
nodine 07-14-2004 12:32 PM

routing http traffic to the correct box on subnet
I am new to routing, but have managed to configure a router with 2 ethernet interfaces and a firewall. I am using Mandrake 9.1 and Shorewall for this task. As per the shorewall suggestion, I have uninstalled the RPM of shorewall that mandrake automatically installs and have replaced it with a generic 'noarch' rpm of shorewall 2.0. eth0 is configured with a static ip ( and is connected to the border router that connects to the internet. eth1 is using a static ip ( and is connected to a switch (my internal network).
All of the computers connected to the switch get their IP addresses from DHCP configured on the router. Here I assign the IP addresses to each machine based on MAC IDs. This works, as all computers get their defined IP automatically, every time. The configuration I have for Shorewall lets all of them access the internet, but no one on the outside can 'see' (or ping) them.
If someone could tell me:
1) how to allow incoming http requests from my (inter)net zone on shorewall to be received by computers in the 'loc' zone (the internal network)
2) how to send requests to the proper http server
I would greatly appreciate it. I just do not know how to allow incoming requests to get past the firewall. Once those requests are allowed past the firewall, how do I make sure the requests for a certain domain go to the proper box?
I realize a question similar to this was discussed in a previous thread - 'shorewall - rules for multiple local sites' - but there were never any configuration files for me to compare against my own configs. Also, toward the end of the thread a moderator mentioned that the way that the forwarding was configured was strange, but not knowing what a 'standard' way of doing this is, I cannot tell.
Please help!

TheIrish 07-15-2004 10:51 AM

Ok, maybe I'm a bit stupid... no, I'm stupid, but I'm not sure I catch the problem.
Let's start from the beginning. You have a webserver in your local network and you want people from the internet to access it, right?

how to send requests to the proper http server
you mean how to tell the Linux box to forward traffic to your webserver?

I'm not into shorewall, but as far as I know it is a graphical interface for iptables, so I can give you iptables advices to do this task.
Notice, this is just an example, it is important to understand that shorewall may use variables, bash commands and conditional statements. Be careful on where you insert these commands... in other words, read the code.

Let's assume your webserver has as address, ok?

First, let's tell the box that when it receives data on port 80 it must forward it to the webserver:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination
Add this rule near the other PREROUTING statements.
Next, assuming shorewall is using DROP as FORWARD POLICY (do you see something like iptables -P FORWARD DROP anywhere? good), let's tell iptables that port 80 is okay.

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
Add this rule before any other statement similar to it (iptables -A ....).

Ok, reload your script and see... note that since I'm not sure how shorewall generates rules, many things could go... somehow wrong (not risky anyway).
If you still have problems, it could be a good idea to post your rule file here.
Good luck!
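The two iptables rules above are the core of the answer, but a working port forward on a firewall whose FORWARD policy is DROP needs a third rule for the return traffic, and the FORWARD rule should match the post-DNAT (internal) address rather than the public one, since the filter table sees the packet after it has been rewritten. The following script is an added example, not code from either poster; it assumes hypothetical addresses (web server 192.168.1.10, external interface eth0, internal interface eth1) and emits the full rule set in a dry-run mode so it can be inspected before being run as root with DRY_RUN=0. It also validates the address and port first, so a typo cannot open the firewall towards the wrong host.

```shell
#!/bin/sh
# Added example (not from the thread): the full set of iptables rules that
# publishing an internal web server needs, with a dry-run mode so the
# commands can be inspected before being applied as root.
# Hypothetical addresses: 192.168.1.10 is the web server; eth0/eth1 are
# the external/internal interfaces as in the original post.

# Print the rule when DRY_RUN=1 (the default), otherwise execute it.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Accept only a dotted quad whose four fields are each 0-255.
valid_ipv4() {
    addr=$1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept a decimal TCP port in 1-65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# publish_tcp_port EXT_IF INT_IF PUBLIC_PORT INTERNAL_IP [INTERNAL_PORT]
# Emits the three rules a DNAT needs. Returns 1 on a malformed address or
# port, before any rule is produced.
publish_tcp_port() {
    ext_if=$1
    int_if=$2
    pub_port=$3
    dst_ip=$4
    dst_port=${5:-$3}
    valid_ipv4 "$dst_ip" || return 1
    valid_port "$pub_port" || return 1
    valid_port "$dst_port" || return 1

    # 1. Rewrite the destination of packets arriving on the external interface.
    ipt -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$dst_ip:$dst_port"
    # 2. The filter table sees the post-DNAT address, so match the internal
    #    host and port (not the public ones), and only for new connections.
    ipt -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$dst_ip" \
        --dport "$dst_port" -m state --state NEW -j ACCEPT
    # 3. Replies and related traffic back out. With a DROP policy on FORWARD
    #    this rule is needed too (Shorewall normally generates it for you).
    ipt -A FORWARD -i "$int_if" -o "$ext_if" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Stand-alone run: print the rules for a web server at 192.168.1.10.
publish_tcp_port eth0 eth1 80 192.168.1.10
```

In Shorewall itself the same three rules come from one line in /etc/shorewall/rules, `DNAT net loc:192.168.1.10 tcp 80` (ACTION, SOURCE, DEST, PROTO, DEST PORT columns), which is the documented way to do this rather than editing the generated iptables script. Two caveats worth knowing before testing: the `-i eth0` match means clients on the LAN that connect to the public address are not redirected, so test from outside; and DNAT works on IP addresses and ports only, so it cannot send "requests for a certain domain" to different boxes. With one public IP and one port 80, forward the port to a single host that runs name-based virtual hosts, or a reverse proxy that dispatches on the HTTP Host header, and let that host hand each site's traffic to the right machine.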
