Old 07-14-2004, 11:32 AM   #1
Distribution: Mandrake 9.1
routing http traffic to the correct box on subnet

I am new to routing, but have managed to configure a router with 2 ethernet interfaces and a firewall. I am using Mandrake 9.1 and Shorewall for this task. As per the shorewall suggestion, I have uninstalled the RPM of shorewall that mandrake automatically installs and have replaced it with a generic 'noarch' rpm of shorewall 2.0. eth0 is configured with a static ip ( and is connected to the border router that connects to the internet. eth1 is using a static ip ( and is connected to a switch (my internal network).
All of the computers connected to the switch get their ip addresses from dhcp configured on the router. Here is assign the IP addresses to each machine based on MAC id's. This works, as all computers get their defined ip automatically, every time. The configuration I have for shorewall lets all of them access the internet,but no one on the outside can 'see' (or ping) them.
If someone could tell me:
1) how to allow incoming http requests from my (inter)net zone on shorewall to be received by computers in the 'loc' zone (the internal network)
2) how to send requests to the proper http server
I would greatly appreciate it. I just do not know how to allow incoming requests to get past the firewall. Once those requests are allowed past the firewall, how do I make sure the requests for a certain domain go to the proper box?
I realize a question similar to this was discussed in a previous thread - 'shorewall - rules for multiple local sites' - but there were never any configuration files for me to compare against my own configs. Also, toward the end of the thread a moderator mentioned that the way that the forwarding was configured was strange, but not knowing what a 'standard' way of doing this is, I cannot tell.
Please help!
Old 07-15-2004, 09:51 AM   #2
Ok, maybe I'm a bit stupid... no, I'm stupid, but I'm not sure I catch the problem.
Let's start from the beginning. You have a webserver in your local network and you want people from the internet to access it, right?
Quote: "how to send requests to the proper http server"
You mean how to tell the Linux box to forward traffic to your webserver?

I'm not into shorewall, but as far as I know it is a graphical interface for iptables, so I can give you iptables advice to do this task.
Notice, this is just an example; it is important to understand that shorewall may use variables, bash commands and conditional statements. Be careful about where you insert these commands... in other words, read the code.

Let's assume your webserver has as address, ok?

First, let's tell the box that when it receives data on port 80 it must forward it to the webserver:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination
Add this rule near to the other PREROUTING statements.
Next, assuming shorewall is using DROP as FORWARD POLICY (do you see something like iptables -P FORWARD DROP anywhere? good), let's tell iptables that port 80 is okay.
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
Add this rule before any other statement similar to it (iptables -A ....).

Ok, reload your script and see... note that since I'm not sure how shorewall generates rules, many things could go... somehow wrong (not risky anyway).
If you still have problems, it could be a good idea to post your rule file here.
Good luck!
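The two rules from the reply above, put together as a small script (an added example, not code from either poster): it builds the DNAT and FORWARD rules from variables, restricts the FORWARD hole to the one web server, and refuses to apply anything while the kernel has IP forwarding switched off. WAN_IF, LAN_IF, WEB_SERVER and the 192.0.2.10 address are placeholders chosen here, not values from the thread.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the port-forwarding rules
# described in the reply. Every value below is an assumed placeholder.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WEB_SERVER="${WEB_SERVER:-192.0.2.10}"   # placeholder (TEST-NET-1), not the poster's address
HTTP_PORT="${HTTP_PORT:-80}"

# Print the rules without applying them; usage: build_rules WAN_IF LAN_IF SERVER PORT
build_rules() {
    wan="$1"; lan="$2"; server="$3"; port="$4"
    # 1) rewrite the destination of inbound HTTP to the internal web server
    printf 'iptables -t nat -I PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan" "$port" "$server" "$port"
    # 2) let the rewritten packets through a FORWARD chain whose policy is DROP.
    #    -I puts the rule first ("before any other statement similar to it");
    #    matching on the server address keeps the hole as narrow as the DNAT itself.
    printf 'iptables -I FORWARD -i %s -o %s -p tcp -d %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$wan" "$lan" "$server" "$port"
}

# DNAT alone does nothing if the kernel does not route between interfaces.
# Returns 0 when net.ipv4.ip_forward is enabled.
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Apply only when explicitly asked (needs root); the default just shows the rules.
if [ "$1" = "apply" ]; then
    forwarding_enabled || { echo "ip_forward is 0: run 'sysctl -w net.ipv4.ip_forward=1' first" >&2; exit 1; }
    build_rules "$WAN_IF" "$LAN_IF" "$WEB_SERVER" "$HTTP_PORT" | sh -e
else
    build_rules "$WAN_IF" "$LAN_IF" "$WEB_SERVER" "$HTTP_PORT"
fi
```

Because DNAT works per port, this sends all inbound port-80 traffic to one host; picking a box per domain name is a separate job for the web server itself and is not covered by these rules.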