Thanks again. For whatever reason, I simply can't get this to work. I tried your two rdr rules, reloaded them into ipnat, but I am still unable to connect to the webserver from my client. For clarity's sake, let me draw a picture of my setup:

    |------------|             |------------|
    |            |             | Solaris 10 |
    |   Client   |------------>|  ipfilter  |
    |            |             |  webserver |
    |------------|             |------------|

There are no machines "behind" my server. All that I am looking to do is prevent the client from having to type http://serveraddr:8080. I would like ipfilter (or ipnat) on the server to redirect all requests on port 80 to port 8080, so the client only needs to navigate to http://serveraddr. Having the webserver listen on another port is not an option. Can ipfilter accomplish this, and if not, is there anything that will?

Thanks,

Brad Mann
Software Engineer - Information Access Services
HARRIS Corporation / GCSD
(321) 984-6292

-----Original Message-----
From: Peter Bickel [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 08, 2006 5:23 AM
To: Mann, Bradley
Cc: [email protected]
Subject: Re: Easy port forwarding question

Hi Brad

I have a single machine with Solaris 9 4/04, IPFilter 3.4.35, Apache 1.3.xx and Tomcat 4.xx, running Apache on ports 10080 and 10443 and doing the redirect from ports 80 and 443. I use two IP addresses on ce0 so I can run two web sites on the same host, but that makes no difference to your problem.

Here is my complete ipnat.conf:

    #!/sbin/ipnat -f -
    #
    # THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.4.35
    #
    # ce0 - network interface, address a.b.c.d/32
    #
    #
    # ftp proxy is needed, so that we can use the ftp client
    # even if we don't use NAT
    #
    # > map ce0 0/0 -> 0/32 proxy port 21 ftp/tcp
    #
    # rsh proxy is needed, so that we can SysDREC to outback
    # even if we don't use NAT
    #
    map ce0 0/0 -> 0/32 proxy port 514 rcmd/tcp
    #
    #
    #
    rdr ce0 0.0.0.0/0 port 80 -> 0.0.0.0 port 10080
    rdr ce0 0.0.0.0/0 port 443 -> 0.0.0.0 port 10443

Here are the important parts of my ipf.conf:

    #
    # IPfilter configuration for www.xxxxxxxxx.ch
    # IPfilter version: 3.4.35
    # Hardware: V440 two CPU Ultrasparc III 1062 MHz 4096 MB Ram
    #           4 x 73 GB HD HW Raid 1 + SW Raid 1
    # OS: Solaris 9 (HW 4/04)
    #
    # Maintainer: Peter Bickel IDV & Network Consulting
    #
    # The following routes should be configured, if not already:
    #
    # route add a.b.c.42 localhost 0
    # route add a.b.c.43 localhost 0
    #
    block in log quick from any to any with ipopts
    block in log quick proto tcp from any to any with short
    #
    # Receive from internet
    #
    pass in on ce0 all head 100
    # Antispoofing
    block in from 127.0.0.0/8 to any group 100
    block in from a.b.c.42/32 to any group 100
    block in from a.b.c.43/32 to any group 100
    #
    # allow http https to web server
    # Port 80 (http) is redirected to Port 10080 so we filter on 10080
    # Port 443 (https) is redirected to Port 10443 so we filter on 10443
    #
    #
    # be part of the World Wide Web
    #
    pass in quick proto tcp from any to a.b.c.40/29 port = 10080 flags S keep state keep frags group 100
    pass in quick proto tcp from any to a.b.c.40/29 port = 10443 flags S keep state keep frags group 100

Here is my /etc/rc2.d/S60routing:

    #!/sbin/sh
    #
    # Copyright (c) 1994 - 2006 by IDV & Network Consulting
    # All rights reserved.
    #
    #ident "@(#)routing 1.7 97/12/08 IDV"

    case "$1" in
    start)
        route add a.b.c.42 localhost 0
        route add a.b.c.43 localhost 0
        ;;
    stop)
        route delete a.b.c.43 localhost
        route delete a.b.c.42 localhost
        ;;
    *)
        echo "Usage: $0 { start | stop }"
        exit 1
        ;;
    esac
    exit 0

This has worked perfectly for me for more than two years.

