Hi, I'm sure this has worked for me in the past, but this time NAT doesn't work; I can't see what's wrong. Any ideas?
The NAT firewall server is running CentOS 4.6 (Red Hat clone). SELinux is off. The 169.254 IP is for test purposes only. It was based on the following URL: http://www.cyberciti.biz/faq/linux-demilitarized-zone-howto/

My test script is as follows:

#!/bin/bash
# Enable IP forwarding between eth0 and eth1
echo "1" > /proc/sys/net/ipv4/ip_forward
# echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# net.ipv4.ip_forward=1
# net.ipv4.conf.all.rp_filter=1
# net.ipv4.icmp_echo_ignore_broadcasts=1

IPTABLES="/sbin/iptables"
EXT_IP1="169.254.5.205"    # external (test) address on eth0
INT_IP1="10.11.5.54"       # hidden internal server on eth1
EXTIF="eth0"
INTIF="eth1"

# iptables --flush                    # Flush all the rules in filter and nat tables
# iptables --table nat --flush
# iptables --delete-chain             # Delete all chains that are not in default filter and nat table
# iptables --table nat --delete-chain

# Allow new connections to ports 80 and 443 on the firewall host itself
$IPTABLES -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
$IPTABLES -I INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# Outside eth0 forward to int eth1 (currently commented out);
# only reply traffic eth1 -> eth0 is accepted in FORWARD
##$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Route incoming HTTP (port 80): rewrite the destination to the internal server,
# and SNAT packets leaving eth1 whose source is the internal server
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXT_IP1 --dport 80 -j DNAT --to-destination $INT_IP1
$IPTABLES -t nat -A POSTROUTING -p tcp -o $INTIF -s $INT_IP1 -j SNAT --to-source $EXT_IP1

# Route incoming HTTPS (port 443), same pattern
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXT_IP1 --dport 443 -j DNAT --to-destination $INT_IP1
$IPTABLES -t nat -A POSTROUTING -p tcp -o $INTIF -s $INT_IP1 --dport 443 -j SNAT --to-source $EXT_IP1

# Show the resulting nat table
$IPTABLES -t nat -L

########################
#      script end      #
########################

At the end of the day I am trying to proxy a hidden server to the web without showing its real network info.
I tried Squid as a reverse proxy, but found I could only get port 80 to proxy. I wanted ports 21 and 443 to proxy as well, but they wouldn't work. The SSL (443) cert is based on the domain name only, so the IP doesn't affect it as long as the domain name resolves to the external IP.
Network diagram attached.

Regards,
Sam

Attachment: LaCLUGnatQ.gif (GIF image)
-- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
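The following is an added example, not code from the post above or from the cyberciti.biz how-to it cites. It generates a complete iptables-restore ruleset for the setup Sam describes: a two-interface NAT box (eth0 outside, eth1 inside) publishing a hidden server on ports 80 and 443. The interface names, addresses and ports are the ones from the post; the function names, the SSH-from-inside INPUT rule, and the optional NAT_INT_IP variable (the NAT box's own eth1 address, assumed to be 10.11.5.1 in the usage note) are my assumptions. Two points differ from the posted script and are worth checking on the box: DNAT'd packets traverse FORWARD, not INPUT, so the ext-to-int FORWARD rule that the post has commented out is the one that has to accept the NEW connections (matched on the post-DNAT destination, since nat PREROUTING runs before filter FORWARD); and the posted POSTROUTING SNAT rules match packets leaving eth1 with source 10.11.5.54, which forwarded client packets never have, so they do nothing either way.

```shell
#!/bin/sh
# Added example (not from the original post): iptables-restore ruleset that
# publishes a hidden internal host through a two-interface NAT box.
# Assumptions: function names, the SSH-from-inside INPUT rule, and the
# optional NAT_INT_IP variable are mine; addresses/ports are from the post.
#
# For a DNAT'd connection to work, three things must line up:
#   1. nat/PREROUTING rewrites the destination (DNAT);
#   2. filter/FORWARD accepts the NEW connection ext->int, matched on the
#      *post-DNAT* destination, plus ESTABLISHED,RELATED replies int->ext;
#   3. the internal host routes its replies back via the NAT box.  If its
#      default gateway is elsewhere, set NAT_INT_IP to also SNAT toward it.
# DNAT'd packets never hit INPUT, so opening 80/443 in INPUT does nothing
# for them.

# gen_dnat_rules EXTIF INTIF EXT_IP INT_IP PORT...
# Prints the nat and filter tables in iptables-restore format.
gen_dnat_rules() {
    extif=$1; intif=$2; ext_ip=$3; int_ip=$4
    shift 4
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for p in "$@"; do
        printf '%s\n' "-A PREROUTING -i $extif -p tcp -d $ext_ip --dport $p -j DNAT --to-destination $int_ip:$p"
    done
    # Hairpin SNAT only when the internal host does not route back via us.
    # Cost: the internal host then logs NAT_INT_IP instead of the real client.
    if [ -n "${NAT_INT_IP:-}" ]; then
        for p in "$@"; do
            printf '%s\n' "-A POSTROUTING -o $intif -p tcp -d $int_ip --dport $p -j SNAT --to-source $NAT_INT_IP"
        done
    fi
    # Outbound LAN traffic gets the public address.  Replies to DNAT'd
    # connections are un-NATed by conntrack and need no rule here.
    printf '%s\n' "-A POSTROUTING -o $extif -j SNAT --to-source $ext_ip" 'COMMIT'

    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # INPUT: only what the NAT box itself needs (assumed: SSH from inside).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT -i $intif -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # FORWARD: replies both ways, NEW connections only to the published ports
    # on the internal host, and anything originating from inside.
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in "$@"; do
        printf '%s\n' "-A FORWARD -i $extif -o $intif -p tcp -d $int_ip --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' "-A FORWARD -i $intif -o $extif -m state --state NEW -j ACCEPT" 'COMMIT'
}

# Forwarding must be enabled or no FORWARD rule ever sees a packet.
check_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Atomically load the ruleset (run as root on the NAT box; replaces the
# whole nat and filter tables, including any distribution default rules).
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_dnat_rules eth0 eth1 169.254.5.205 10.11.5.54 80 443 | iptables-restore
}

# Running this file directly only prints the ruleset for review.
gen_dnat_rules eth0 eth1 169.254.5.205 10.11.5.54 80 443
```

To verify after `apply_rules`, watch the counters rather than just listing the nat table: `iptables -t nat -L PREROUTING -n -v` shows whether the DNAT rule matched, and `iptables -L FORWARD -n -v` shows whether the forwarded packets were accepted or fell through to the DROP policy. If the DNAT counter increments but the internal server never answers, run `tcpdump -ni eth1 host 10.11.5.54 and port 80` on the NAT box: SYNs leaving eth1 with no SYN-ACK coming back means the internal host is replying via another gateway, which is the case for `NAT_INT_IP=10.11.5.1 apply_rules` (substitute the box's real eth1 address).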