multiple webservers behind iptables

Hudson Delbert J Contr 61 CS/SCBN Delbert.Hudson at LOSANGELES.AF.MIL
Thu Feb 10 00:10:38 CET 2005 

raul,

edu.ar doesn't resolve so none of the rest of the fqdn will either.

the domain doesnt even resolve...whois from internic.net reports
that the edu.ar subdomain doesn exist or is lame.
Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for domain "EDU.AR".

>>> Last update of whois database: Wed, 9 Feb 2005 07:51:57 EST <<<

-----Original Message-----
From: netfilter-bounces at lists.netfilter.org
[mailto:netfilter-bounces at lists.netfilter.org]On Behalf Of Jason
Opperisano
Sent: Wednesday, February 09, 2005 2:45 PM
To: netfilter at lists.netfilter.org
Subject: Re: multiple webservers behind iptables


On Wed, 2005-02-09 at 13:24, Raul I. Becette wrote:
> Hello list
> 
> This is my first post.
> I am in charge of a LAN connected to internet through a firewall box 
> PIII 500MHz with iptables 1.2.10.
> 
> There are different internal webservers that I don't adminnister and are 
> located physically in different parts of the building.
> There is an internal DNS server which I administer to resolve internal 
> www queries.
> 
> My problem is that from the outside I cannot access those webservers 
> when I type www.xxx.unp.edu.ar (xxx being the name of the server).
> My net schema is the following

um--not to be silly, but does www.xxx.unp.edu.ar resolve to an IP
address externally?

>                                      INTERNET
> Mail Relay            Main Web Server             Router
> 
> 
> -------------------------Firewall--------------------------------
> 
> 
> POP Server         Proxy         Webserver1      Webserver2
>                                          LAN
> 
> My question is how can I use iptables rules to be able to access those 
> servers from the outside.

depends on whether you need to use NAT to make the servers accessible
from the Internet (i will assume you do not).  for each webserver IP,
add a rule like:

  iptables -A FORWARD -i $EXT_IF -p tcp --syn -d $WEB_SRV_IP \
    --dport 80 -j ACCEPT

this assumes that somewhere above this rule you have:

  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

-j

--
"Me fail English? That's unpossible."
	--The Simpsons

More information about the netfilter mailing list