Best way to forward traffic to internal web server...

Jarek...
Posted: Wed Nov 04, 2009 4:33 pm
Hi all!
I have a Linux router with a web server. This router has three public IPs
and three links to separate providers.
Now I want to set up an independent internal web server, so I'd like to
forward ports 80 and 443 to this machine.
I tried to do port forwarding with iptables and iproute, but I can't
find how to direct returning traffic by the same link as incoming.
I guess that it should be done somehow with conntrack, but I have no
idea how to do it.
best regards
J.

terryc...
Posted: Wed Nov 04, 2009 4:33 pm
On Wed, 04 Nov 2009 22:33:42 +0100, Jarek wrote:
Quote: Hi all!
I have a Linux router with a web server. This router has three public IPs
and three links to separate providers.
Now I want to set up an independent internal web server, so I'd like to
forward ports 80 and 443 to this machine.
I tried to do port forwarding with iptables and iproute, but I can't
find how to direct returning traffic by the same link as incoming.
I guess that it should be done somehow with conntrack, but I have no
idea how to do it.

Err, doesn't the router handle this automatically? AFAIUI, just because
you forward ports 80 & 443, the packet doesn't lose the origination
address and the web server will just send its reply to that address. Do
you just need to allow the webserver to send packets outside in iptables?

Pascal Hambourg...
Posted: Wed Nov 04, 2009 5:03 pm
Hello,
Jarek wrote:
Quote:
I have a Linux router with a web server. This router has three public IPs
and three links to separate providers.
Now I want to set up an independent internal web server, so I'd like to
forward ports 80 and 443 to this machine.
I tried to do port forwarding with iptables and iproute, but I can't
find how to direct returning traffic by the same link as incoming.

How did you do it when the web server was on the router? Can't you use the
same method?

Jarek...
Posted: Wed Nov 04, 2009 5:24 pm
Pascal Hambourg wrote:
Quote: Hello,
Jarek wrote:
I have a Linux router with a web server. This router has three public IPs
and three links to separate providers.
Now I want to set up an independent internal web server, so I'd like to
forward ports 80 and 443 to this machine.
I tried to do port forwarding with iptables and iproute, but I can't
find how to direct returning traffic by the same link as incoming.
How did you do it when the web server was on the router? Can't you use the
same method?

Now I have one Linux machine working as router and webserver. The router
connects the LAN to the internet via 3 independent links, with 3 public IPs.
Now I want to set up a DMZ with a dedicated webserver. It works if I'm
connecting from the internet to the IP on which the default gateway is (let's
say IP1), but if I'm connecting to IP2, packets are forwarded properly
to the webserver, but the responding packets are going via IP1.
Jarek

Pascal Hambourg...
Posted: Wed Nov 04, 2009 6:32 pm
Jarek wrote:
Quote: Pascal Hambourg wrote:
How did you do it when the web server was on the router? Can't you use the
same method?
Now I have one Linux machine working as router and webserver. The router
connects the LAN to the internet via 3 independent links, with 3 public IPs.

You already said that. It does not answer my question.

Ken Sims...
Posted: Thu Nov 05, 2009 12:28 am
Hi Jarek -
On Wed, 04 Nov 2009 23:24:44 +0100, Jarek <jarek at (no spam) nospam.pl> wrote:
Quote: Now I have one Linux machine working as router and webserver. The router
connects the LAN to the internet via 3 independent links, with 3 public IPs.
Now I want to set up a DMZ with a dedicated webserver. It works if I'm
connecting from the internet to the IP on which the default gateway is (let's
say IP1), but if I'm connecting to IP2, packets are forwarded properly
to the webserver, but the responding packets are going via IP1.

To handle multiple external IP addresses, where the request could have
come in through any of the interfaces, you need one local IP address
on the server for each external IP address. So in your case you need
three IP addresses on the server. They can all be on the same
physical interface.
You DNAT one-to-one between the external IP addresses on the router
and the internal IP addresses on the server.
You use advanced routing to route the outgoing packets based on which
IP address on the server they are coming from. You'll need a special
routing table to match up with each DNAT rule, then advanced routing
rules to point to the special tables.
To handle internal access, you use the advanced routing rules to route
internal traffic using the main routing table before the special rules
kick in.
--
Ken
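Ken's recipe written out as a router-side script is added here as an example; it is not code from the thread. The interface names, gateways, public IPs (RFC 5737 ranges) and the three internal server addresses 10.0.0.11-13 are constructed placeholders, and the numeric routing-table ids avoid editing /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Added example implementing Ken's recipe on the router. All addresses,
# interface names and gateways are constructed placeholders.
# With RUN unset the commands are only printed; RUN=1 executes them (as root).
LAN_NET=10.0.0.0/24
# one line per ISP link: table-id  external-iface  gateway  public-ip  server-ip
LINKS='1 eth1 203.0.113.1 203.0.113.10 10.0.0.11
2 eth2 198.51.100.1 198.51.100.10 10.0.0.12
3 eth3 192.0.2.1 192.0.2.10 10.0.0.13'

emit() { if [ -n "$RUN" ]; then "$@"; else echo "$*"; fi; }

# Router-side rules for one link: a dedicated routing table whose only
# route is that ISP's gateway, a policy rule keyed on the server's internal
# address, and the 1:1 DNAT from the public IP to that internal address.
link_rules() {
    tbl=$1 dev=$2 gw=$3 pub=$4 srv=$5
    emit ip route replace default via "$gw" dev "$dev" table "$tbl"
    # Replies still carry the untranslated internal source when the routing
    # decision is made (conntrack reverses the DNAT only in POSTROUTING),
    # which is why each public IP needs its own internal server IP.
    emit ip rule add from "$srv" lookup "$tbl" pref $((200 + tbl))
    emit iptables -t nat -A PREROUTING -d "$pub" -p tcp -m multiport \
        --dports 80,443 -j DNAT --to-destination "$srv"
    emit iptables -A FORWARD -d "$srv" -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Whole policy. The LAN rule has the lowest preference value, so internal
# traffic is routed by the main table before any per-link rule is consulted.
generate() {
    emit ip rule add to "$LAN_NET" lookup main pref 100
    emit iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    echo "$LINKS" | while read -r tbl dev gw pub srv; do
        link_rules "$tbl" "$dev" "$gw" "$pub" "$srv"
    done
}

generate
```

The per-link rule also catches connections the server itself opens from that internal address, so the usual outbound MASQUERADE/SNAT for the LAN (not shown) still has to be in place for those to leave with a public source.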