PAT HOW to - IPTABLES
Indunil Jayasooriya
2007-12-10 10:20:31 UTC
Hi,

I have a box running with iptables and iproute2. it has 3 ethernet cards.
One for the internet. another for LAN and yet another for DMZ.

@ DMZ ZONE I have 3 web servers. But I have only one real ip on my firewall.
Now, I want to forward port 80 to these 3 web servers.

How can I do it?

I searched a lot from google. But, still no luck.
--
Thank you
Indunil Jayasooriya
Alexandre J. Correa - Onda Internet
2007-12-10 11:32:18 UTC
you can use squid as reverse proxy ..

see cache_peer !!

squid can load balance between 3 servers and cache it !!

run squid on your box with real ip..

here you can see examples
http://under-linux.org/7964-squid-atuando-como-proxy-reverso.html

(pt-br)
Post by Indunil Jayasooriya
Hi,
I have a box running with iptables and iproute2. it has 3 ethernet
cards. One for the internet. another for LAN and yet another for DMZ.
@ DMZ ZONE I have 3 web servers. But I have only one real ip on my
firewall. Now, I want to forward port 80 to these 3 web servers.
How can I do it?
I searched a lot from google. But, still no luck.
--
Thank you
Indunil Jayasooriya
_______________________________________________
LARTC mailing list
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
--
Sds.

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br
Indunil Jayasooriya
2007-12-10 10:39:52 UTC
Post by Alexandre J. Correa - Onda Internet
see cache_peer !!
squid can load balance between 3 servers and cache it !!
run squid on your box with real ip..
Thanks for your quick answer. I know about reverse proxy. I wanted to know
that without squid, whether iptables itself can handle this situation.
Suppose, I have 3 mail servers @ DMZ zone with one real ip. the situation
as before?

in that case, What can I do?


Hope to hear from you.
--
Thank you
Indunil Jayasooriya
Alex Samad
2007-12-10 21:29:32 UTC
Post by Indunil Jayasooriya
Post by Alexandre J. Correa - Onda Internet
see cache_peer !!
squid can load balance between 3 servers and cache it !!
run squid on your box with real ip..
Thanks for your quick answer. I know about reverse proxy. I wanted to know
that without squid, whether iptables itself can handle this situation.
as before?
in that case, What can I do?
you could use exim/postfix and route the mail to the right server, but I guess
you are trying to find out how to have port 25 on the real ip nat'ed to one of
the 3 dmz'ed ip based upon the destination mail address

short answer you can't as far as I know, iptables only looks at src ip / src
port & dest ip/dest port. You could write your own plugin module to look into
the tcp stream.
Post by Indunil Jayasooriya
Hope to hear from you.
--
Thank you
Indunil Jayasooriya
Radek 'Goblin' Pieczonka
2007-12-10 23:19:22 UTC
Post by Alex Samad
Post by Indunil Jayasooriya
as before?
in that case, What can I do?
you could use exim/postfix and route the mail to the right server, but I guess
you are trying to find out how to have port 25 on the real ip nat'ed to one of
the 3 dmz'ed ip based upon the destination mail address
short answer you can't as far as I know, iptables only looks at src ip / src
port & dest ip/dest port. You could write your own plugin module to look into
the tcp stream.
based upon destination email address/domain could be done by postfix and
transports for selected mail/domain to selected server. but there is
also a possibility of load balancing and failover for set of domains
with all servers working with all the domains for HA and flexibility of
computing power, then I'd say take a look at keepalived for both those
features. for http traffic it's actually the same, and also you can
consider apache reverse proxy feature.
--
Radek aka Goblin
Alex Samad
2007-12-11 08:16:35 UTC
Post by Radek 'Goblin' Pieczonka
Post by Alex Samad
Post by Indunil Jayasooriya
as before?
in that case, What can I do?
you could use exim/postfix and route the mail to the right server, but I
guess you are trying to find out how to have port 25 on the real ip nat'ed
to one of the 3 dmz'ed ip based upon the destination mail address
short answer you can't as far as I know, iptables only looks at src ip /
src port & dest ip/dest port. You could write your own plugin module to
look into the tcp stream.
based upon destination email address/domain could be done by postfix and
transports for selected mail/domain to selected server. but there is also a
possibility of load balancing and failover for set of domains with all
servers working with all the domains for HA and flexibility of computing
power, then I'd say take a look at keepalived for both those features. for
http traffic it's actually the same, and also you can consider apache
reverse proxy feature.
he only has 1 real ip

[silly idea]
of course could be really tricky and use an ipv6 to ipv4 address and name all
the dmz servers with ipv6 (in dns as well), really relying upon clients to be
ipv6 enable
[/silly idea]
Post by Radek 'Goblin' Pieczonka
--
Radek aka Goblin
Grant Taylor
2007-12-11 15:31:26 UTC
Post by Indunil Jayasooriya
@ DMZ ZONE I have 3 web servers. But I have only one real ip on my
firewall. Now, I want to forward port 80 to these 3 web servers.
How can I do it?
Like someone else suggested, run a reverse proxy on one system. You
could either run it on the firewall or a fourth system in the DMZ so
that you are not running it on the firewall. Use this reverse proxy to
intelligently redirect queries that come in to it to the correct back
end server.

In short, you are forwarding HTTP traffic to an application layer
gateway that is intelligent enough to pick the proper back end system to
handle the requests. For SMTP, you would use something like Sendmail
with Mailertable.

With regards to others' comments about the single IP and not being able
to communicate with the internal servers, you can use private IP
addresses in your DMZ without a problem so long as they are all hidden
from the world by your NATing router such that everyone would think that
all your services are coming off of your one single external IP. You
will need to pay attention to SMTP Hello names as well.

Also be aware that you are having a lot depend on connection tracking on
the NATing router, thus have a finite number of resources that are being
shared by multiple systems. If it is still in place you may want to
consider running stateless nat (IPRoute2) for your traffic coming in to
said systems so that that traffic will not exceed conntrack.



Grant. . . .
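The firewall side of what Grant describes, as an added example that is not from the thread: iptables PATs the single public IP's port 80 (and port 25) to one application-layer gateway each in the DMZ, and that gateway, not iptables, picks among the three real servers. Interface names, addresses and gateway hosts are constructed placeholders; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. All values are constructed placeholders:
# eth0 = internet, eth2 = DMZ, one public IP, and one application-layer
# gateway per service in the DMZ (a reverse proxy for HTTP, an MTA with
# transport maps for SMTP) that chooses the real backend behind it.
WAN_IF=eth0
DMZ_IF=eth2
PUBLIC_IP=203.0.113.10
HTTP_GW=10.0.2.10   # reverse proxy (squid/apache) in the DMZ
SMTP_GW=10.0.2.25   # postfix relay in the DMZ
# IPT=echo prints the rules instead of applying them (no root needed).
IPT="${IPT:-iptables}"

# forward_port PROTO PORT GATEWAY_IP
# PAT one public port to one DMZ host. iptables only sees addresses and
# ports here; replies are reverse-translated by conntrack, so every
# forwarded flow occupies a conntrack entry (the resource Grant warns about).
forward_port() {
    proto=$1; port=$2; gw=$3
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" \
        -p "$proto" --dport "$port" -j DNAT --to-destination "$gw:$port"
    # Admit exactly this flow into the DMZ; anything else hits the DROP policy.
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$gw" -p "$proto" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

dmz_policy() {
    # Default-deny forwarding: DMZ hosts may answer but not initiate, so a
    # compromised web server cannot open new connections outward by itself.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Full rule set: policy first, then one PAT entry per public service.
build_rules() {
    dmz_policy
    forward_port tcp 80 "$HTTP_GW"
    forward_port tcp 25 "$SMTP_GW"
}

if [ "${1:-}" = "--apply" ]; then build_rules; fi
```

Run as `IPT=echo sh pat.sh --apply` to review the generated rules before applying them for real.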
