I am also able to browse the HTTP server through both IPs.
The problem is that when trying to browse the live IP from remote, the default port 80 is not connecting and the error shows connection refused. [...I think the ISP blocked the default port]. When I put in a different free upper port number, it works. But I have to mention it like http://<Live IP>:<Free port>.
Please help. I don't have a reverse proxy. So how can I NAT, if the HTTP server is connected directly to the internet or if a firewall is in between?
With your NAT, you are forwarding a port to port 80 on your webserver, right? Well you can just use any source port you want on the NAT (8080 or whatever) and still forward it to port 80 on your webserver. No magic required.
I hope this helps, maybe you can clarify the setup you are trying to get.
I have already set the below rules for internal squid:
-A PREROUTING -i <wan-IF> -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o <wan-IF> -j MASQUERADE
Now I have found the following link related to the port 80 problem: https://www.linuxquestions.org/quest...3/#post1230399
Please help me with how to NAT in this case, so that it will not harm the internal proxy.
As per the post you linked, you're close, but you need to switch your dport and to-ports. The dport is the destination port coming into your router, so that should be 3128 and the to-port is the target port on your server, port 80.
- Arch
Ah, wait, sorry, I misread your posts...
So you've got:
Some web user > Internet > ISP > router > web server
The ISP is blocking port 80? In that case, there is nothing you can do to allow the web user to access your web server on port 80. The best you can do is find some sort of web redirect service who will take requests at their site and then redirect the user to http://<Live IP>:<Free port>.
You may be able to get your DNS host to provide web redirects or possibly find a web host that lets you create a web page which redirects users.
But if I put up any page which will redirect ... in that case outside users need to browse like http://<Live IP>:<Free port>. It would not be good.
What I'm thinking: any source (internet user) requesting port 80 [i.e. my web server] will be NATed / redirected to my internal mentioned free port number.
But I'm not getting a good iptables rule. Please help me.
Having seen your post, I have some further questions:
1. Are you running proxy and web server on your system?
2. What do you mean by live ip?
3. Is this global static ip?
If you have your own static global IP address, I assure you the ISP will open all ports.
4. What kind of internet connection you have(broadband, leaseline, etc)?
The internet connection that you are using is a broadband connection; your broadband router will have a feature called virtual host (most broadband routers have this feature). By using this facility you can NAT your external and internal ports.
To redirect a port for incoming traffic, your mentioned iptables rules are OK:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
Normally one uses -j DNAT, but -j REDIRECT seems not much different.
1> Yes, proxy and web server are running on the same system.
2> It's a global static IP.
3> It's a broadband connection.
As I mentioned, my squid-related rules are as follows:
-A PREROUTING -i <wan-IF> -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o <wan-IF> -j MASQUERADE
If I use "iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080", would there be any problem for my proxy?
And shouldn't I mention the <ethernet interface> in the rule?
eth0 -> Lan
eth1 -> Broadband with global static ip
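Added example, not part of the thread: a small Python model of first-match evaluation in the nat PREROUTING chain, applied to the question above about placing a second --dport 80 REDIRECT rule next to the Squid rule and about naming the interface. The two rulesets are constructed for illustration; eth0/eth1 and ports 3128, 80 and 8080 are taken from the thread, and the function names are hypothetical.

```python
import shlex

# Constructed rulesets in iptables-save syntax (assumption: eth0 = LAN,
# eth1 = WAN, Squid on 3128, Apache on 80, as described in the thread).
UNSCOPED = """
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
"""
SCOPED = """
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
"""

def parse_rules(text):
    """Parse the small subset of nat-table syntax used above."""
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1)
               if tok[i].startswith("-")}
        if opt.get("-A") != "PREROUTING" or opt.get("-j") != "REDIRECT":
            raise ValueError("unsupported rule: " + line)
        rules.append({
            "iface": opt.get("-i"),   # None means any inbound interface
            "proto": opt.get("-p"),
            "dport": int(opt["--dport"]),
            "to": int(opt.get("--to-ports") or opt["--to-port"]),
        })
    return rules

def local_port(rules, iface, dport, proto="tcp"):
    """Local port a new connection is delivered to: the chain is walked
    top to bottom, the first matching REDIRECT wins, no match keeps dport."""
    for r in rules:
        if (r["iface"] in (None, iface) and r["proto"] == proto
                and r["dport"] == dport):
            return r["to"]
    return dport

def report(text):
    """Delivery port for LAN:80, WAN:80 and WAN:8080 under a ruleset."""
    rules = parse_rules(text)
    cases = [("eth0", 80), ("eth1", 80), ("eth1", 8080)]
    return {f"{i}:{p}": local_port(rules, i, p) for i, p in cases}

if __name__ == "__main__":
    # Unscoped: WAN port 80 lands on Squid and the 8080 rule is never reached.
    # Scoped: only LAN port 80 goes to Squid; WAN 8080 reaches Apache on 80.
    for name, text in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(name, report(text))
```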
As I mentioned, my squid-related rules are as follows:
-A PREROUTING -i <wan-IF> -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o <wan-IF> -j MASQUERADE
Now, my LAN users are able to browse the Apache server through the LAN IP / global static IP. They are able to browse through the global static IP and through port 80, because I think their gateway is the proxy gateway; and because of the same broadband connection, they do not have any problem regarding the port (because they are situated on the LAN).
But the problem is with connections other than the LAN. I have tested with another ISP. Here the connection to port 80 is refused. Here a different free port is needed to browse.
How do I NAT all incoming connections requesting port 80 on my Apache server to the different port mentioned in the httpd.conf file, so that outsiders can browse without mentioning any port number?
If you are running a transparent proxy and access the internet without client-side (web browser) proxy configuration, you need to add this port redirect iptables rule (80--->3128 or the proxy listening port).
For a normal proxy setup there is no need for a port redirect in your Linux iptables, but you will have to NAT your global IP with your local IP at your router.
That means I have to modify the DSL modem configuration. No other way to use. Because if I'm not wrong, the connection is as follows:
Internet user -->>> DSL (modem-router) broadband connection -->>> global static IP (eth1) -->>> LINUX - httpd.conf file.
Here (in httpd.conf), if the port is 80, then the connection fails, or if it is another port, then the connection succeeds.
Is there any rule that can't be applied on Linux? I just want to know ... otherwise I have to think about the DSL modem-router NAT feature.
Please help.
Any user on the Internet requesting port 80 on your live IP is getting blocked *before the packet gets to you* by your ISP, right? So a web user going to your live IP on port 80 is *never* going to reach you and that is an issue with your ISP. Get your ISP to fix this or else ditch them.
Your only other option is to direct users to some other online site which either provides a proxy or redirects them to your live IP and some non-standard port (8080 or whatever).
A rule on your firewall cannot help you with port 80 traffic because your ISP has already blocked them.
You also redirect internal / LAN users to your squid proxy before going to Internet sites and that is working, correct?
Thank you for the nice response. I got your point. Now I'm thinking of making a NAT entry in the DSL modem.
But if this fails [another option is to use a non-standard port (8080 or whatever)], then should I change my transparent proxy redirection? But if I remove the transparent proxy rules, then users will be able to browse all the sites, because they will remove the entry from their local web browser settings.
Any suggestions on this are most welcome.
In the DSL modem, you can block outbound traffic for port 80 for your LAN network address and then allow outbound port 80 traffic only for the server IP address (you mentioned earlier that both proxy and web server are running on one server). That way it is easy to force your LAN clients to use the proxy, because they don't have direct internet access. In your proxy you can block unwanted URLs.