Group: comp.os.linux.networking
From: Bubba
Date: Monday, March 17, 2008 1:53 PM
Subject: Re: Port forwarding question

Nicolas BOUTHORS's log on stardate 17 Mar 2008

> If you want to do it based on the URL, then you need to use Apache on
> the gateway with mod_rewrite. Something like this :
>
> RewriteEngine on
> RewriteRule /server1/(.*) http://10.1.2.3/$1 [proxy,qsappend,last]
> RewriteRule /server2/(.*) http://10.1.2.4/$1 [proxy,qsappend,last]
> RewriteRule /server3/(.*) http://10.1.2.5/$1 [proxy,qsappend,last]

I might try that one, thx.

> If you want to do it with iptables/netfilter then you could do
> something like this :
>
> iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 10.1.2.3:80
> iptables -t nat -A PREROUTING -p tcp --dport 8081 -j DNAT --to 10.1.2.4:80
> iptables -t nat -A PREROUTING -p tcp --dport 8082 -j DNAT --to 10.1.2.5:80

Here's my whole iptables:

#!/bin/sh
#Flush current rules
iptables=/sbin/iptables
$iptables -F
$iptables -t nat -F

#Setup default policies to handle unmatched traffic
$iptables -P INPUT ACCEPT
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD DROP

LAN="eth1"
WAN="ppp0"

#Then we lock our services so they only work from the LAN
$iptables -I INPUT 1 -i ${LAN} -j ACCEPT
$iptables -I INPUT 1 -i lo -j ACCEPT
# Negation goes before the option (! -i); the older "-i !" form is rejected by current iptables
$iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
$iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
$iptables -A INPUT -p UDP --dport 123 -i ${LAN} -j ACCEPT

#SSH access
$iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

#HTTP access
$iptables -A INPUT -p TCP --dport 80 -i ${WAN} -j ACCEPT

#Drop TCP / UDP packets to privileged ports
$iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
$iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

#NAT
$iptables -I FORWARD -i ${LAN} -d 192.168.1.0/255.255.255.0 -j DROP
$iptables -A FORWARD -i ${LAN} -s 192.168.1.0/255.255.255.0 -j ACCEPT
$iptables -A FORWARD -i ${WAN} -d 192.168.1.0/255.255.255.0 -j ACCEPT
$iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

#Port forward is OK!
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#Port forwarding
$iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.1.2

I already tried with port forwarding similar to yours, but failed. Any
idea why? I did something like this:

$iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.1.252

however, regardless of that, I still get the web server from the
gateway when I try to connect from the internet to my domain.


--
Everything will be okay
in the end.
If it's not okay
it's not the end!

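A worked port-forwarding fragment, added here as an example; it is not code from Bubba's script or from Nicolas's reply. It takes the interface names and the web server address from the post (WAN=ppp0, LAN 192.168.1.0/24, web server at 192.168.1.252) as assumptions, pairs each DNAT rule with a FORWARD rule scoped to that one host and port rather than a blanket WAN-to-LAN ACCEPT, and adds a counter check for the "DNAT rule is there but I still reach the gateway" situation. Setting IPT=echo makes it print the rules instead of applying them, so it can be read and tested without root.

```shell
#!/bin/sh
# Added example, not the poster's firewall script.
# Assumed names: WAN interface ppp0, LAN 192.168.1.0/24, web server 192.168.1.252.
# IPT=echo turns this into a dry run that prints each iptables command.
set -eu

IPT="${IPT:-/sbin/iptables}"
WAN="${WAN:-ppp0}"

# forward_tcp WAN_PORT LAN_IP [LAN_PORT]
# WAN_PORT may be a single port (80) or a range (6881:6889). Without LAN_PORT
# the original destination port is kept, as in the post's BitTorrent rule.
forward_tcp() {
    wan_port="$1"; lan_ip="$2"; lan_port="${3:-$1}"
    if [ $# -ge 3 ]; then dest="${lan_ip}:${3}"; else dest="$lan_ip"; fi
    # 1) Rewrite the destination of packets that arrive on the WAN interface.
    #    Matching on -i keeps LAN clients talking to the gateway unaffected.
    "$IPT" -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$wan_port" \
        -j DNAT --to-destination "$dest"
    # 2) Let only the rewritten flow through FORWARD (policy DROP): this is
    #    narrower than accepting everything from WAN to the whole LAN.
    "$IPT" -A FORWARD -i "$WAN" -p tcp -d "$lan_ip" --dport "$lan_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Print the nat PREROUTING chain with packet counters. A DNAT rule whose
# pkts column stays at 0 while you connect from outside is never matched:
# wrong interface, wrong port, or the test traffic is not entering via WAN.
verify_forward() {
    "$IPT" -t nat -L PREROUTING -n -v --line-numbers
}

# Apply only when explicitly requested, so sourcing the file is harmless.
apply_forwards() {
    forward_tcp 80 192.168.1.252          # public web server on the LAN host
    forward_tcp 6881:6889 192.168.1.2     # BitTorrent range, ports unchanged
    verify_forward
}

if [ "${PORTFWD_APPLY:-0}" = 1 ]; then
    apply_forwards
fi
```

One check worth making before suspecting the rules: a connection to the domain name from inside the LAN arrives on eth1, not ppp0, so it never matches `-i ppp0` and reaches the gateway's own web server; the PREROUTING counters from `verify_forward` show that directly. Run with `IPT=echo sh script.sh` to see the rule set, and `PORTFWD_APPLY=1 sh script.sh` as root to apply it.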