Old 09-27-2005, 03:48 AM   #1
props666999
Member
 
Registered: Oct 2003
Location: Greece
Posts: 260

Rep: Reputation: 30
Dynamic ip and Apache with iptables


Hi

I need to setup a firewall and let a dmz'ed client to host websites
using snat dnat but with no dynamic ip .

I cannot set the code properly within rc.firewall



You have a dialup / cable link to the internet that gets a dynamic IP
assigned. The firewall box has the connection to the internet with this
dynamic IP. You have a LAN which can connect to the internet through
the firewall box using Masquerading.

You use one of those dynamic DNS servers to update your IP address to
your registered internet name (this.is.myhost.com). Thus people can
find you (this.is.myhost.com) and connect from outside. You have a
Webserver behind your firewall box which you want to DNAT port 80
requests to. Thus people who try to connect to this.is.myhost.com port
80 will actually connect to the Webserver box behind your firewall.
 
Old 09-27-2005, 08:26 AM   #2
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
I'm sorry, is there a question here? If you have the box on a static private IP (LAN), then you just need to allow traffic on port 80 in (and related traffic out). Then you need to forward all traffic on port 80 at your firewall to the static IP given to this box. I've got my home server set up the same way.
 
Old 09-27-2005, 08:36 AM   #3
props666999
Member
 
Registered: Oct 2003
Location: Greece
Posts: 260

Original Poster
Rep: Reputation: 30
Hello TruckStuff

I want to achieve the same functionality as you. Can you show me the
forwarding bit for me to understand?

Regards
 
Old 09-27-2005, 09:42 PM   #4
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Well I'm using a Linksys router-in-a-box for my firewall, so the forwarding there is pretty simple, but we will see what we can do here...

On the SERVER (i.e. where apache is installed), you need at least the following:
Code:
# Accept traffic related to existing connections...
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming traffic on the web server
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
Note that these rules are a *bare* minimum to get the functionality you desire.

Then on the firewall box, you will need something like the following:
Code:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.99:80 #substitute the real target IP here
Also see here for resources: http://www.google.com/search?q=iptables+forward+port+80

It is important to note that many ISPs block all incoming traffic on port 80 in their TOS. If you can't successfully connect on port 80, you may want to try a different port like 8888 or 8080 to see if you have better luck with that one.
 
Old 09-28-2005, 04:08 AM   #5
props666999
Member
 
Registered: Oct 2003
Location: Greece
Posts: 260

Original Poster
Rep: Reputation: 30
Hello

I tried that with no luck.

what i did was to use the template from the official iptables howto

here script

because my ip is dynamic simply i put my current one

it is definitely firewall related because

i can ping my website address and get icmp replies

from my dmz'ed computer which hosts the apaches ( this is normal)

I do not know what the problem is .

The only bit changed in the script is the 2 following lines
INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
i put my ip address


any help ? Thank You
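
The forwarding setup discussed in this thread, as an added example that is not part of any poster's message: a script that prints the firewall-box rules keyed on the external interface rather than the external address, so they stay valid when the dynamic IP changes. The function names, the eth0/eth1 interface names and the requirement that the web server sit on a private LAN address (as in post #2) are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not apply) firewall-box rules that key on the
# external interface, so nothing needs editing when the dynamic IP changes.
# Function names and the eth0/eth1 interface names are assumptions.

# Succeeds only for a well-formed RFC 1918 (private LAN) IPv4 address.
is_private_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    case "$1.$2" in
        10.*|192.168|172.1[6-9]|172.2[0-9]|172.3[01]) return 0 ;;
    esac
    return 1
}

# Succeeds for a plausible interface name (1-15 chars, no shell metacharacters).
valid_ifname() {
    case "$1" in ""|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# Usage: print_forward_rules EXT_IF INT_IF WEB_IP
print_forward_rules() {
    ext_if=$1; int_if=$2; web_ip=$3
    if ! valid_ifname "$ext_if" || ! valid_ifname "$int_if"; then
        echo "refusing: bad interface name" >&2; return 2
    fi
    if ! is_private_ipv4 "$web_ip"; then
        echo "refusing: $web_ip is not a private LAN address" >&2; return 3
    fi
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport 80 -j DNAT --to-destination $web_ip:80
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ext_if -o $int_if -d $web_ip -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE
EOF
}

# Constructed sample values; 192.168.1.99 is the placeholder from post #4.
print_forward_rules eth0 eth1 192.168.1.99
```

Review the printed rules before running them as root on the firewall box; the web server itself still needs the INPUT rules from post #4.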
 
  

