iptables: hide the real web server from users
Grant Taylor
gtaylor at riverviewtech.net
Wed Feb 14 18:59:29 CET 2007
Tim Perton wrote:
> Dear Grant,
> thank you very much for your quick reply.
You are welcome.
> I agree to the 3 conditions/caveats in your previous
> email. I have already tried an example on this.
> Let's say I want to connect to www.google.com
> (216.239.59.103) so System B is www.google.com
Ok.
> According to your example I issue the following
> commands (after stop/start iptables to be fresh):
>
> iptables -A INPUT -p tcp -m tcp --dport 1099 -j ACCEPT
What filtering do you have in place? If you do not have default
policies of ACCEPT, you will also need to add rules to your
filter:FORWARD chain to allow this traffic to pass through. I.e.
iptables -A FORWARD -i eth0 -o eth0 -d 216.239.59.103 -p tcp --dport 80
-j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -s 216.239.59.103 -p tcp --sport 80
-j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -d a.b.c.d -p
> tcp --dport 1099 -j DNAT --to-destination
> 216.239.59.103:80
>
> iptables -t nat -A POSTROUTING -o eth0 -d
> 216.239.59.103 -p tcp --dport 1099 -j SNAT --to-source
> a.b.c.d
These commands look ok to me.
> I am trying http://a.b.c.d:1099 or with telnet
> a.b.c.d 1099 (Trying a.b.c.d... telnet: Unable to
> connect to remote host: Connection refused)
I think you will have better luck playing with telnet to start with.
Keep in mind that just because you enter "http://a.b.c.d..." in your web
browser, you are doing more than connecting to that address. You are
also asking for a page off of the domain a.b.c.d. So for testing, I'd
stick with telnet, or set up a temporary hosts entry for the test domain.
Grant. . . .
More information about the netfilter
mailing list