Re-Direct Access from one server to another

Whether you are using Linux on the desktop or as a server, it's still good that you're using Linux. Linux related questions go here.

jeffery
Forum Contributor
Posts: 105
Joined: Mon Apr 03, 2006 3:13 am
Location: Melbourne, Australia

Re-Direct Access from one server to another

Post by jeffery »

I don't know how to explain what I am after, so I have made an illustration of what I am trying to do. Please look here:
Image

Any help appreciated.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

A reverse proxy might solve your problem.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

It is called port forwarding. Do a Google search on it.

And there is the solution:

0. Suppose we have these:

Server 1 NIC connected to Internet: eth0
Server 1 NIC connected to LAN: eth1
Server 1 public IP (on eth0): 1.1.1.1
Server 1 private IP (on eth1): 2.2.2.1
Server 1 WWW port to forward: 8080

Server 2 private IP : 2.2.2.2
Server 2 WWW port: 80

1. Then we execute
On Server 1:

Code:

iptables -t nat -I PREROUTING -i eth0 -p tcp -d 1.1.1.1 --dport 8080 -j DNAT --to-destination 2.2.2.2:80
iptables -I FORWARD -p tcp -s 2.2.2.2 --sport 80 -j ACCEPT
iptables -I FORWARD -p tcp -d 2.2.2.2 --dport 80 -j ACCEPT

On Server 2:

Code:

/sbin/route add default gw 2.2.2.1 metric 1

PS: You don't need to install any proxies for a simple task like this. It is Linux ;)
Last edited by VladSun on Wed Aug 29, 2007 5:38 am, edited 1 time in total.
There are 10 types of people in this world, those who understand binary and those who don't

Post by VladSun »

Also, there are two major reasons for using iptables instead of a proxy:

1. There is no need to jump to OSI Layer 7 - no functionality, just complexity is added. That means there would be more resources used without any advantages achieved.

2. Using a proxy would add another layer of insecurity - new exploits, DoS etc. At the same time, iptables is a must for every well configured Linux server - it is its firewall.

Post by jeffery »

Thanks Volka for your reverse proxy suggestion. I will keep that in mind. I am leaning towards VladSun's iptables setup.

So to get this iptables setup working, I believe Server 1 needs two NICs?

Post by VladSun »

I think it doesn't need 2 NICs, but I have never tried it. Still, I am almost sure it will work with 1 NIC without any modifications.

What is your network topology - connections between LAN, Internet, switches, servers? How do you connect to Internet - by using PPP or not?

PS: I would recommend having 2 NICs on Server1, thus improving your network security. This way you'll have your Server2 placed in a DMZ and it will not be connected directly to public networks like the Internet.

Post by jeffery »

I have managed to add an additional IP address for Server 1 using an alias of "stage" and here is the ifconfig output:

Code:

fernandez:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:14:85:06:FA:14
          inet addr:10.0.1.49  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::214:85ff:fe06:fa14/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4679515 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2869820 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1041429383 (993.1 Mb)  TX bytes:238193207 (227.1 Mb)
          Interrupt:177 Base address:0xc000

eth0:stag Link encap:Ethernet  HWaddr 00:14:85:06:FA:14
          inet addr:10.0.1.50  Bcast:10.0.1.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:177 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14009 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14009 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20708692 (19.7 Mb)  TX bytes:20708692 (19.7 Mb)

So I still have one NIC but two IP addresses now.

whereas the Server 2 ifconfig is:

Code:

Basilisk-Lizard:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3E:A2:90:63
          inet addr:10.0.1.101  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fea2:9063/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:391276 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13091 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:54623375 (52.0 Mb)  TX bytes:2943558 (2.8 Mb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

Does that mean all I have to do is execute on Server 1:

Code:

iptables -t nat -I PREROUTING -i eth0 -p tcp -d 10.0.1.49 --dport 8080 -j DNAT --to-destination 10.0.1.101:80
iptables -I FORWARD -s 10.0.1.101 --sport 80 -j ACCEPT
iptables -I FORWARD -d 10.0.1.101 --dport 80 -j ACCEPT

and then execute on Server 2:

Code:

/sbin/route add default gw 10.0.1.50 metric 1

Would you be kind enough to explain to me what each of those commands performs? Thanks

Post by VladSun »

jeffery wrote: Does that mean all I have to do is execute on Server 1:

Code:

iptables -t nat -I PREROUTING -i eth0 -p tcp -d 10.0.1.49 --dport 8080 -j DNAT --to-destination 10.0.1.101:80
iptables -I FORWARD -s 10.0.1.101 --sport 80 -j ACCEPT
iptables -I FORWARD -d 10.0.1.101 --dport 80 -j ACCEPT

and then execute on Server 2:

Code:

/sbin/route add default gw 10.0.1.50 metric 1

Would you be kind enough to explain to me what each of those commands performs? Thanks

Yes, I think so. But I would strongly suggest not to mess with your ISP's subnets, but to choose another one for your private network - e.g. 192.168.12.0/24. Use 2 IPs of this network for eth0:stag and Server2.

The first iptables rule does the real port-forwarding - it is pretty self-explanatory. If Server2 had a connection to the Internet, it would be the only command to execute. Thus, the next 2 iptables rules simply permit Internet access to port 80 (it is rewritten to 8080 at Server1) on Server2.
The route command tells Server2 where to send packets which are not local (and packets with public IPs, i.e. Internet, are not local :) ).
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

I'd get a WRT54GL router and use port forwarding. Sounds like the safest bet to me.

If you do get the WRT54GL (that exact model name is important!!!) you can use custom firmwares from http://wrtrouters.com for added performance and stability. I use Thibor's HyperWRT personally. It's a great setup!

Post by VladSun »

It's a three-lines-of-code solution - why spend money on something else? Server 1 is already online and running :)

And in addition to the above reason #2 "properties", we would have yet another - another point of failure ;)

Post by VladSun »

Hm, WRT54GL has 16MB RAM ... - port-forwarding requires connection tracking. And connection tracking requires memory ;)
Indeed it doesn't require much memory, but still it might be vulnerable to DoS attacks.

Post by VladSun »

By the way, jeffery, you have a private IP address assigned by your ISP. So, you don't have a public IP. This means that you are behind a NAT router and most probably you can't have any kind of Internet service accessible from outside (i.e. the Internet).
Is this the case, or did you give us fake IPs?

Post by jeffery »

VladSun wrote: By the way, jeffery, you have a private IP address assigned by your ISP. So, you don't have a public IP. This means that you are behind a NAT router and most probably you can't have any kind of Internet service accessible from outside (i.e. the Internet).
Is this the case, or did you give us fake IPs?

Hi VladSun,

Ok, this is the setup of the machines at my work. We are connected to our ISP with our router and only certain machines with specific MAC addresses are publicly accessible to the outside world. One of them is Server 1. Server 2 is a virtual machine which does not have access from the outside world. I am not the sysadmin who has set up all this, so I wouldn't have the answers to everything you have asked, but I will try to find them.

VladSun wrote: Is this the case, or did you give us fake IPs?

These are in fact private IPs, but as I said above the public IP is associated depending on the MAC address of the machine connected to the network. I don't know how this is done as I am not the main person who set it up.

Post by VladSun »

Then there are two options for configuring your office router:
1. You'll need to set up port-forwarding for port 8080 (e.g.) to Server 1 and continue with the setup I've suggested.

or, preferably:

2. Enable port forwarding for port 8080 directly to Server 2 and let Apache listen on this port.

Post by jeffery »

VladSun,

I can't get the following two commands working:

Code:

iptables -I FORWARD -s 2.2.2.2 --sport 80 -j ACCEPT
iptables -I FORWARD -d 2.2.2.2 --dport 80 -j ACCEPT

It bails out with "Unknown arg `--dport'" and iptables -h doesn't show that as one of the options.
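VladSun's rule set, rebuilt as a small checker and generator for the Server 1 side; this is an added example, not code from the thread. It assumes the thread's sample values (eth0, 1.1.1.1:8080, 2.2.2.2:80), only prints the commands rather than running iptables, and flags rules where --dport/--sport appear without a preceding -p tcp/-p udp, which is what iptables reports as "Unknown arg `--dport'". It also adds the net.ipv4.ip_forward sysctl, which the thread's rule set leaves out.

```shell
#!/bin/sh
# Added example (not from the thread). --dport and --sport are options of the
# tcp/udp match extension, so they are only valid after "-p tcp" or "-p udp"
# on the same rule; iptables otherwise rejects them as an unknown argument.

# rule_ok RULE : return 0 if RULE's port options are preceded by -p tcp/udp.
rule_ok() {
    case "$1" in
        *--dport*|*--sport*)
            case "$1" in
                *--?port*' -p '*) return 1 ;;                 # -p after the port option
                *' -p tcp '*--?port*|*' -p udp '*--?port*) return 0 ;;
                *) return 1 ;;                                # no -p at all
            esac ;;
    esac
    return 0                                                  # no port options used
}

# emit RULE : print RULE only after it passes rule_ok; nothing is executed here.
emit() {
    rule_ok "$1" || { echo "rejected: $1" >&2; return 1; }
    printf '%s\n' "$1"
}

# forward_rules WAN_IF PUBLIC_IP PUBLIC_PORT TARGET_IP TARGET_PORT
# Prints the commands to run on Server 1, one per line (assumed topology:
# Server 1 faces the Internet on WAN_IF, Server 2 sits behind it).
forward_rules() {
    wan_if=$1 pub_ip=$2 pub_port=$3 dst_ip=$4 dst_port=$5
    # Without IP forwarding the kernel drops the DNAT'd packets before they
    # ever reach the FORWARD chain; the thread's rule set omits this step.
    emit "sysctl -w net.ipv4.ip_forward=1" || return 1
    # Rewrite the destination of inbound traffic for PUBLIC_IP:PUBLIC_PORT.
    emit "iptables -t nat -I PREROUTING -i $wan_if -p tcp -d $pub_ip --dport $pub_port -j DNAT --to-destination $dst_ip:$dst_port" || return 1
    # The thread's two FORWARD rules, with the -p tcp that --sport/--dport need.
    emit "iptables -I FORWARD -p tcp -s $dst_ip --sport $dst_port -j ACCEPT" || return 1
    emit "iptables -I FORWARD -p tcp -d $dst_ip --dport $dst_port -j ACCEPT" || return 1
}

# Stand-alone run: print the rules for the thread's example topology.
forward_rules eth0 1.1.1.1 8080 2.2.2.2 80
```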