
Re: IP masquerading rules



Hi Jeremy,

You have to do some port forwarding on the Linux router.  Look for ipportfw
on your Debian box.  If not, search it out on the net and install it.

Look in the man pages and set up a rule that forwards things coming in
on port 80 to the internal webserver.

As far as ssh is concerned, if you want to connect to both the router and the
internal web server, you will have to forward another port on the router
to the ssh port on the internal webserver.

Basically you redirect from, let's say, port 1717 on the router to port 22 on
the internal webserver.  Then when you connect to port 22 from the outside you
will connect to the router, and when you connect to port 1717 you will be
redirected to ssh on the internal webserver.

Hope this all helps and does not confuse the issue.

Larry

At 11:57 PM 3/24/00 -0800, Jeremy C. Reed wrote:
>I am trying to set up a webserver that has only an internal (non-world) IP
>of 10.2.1.235.
>
>The router is a Debian 2.1 (with Linux 2.0.36 kernel) box. The Linux
>router has:
>  route add -net 10.2.1.0 netmask 255.255.255.0 eth1:0
>  ifconfig eth1:0 10.2.1.1 netmask 255.255.255.0 up
>(10.2.1.1 is the default gateway for the webserver.)
>
>My workstation (which has a regular world-routeable IP) can ping
>to the webserver through the Linux router. Plus it can browse webpages
>served from the 10.2.1.235 webserver.
>
>Also, from the workstation I can ssh into the webserver, but it takes over
>a minute to complete, because the webserver has no access to any dns
>server.  (It has no internet access.) 
>
>When I do a:
>  ipfwadm -F -a m -S 10.2.1.0/24 -D 0.0.0.0/0
>on the Linux router, the webserver has access to the world. But then I can
>no longer ssh to it from my workstation. I can also no longer get
>webpages from it. I CAN still ping it. 
>
>I guess this happens because now all packets coming from the 10.2.1.235
>webserver are masqueraded as the Linux router's IP. I am not sure why the
>ping packets from the webserver get back to me, but the ssh/http responses
>never get back. (A new sshd never starts up.)
>
>(Also, when I assign an additional regularly routed IP on the interface
>on the webserver, I can access it via ssh, http, ping and it can access
>the world fine. Even though I connect to it every time using the same
>10.2.1.235 address, plus everything else is still the same. I do not even
>use this new IP. This does not make sense to me!) 
>
>1) How can I set it up so any of my internal machines which use the Linux
>router can happily communicate with the webserver? In other words, how can
>I set up some ipfwadm policy so that the router won't masquerade packets if
>it is communicating from within our lan? 
>
>2) How do I set it up so my router will route all (from the outside world)
>traffic to one of its IPs to the 10.2.1.235 internal IP? 
>
>If you have any specific URLs, I'd appreciate it. Thanks.
>
>  Jeremy C. Reed
>....................................................
>     BSD software, documentation, resources, news...
>     http://bsd.reedmedia.net
>


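The two forwards described in the reply above, written out as an added example that is not part of the original messages: a shell function that prints the `ipportfw` commands and refuses a forward that would take over a port the router serves itself, such as its own sshd on 22. It assumes the `ipportfw -A -t <router>/<port> -R <host>/<port>` syntax of the Linux 2.0 port-forwarding tool; `192.0.2.1` is a constructed placeholder for the router's external address.

```shell
#!/bin/sh
# Added example. ROUTER_IP is a placeholder (assumption); use the router's
# externally reachable address.
ROUTER_IP="192.0.2.1"
# Ports the router answers itself. Forwarding one of these would cut off
# access to the router (22 is the router's own sshd in the reply above).
ROUTER_LOCAL_PORTS="22"

# Forward table: <router port> <internal host> <internal port>
FORWARDS="80 10.2.1.235 80
1717 10.2.1.235 22"

# True only for an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print one ipportfw command per table row. Runs in a subshell, so a bad
# row aborts the whole listing with a non-zero status and nothing is applied.
portfw_rules() (
    seen=" "
    while read -r ext host int; do
        if [ -z "$ext" ]; then continue; fi
        if ! valid_port "$ext" || ! valid_port "$int"; then
            echo "bad port in row: $ext $host $int" >&2; exit 1
        fi
        for p in $ROUTER_LOCAL_PORTS; do
            if [ "$ext" = "$p" ]; then
                echo "port $ext is served by the router itself" >&2; exit 1
            fi
        done
        case "$seen" in
            *" $ext "*) echo "router port $ext forwarded twice" >&2; exit 1 ;;
        esac
        seen="$seen$ext "
        echo "ipportfw -A -t $ROUTER_IP/$ext -R $host/$int"
    done <<EOF
$1
EOF
)

# Dry run:  portfw_rules "$FORWARDS"
# Apply on the router after reviewing the output:  portfw_rules "$FORWARDS" | sh
```

Port 1717 on the router then exposes the internal webserver's sshd to the outside in the same way port 22 exposes the router's, so it needs the same access restrictions and monitoring.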