Web servers behind nat

Arnoud Buurman a.buurman@wxs.nl
Wed, 10 Oct 2001 08:59:18 +0200


oh, having second thoughts, in case of dmz you can leave out the second
rule. This rule is only there to ensure the packet is traversing the
firewall on its way back, which in case of a dmz is done automatically.


Arnoud

> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org]On Behalf Of Visitor
> Sent: Tuesday, October 09, 2001 6:56 PM
> To: netfilter@lists.samba.org
> Subject: Re: Web servers behind nat
>
>
> I have this situation and my web server is visible from the Internet.
> The problem is that internal users can not see the web server using the
> real internet ip address. How do I fix this?
>
> Thanks,
>
> Visitor
> visitor@thisbox.com
>
>
> Phil Barbier wrote:
>
> >OK - this is perfectly possible here...
> >
> >What you need to do is give your existing card that has the real IP some
> >more IPs, this is achieved by typing the following
> >
> >ifconfig <card>:1 <new IP>
> >
> >eg,
> >
> >ifconfig eth0:1 192.168.1.1
> >ifconfig eth0:2 192.168.1.2
> >
> >etc. etc.
> >
> >You can Source NAT it for outbound traffic, you will also need to
> >Destination NAT (DNAT) it as well.
> >
> >Say, your real IP is 1.1.1.1 and your other real IP (for your web server) is
> >1.1.1.2 and your internal IP for your NAT box is 10.0.0.1 and your internal
> >IP for your webserver is 10.0.0.2 you will need the following for web
> >service to work.
> >
> >iptables -t nat -I PREROUTING 1 -p tcp -j DNAT -s 0.0.0.0/0 --dport 80 -d 1.1.1.2 --to 10.0.0.2
> >
> >with the eth card of the real IPs already holding both 1.1.1.1 and 1.1.1.2
> >
> >Hope this is helpful,
> >
> >Regards,
> >
> >Phil Barbier.
> >
> >--
> >Phil Barbier
> >Registered Linux User #227794
> >Direct Line + 44 (0) 1782 384652
> >Web Developer
> >Online-Bills Ltd
> >http://www.online-bills.com/
> >mailto:p.barbier@online-bills.com?subject=from_email
> >
> >
>
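
The return-path problem discussed in this thread, as an added example that is not part of the original messages: an address-level model of why an internal client fails to reach the web server through its public IP with DNAT alone, and why the extra rule is unnecessary for a DMZ. It assumes the "second rule" is a source-NAT rule for internal clients (the rule itself is not shown in this message); the client address 10.0.0.5 and the DMZ address 192.168.1.2 are constructed.

```python
"""Address-level model of an internal client reaching the web server via its
public IP. Added illustration; it does not touch a real netfilter stack."""
from ipaddress import ip_address, ip_network

PUBLIC_WEB = "1.1.1.2"   # public address of the web server (from the thread)
FW_INSIDE = "10.0.0.1"   # NAT box, internal address (from the thread)


def hairpin(client, server, client_net, snat):
    """Return (connection_works, source address the client sees on the reply)."""
    # 1. Client sends client -> PUBLIC_WEB; the firewall's PREROUTING DNAT
    #    rewrites the destination to the real server.
    src, dst = client, server
    # 2. Assumed "second rule": POSTROUTING source NAT to the firewall's own
    #    internal address for this redirected traffic.
    if snat:
        src = FW_INSIDE
    # 3. The server answers whatever source address it saw.
    reply_src, reply_dst = dst, src
    # 4. The reply reaches the firewall if it is addressed to it, or if the
    #    server sits on another segment (DMZ) and must route through it.
    same_segment = ip_address(server) in ip_network(client_net)
    if reply_dst == FW_INSIDE or not same_segment:
        reply_src = PUBLIC_WEB   # connection tracking undoes the NAT
    # 5. The client only accepts a reply from the address it connected to.
    return reply_src == PUBLIC_WEB, reply_src


CASES = [  # client 10.0.0.5 and DMZ server 192.168.1.2 are constructed values
    ("same LAN, DNAT only", "10.0.0.5", "10.0.0.2", "10.0.0.0/24", False),
    ("same LAN, DNAT + SNAT", "10.0.0.5", "10.0.0.2", "10.0.0.0/24", True),
    ("DMZ, DNAT only", "10.0.0.5", "192.168.1.2", "10.0.0.0/24", False),
]

if __name__ == "__main__":
    for name, client, server, net, snat in CASES:
        ok, seen = hairpin(client, server, net, snat)
        print(f"{name:22} reply from {seen:12} -> {'works' if ok else 'fails'}")
```

In the failing case the server answers the client directly from 10.0.0.2, so the client sees a reply from an address it never connected to.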