Re-Direct Access from one server to another
Posted: Sat Aug 25, 2007 9:59 pm
by jeffery
I don't know how to explain what I am after, so I have made an illustration of what I am trying to do. Please look here:
Any help appreciated.
Posted: Sun Aug 26, 2007 4:52 am
by volka
A reverse proxy might solve your problem.
Posted: Sun Aug 26, 2007 6:36 am
by VladSun
It is called port forwarding. Make a google search on it.
And there is the solution:
0. Suppose we have these:
Server 1 NIC connected to Internet: eth0
Server 1 NIC connected to LAN: eth1
Server 1 public IP (on eth0): 1.1.1.1
Server 1 private IP (on eth1): 2.2.2.1
Server 1 WWW port to forward: 8080
Server 2 private IP : 2.2.2.2
Server 2 WWW port: 80
1. Then we execute
On Server 1:
Code:
iptables -t nat -I PREROUTING -i eth0 -p tcp -d 1.1.1.1 --dport 8080 -j DNAT --to-destination 2.2.2.2:80
iptables -I FORWARD -p tcp -s 2.2.2.2 --sport 80 -j ACCEPT
iptables -I FORWARD -p tcp -d 2.2.2.2 --dport 80 -j ACCEPT
On Server 2:
Code:
/sbin/route add default gw 2.2.2.1 metric 1
PS: You don't need to install any proxies for a simple task like this. It is Linux

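An added example, not VladSun's own commands: the Server 1 setup from step 0 and 1 above as a dry-run shell script. It enables IP forwarding, keeps `-p tcp` ahead of the port matches (the port options belong to the tcp match module), and passes replies by connection tracking instead of accepting anything that merely claims source port 80; the small checker at the end flags a port match that has no protocol. Interface names and addresses are the ones assumed in step 0; the conntrack match module is assumed to be available.

```sh
#!/bin/sh
# Dry run by default: run with IPT=iptables SYSCTL=sysctl (as root) to apply.
IPT=${IPT:-"echo iptables"}
SYSCTL=${SYSCTL:-"echo sysctl"}

# Forward TCP $2:$3 arriving on interface $1 to $4:$5 (Server 1 in step 0).
port_forward() {
  wan_if=$1; pub_ip=$2; pub_port=$3; dst_ip=$4; dst_port=$5
  # Server 1 must route between eth0 and eth1; the kernel default is off.
  $SYSCTL -w net.ipv4.ip_forward=1
  # Rewrite the destination before routing. "-p tcp" must precede
  # "--dport": the port matches are options of the tcp match module.
  $IPT -t nat -A PREROUTING -i "$wan_if" -p tcp -d "$pub_ip" --dport "$pub_port" \
    -j DNAT --to-destination "$dst_ip:$dst_port"
  # Only new connections that entered on the WAN side may reach the web port.
  $IPT -A FORWARD -i "$wan_if" -p tcp -d "$dst_ip" --dport "$dst_port" \
    -m conntrack --ctstate NEW -j ACCEPT
  # Replies ride on the tracked connection. This replaces a rule accepting
  # anything from $dst_ip with source port 80, a value any host can choose.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Lint one rule string: a --dport/--sport match without "-p" is what
# iptables rejects with "Unknown arg `--dport'". Returns 0 when acceptable.
# Only the short "-p" form used in this thread is recognised.
rule_has_proto() {
  case " $1 " in
    *" --dport "*|*" --sport "*)
      case " $1 " in *" -p "*) return 0 ;; *) return 1 ;; esac ;;
    *) return 0 ;;
  esac
}

port_forward eth0 1.1.1.1 8080 2.2.2.2 80
```

Server 2 still needs the default route back through Server 1 as shown above, otherwise its replies never reach the forwarding host.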
Posted: Sun Aug 26, 2007 3:43 pm
by VladSun
Also, there are two major reasons for using iptables instead of a proxy:
1. There is no need to jump to OSI Layer 7 - no functionality, just complexity is added. That means there would be more resources used without any advantages achieved.
2. Using proxy would add another layer of insecurity - new exploits, DoS etc. At the same time, iptables is a must for every well configured Linux server - it is its firewall.
Posted: Sun Aug 26, 2007 6:09 pm
by jeffery
Thanks Volka for your reverse proxy suggestion. I will keep that in mind. I am leaning towards VladSun's iptables setup.
So to get this iptables setup working, I believe Server 1 needs two NIC's ?
Posted: Sun Aug 26, 2007 6:13 pm
by VladSun
I think it doesn't need 2 NICs, but I have never tried it. Still, I am almost sure it will work with 1 NIC without any modifications.
What is your network topology - connections between LAN, Internet, switches, servers? How do you connect to Internet - by using PPP or not?
PS: I would recommend to have 2 NICs on Server1, thus improving your network security. This way you'll have your Server2 placed in DMZ and it will not be connected directly to public networks like Internet.
Posted: Sun Aug 26, 2007 8:40 pm
by jeffery
I have managed to add an additional ip-address for Server 1 using an alias of "stage" and here is the ifconfig output:
Code:
fernandez:~ # ifconfig
eth0 Link encap:Ethernet HWaddr 00:14:85:06:FA:14
inet addr:10.0.1.49 Bcast:10.0.1.255 Mask:255.255.255.0
inet6 addr: fe80::214:85ff:fe06:fa14/64 Scope:Link
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4679515 errors:0 dropped:0 overruns:0 frame:0
TX packets:2869820 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1041429383 (993.1 Mb) TX bytes:238193207 (227.1 Mb)
Interrupt:177 Base address:0xc000
eth0:stag Link encap:Ethernet HWaddr 00:14:85:06:FA:14
inet addr:10.0.1.50 Bcast:10.0.1.255 Mask:255.255.255.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:177 Base address:0xc000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14009 errors:0 dropped:0 overruns:0 frame:0
TX packets:14009 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:20708692 (19.7 Mb) TX bytes:20708692 (19.7 Mb)
So I still have one NIC but two ip-addresses now.
whereas the Server 2 ifconfig is:
Code:
Basilisk-Lizard:~ # ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:A2:90:63
inet addr:10.0.1.101 Bcast:10.0.1.255 Mask:255.255.255.0
inet6 addr: fe80::216:3eff:fea2:9063/64 Scope:Link
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:391276 errors:0 dropped:0 overruns:0 frame:0
TX packets:13091 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:54623375 (52.0 Mb) TX bytes:2943558 (2.8 Mb)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)
does that mean all I have to do is execute on Server 1:
Code:
iptables -t nat -I PREROUTING -i eth0 -p tcp -d 10.0.1.49 --dport 8080 -j DNAT --to-destination 10.0.1.101:80
iptables -I FORWARD -s 10.0.1.101 --sport 80 -j ACCEPT
iptables -I FORWARD -d 10.0.1.101 --dport 80 -j ACCEPT
and then execute on Server 2:
Code:
/sbin/route add default gw 10.0.1.50 metric 1
Would you be kind in explaining to me what each of those commands perform. Thanks
Posted: Mon Aug 27, 2007 4:17 am
by VladSun
jeffery wrote:
does that mean all I have to do is execute on Server 1:
Code:
iptables -t nat -I PREROUTING -i eth0 -p tcp -d 10.0.1.49 --dport 8080 -j DNAT --to-destination 10.0.1.101:80
iptables -I FORWARD -s 10.0.1.101 --sport 80 -j ACCEPT
iptables -I FORWARD -d 10.0.1.101 --dport 80 -j ACCEPT
and then execute on Server 2:
Code:
/sbin/route add default gw 10.0.1.50 metric 1
Would you be kind in explaining to me what each of those commands perform. Thanks
Yes, I think so. But I would strongly suggest not to mess up with your ISP subnets, but to choose other for your private network - e.g. 192.168.12.0/24. Use 2 IPs of this network for eth0:stag and Server2.
The first iptables rule makes the real port-forwarding - it is pretty self-explainable. If Server2 had a connection to Internet, it would be the only command to execute. Thus, the next 2 iptables rules simply permit Internet access to port 80 (it is overwritten to 8080 at Server1) on Server2.
The route command tells Server2 where to send packets which are not local (and packets with public IPs, i.e. Internet, are not local).
Posted: Mon Aug 27, 2007 4:24 am
by Kieran Huggins
I'd get a WRT54GL router and use port forwarding. Sounds like the safest bet to me..
If you do get the WRT54GL (that exact model name is important!!!) you can use custom firmwares from http://wrtrouters.com for added performance and stability. I use Thibor's HyperWRT personally. It's a great setup!
Posted: Mon Aug 27, 2007 5:25 am
by VladSun
It's a three-lines-of-code solution - why spend money on something else? Server 1 is already online and running
And additionally to the above reason #2 "properties", we would have yet another - another point of failure

Posted: Mon Aug 27, 2007 5:31 am
by VladSun
Hm, WRT54GL has 16MB RAM ... - port-forwarding requires connection tracking. And connection tracking requires memory
Indeed it doesn't require much memory, but still it might be vulnerable to DoS attacks.
Posted: Mon Aug 27, 2007 5:42 am
by VladSun
By the way, jeffery, you have a private IP address assigned by your ISP. So, you don't have a public IP. This means that you are behind a NAT router and most probably you can't have any kind of Internet service accessible from outside (i.e. Internet).
Is this the case or you gave us fake IPs?
Posted: Mon Aug 27, 2007 5:55 am
by jeffery
VladSun wrote:By the way, jeffery, you have private IP address assigned by your ISP. So, you don't have a public IP. This mean that you are behind a NAT router and most probably you can't have any kind of Internet service accessible from outside (i.e. Internet).
Is this the case or you gave us fake IPs?
Hi VladSun,
Ok this is the setup of the machines at my work. We are connected to our ISP with our router and only certain machines with specific mac-addresses are publicly accessible to the outside world. One of them is Server 1. Server 2 is a Virtual Machine which does not have access from the outside world. I am not the sys-admin who has setup all this so I wouldn't have the answers to all you have asked, but I will try to find them.
VladSun wrote:is this the case or you gave us fake IPs?
These are in fact private IPs, but as I said above the public IP is associated depending on the mac-address of the machine connected to the network. I don't know how this is done as I am not the main person who set it up.
Posted: Mon Aug 27, 2007 7:17 am
by VladSun
Then there are two options for configuring your office router:
1. You'll need to setup port-forwarding for port 8080 (e.g.) to Server 1 and continue with the setup I've suggested.
or preferable:
2. Enable port forwarding for port 8080 directly to Server 2 and let the Apache listen to this port.
Posted: Mon Aug 27, 2007 5:59 pm
by jeffery
VladSun,
I can't get the following two commands working:
Code:
iptables -I FORWARD -s 2.2.2.2 --sport 80 -j ACCEPT
iptables -I FORWARD -d 2.2.2.2 --dport 80 -j ACCEPT
It bails out with "Unknown arg `--dport'" and iptables -h doesn't show that being one of the options