Subj : Re: HTTP SERVER ON FORWARDED MACHINE
To : comp.os.linux.networking,comp.os.linux,comp.os.linux.redhat,comp.os.linux.security,comp.os.linux.misc
From : John-Paul Stewart
Date : Tue Aug 24 2004 02:38 pm

JoeAley2003 wrote:
> John-Paul Stewart wrote in message news:...
>
>>JoeAley2003 wrote:
>>
>>>Hi all...
>>>
>>> I have a Red Hat Linux 9 machine connected to the Internet and one computer that
>>>receives Internet access forwarded from the Linux machine.
>>>
>>> What I need is to run a valid, Internet-reachable HTTP server on this
>>>forwarded computer, where I run Apache on port 80.
>>
>>Use these as a starting point:
>>
>>iptables -A FORWARD -s 0.0.0.0/0 -d $IP_INTERNET -p tcp \
>>    --destination-port 80 -j ACCEPT
>>
>>iptables -t nat -A PREROUTING -d $IP_INTERNET -j DNAT \
>>    --to-destination <local-ip-address>
>>
>>iptables -t nat -A POSTROUTING -o $IFACE_INTERNET \
>>    -s <local-ip-address> -j SNAT --to-source $IP_INTERNET
>>
>>Those will almost certainly need some modification to suit your
>>situation. They're based on my setup where externally visible machines
>>get 1-1 NATed, since I have more than one publicly visible IP address.
>>But the idea should get you started. Note that local-ip-address
>>refers to the address of the machine running Apache, *not* the local
>>address of the machine running iptables.
>
> Thank you for your reply, but those command lines don't work.
>
> Unfortunately, I did not understand the "0.0.0.0/0".

That's one way of saying "any Internet address". You type in literally
"0.0.0.0/0" and iptables interprets it as "anywhere".

> iptables accepts all these command lines but, when I request
> http://IP_INTERNET from an Internet machine, it doesn't work.

You do realize that you cannot just type in those exact commands and
expect it to work. You need to add the rules at the appropriate places
in the chains. For example, I'd make sure the two NAT rules are *first*
in their respective NAT chains, and the port 80 rule needs to go early
enough in its chain that it will actually take effect.

If you just type in the iptables commands, it will place these rules
last, and potentially after another (more general) rule which has
already denied the packet (thus rendering the new rule useless).

Looking back at the original post, I'd suggest putting the first rule I
gave you as the first one in the "(4) FORWARD chain rules" section of
your script, and the two new NAT rules before the existing rule in
"(6) POSTROUTING chain rules".

Getting the rules into the right place in a running firewall is easy
enough if you know what you're doing. If not, you can always resort to
editing the script and rebooting.
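The rule-ordering point made in the reply above, as an added example that is not code from the thread or from either poster: the same DNAT/SNAT arrangement, but each rule is inserted at the head of its chain with -I instead of appended with -A, so a more general rule earlier in the chain cannot drop the packet first. The addresses and interface name are constructed placeholders; by default the script only prints the commands (DRY_RUN=1), and DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example, not code from the original thread: the same 1-to-1 NAT
# arrangement, but with each rule inserted at the head of its chain (-I)
# instead of appended (-A), so that an earlier, more general rule cannot
# drop the packet before the new rule is reached.
# All addresses and interface names are constructed placeholders.

IP_INTERNET="${IP_INTERNET:-203.0.113.10}"   # public address on the router (constructed)
IFACE_INTERNET="${IFACE_INTERNET:-eth0}"     # router's Internet-facing interface (constructed)
LOCAL_IP="${LOCAL_IP:-192.168.1.20}"         # the host running Apache, NOT the router (constructed)

# Dry run by default: print each command instead of executing it.
# Run with DRY_RUN=0 as root to apply the rules.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

build_rules() {
    # Forwarding must be on, or the FORWARD chain never sees the packets.
    run sysctl -w net.ipv4.ip_forward=1

    # Rewrite the destination of inbound port-80 traffic before routing.
    # Matching -p tcp --dport 80 keeps the DNAT narrow: only the web port is exposed.
    run iptables -t nat -I PREROUTING 1 -i "$IFACE_INTERNET" -d "$IP_INTERNET" \
        -p tcp --dport 80 -j DNAT --to-destination "$LOCAL_IP"

    # FORWARD runs after PREROUTING, so the packet's destination is already
    # LOCAL_IP here. Position 1 for inbound, 2 for replies, keeping that order.
    run iptables -I FORWARD 1 -i "$IFACE_INTERNET" -d "$LOCAL_IP" \
        -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -I FORWARD 2 -o "$IFACE_INTERNET" -s "$LOCAL_IP" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Source NAT for the web host's own outbound connections (1-to-1 mapping).
    # Replies to the DNATed connections are un-NATed by conntrack automatically.
    run iptables -t nat -I POSTROUTING 1 -o "$IFACE_INTERNET" -s "$LOCAL_IP" \
        -j SNAT --to-source "$IP_INTERNET"
}

show_order() {
    # Check where the rules actually landed: line numbers reveal the ordering.
    run iptables -t nat -L PREROUTING -n --line-numbers
    run iptables -L FORWARD -n --line-numbers
    run iptables -t nat -L POSTROUTING -n --line-numbers
}

build_rules
show_order
```

Two things differ from the rules quoted above, on purpose. The FORWARD rule matches on the web host's address rather than $IP_INTERNET, because DNAT in PREROUTING has already rewritten the destination by the time the packet reaches FORWARD, so a FORWARD rule keyed on the public address would never match. And the DNAT is restricted to tcp/80, so only the web port is mapped to the inside host rather than every protocol and port. The show_order output is the check: if a rule is not at line 1 of its chain, something ahead of it may be deciding the packet's fate.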