HTH

Mann, Bradley wrote:
> Thanks for the reply Peter,
>
> I tried your configuration but to no avail. I re-read the faq and I'm starting to wonder if this will not work for me because of my configuration. I have Apache Tomcat running on the same machine where ipfilter is running, and there are no machines "behind" it. Normally, we connect directly to a single machine's webserver on port 8080. I am trying to make it so that we connect to this machine's webserver through port 80 without moving the listening port of the webserver itself. Is this similar to the configuration you are running?
>
> Thanks,
>
> Brad Mann
> Software Engineer - Information Access Services
> HARRIS Corporation / GCSD
> (321) 984-6292
>
> -----Original Message-----
> From: Peter Bickel [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 07, 2006 5:45 PM
> To: Mann, Bradley
> Cc: [email protected]
> Subject: Re: Easy port forwarding question
>
> Hi Brad
>
> I do the following successfully on Solaris 9 with IPFilter 3.4.35, so I'm able to run apache as a non-root user.
>
> The following settings in ipnat.conf do the trick.
>
> rdr ce0 0.0.0.0/0 port 80 -> 0.0.0.0 port 10080
> rdr ce0 0.0.0.0/0 port 443 -> 0.0.0.0 port 10443
>
> Mann, Bradley wrote:
>> I still haven't found a solution to this seemingly simple problem. Any ideas on how to redirect port 80 to another port on the same machine using ipnat are greatly appreciated.
>>
>> Thanks,
>>
>> Brad Mann
>> Software Engineer - Information Access Services
>> HARRIS Corporation / GCSD
>> (321) 984-6292
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Spenner
>> Sent: Monday, August 07, 2006 1:45 PM
>> To: [email protected]
>> Subject: Re: Easy port forwarding question
>>
>> Jim:
>> Was there more to this thread? I'm trying to accomplish something similar but having no luck. Assume there is NO ipf.conf for simplicity.
>> Also, does the machine need to be routing for a port redirect to a port on the same system?
>>
>> My example: I have a tcp server listening on port 19000. I wish to 'copy' that port to 12321, such that anyone connecting to 12321 will get the same data as if connecting to 19000. tcp/19000 is not bound to any particular interface, so 127.0.0.1:19000 and 10.0.0.6:19000 are both valid.
>>
>> I've tried variations on:
>>
>> rdr eri1 10.0.0.6/32 port 12321 -> 10.0.0.6 port 19000
>> or
>> rdr eri1 0.0.0.0/0 port 12321 -> 10.0.0.6 port 19000
>>
>> I was a bit confused by the example/problem below. It seems the source/destination is backwards, or perhaps my order is backwards? I've tried swapping just in case, but had no luck.
>>
>> Any help would be great.
>>
>> Thanks!
>>
>>
>> --- Jim Sandoz <[EMAIL PROTECTED]> wrote:
>>
>>> brad,
>>> ok, someplace to start -- at the beginning.
>>>
>>> (1)
>>> on the ipf machine, what happens when you
>>> $ telnet 127.0.0.1 8080 ?
>>>
>>> (2)
>>> as root, what is the output of
>>> # ipnat -slv ; ipfstat -v ?
>>>
>>> (3)
>>> as root, type this in your xterm/console/ssh/whatever session:
>>> # snoop -Vr -d bge0 port 80 or port 8080
>>> now initiate a browser connection from the remote machine;
>>> record the snoop output for us.
>>>
>>> now repeat step (2).
>>>
>>> jim
>>>
>>>
>>> Mann, Bradley wrote:
>>>
>>>> Thanks for the help,
>>>>
>>>> My ipf.conf file is blank. (Comments only)
>>>>
>>>> ipnat.conf has a single line:
>>>> rdr bge0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080
>>>>
>>>> ifconfig -a outputs the following:
>>>> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>>>>         inet 127.0.0.1 netmask ff000000
>>>> bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
>>>>         inet 158.147.51.44 netmask ffffff00 broadcast 158.147.51.255
>>>>         ether 0:3:ba:f2:e1:a4
>>>>
>>>> Brad Mann
>>>> Software Engineer - Information Access Services
>>>> HARRIS Corporation / GCSD
>>>> (321) 984-6292
>>
>> __________________________________________________
>> Do You Yahoo!?
>> Tired of spam? Yahoo! Mail has the best spam protection around
>> http://mail.yahoo.com
>>
>

--
Regards, Pitsch
__________________________________________________________________________
Peter Bickel                 e-mail:    [EMAIL PROTECTED]
IDV & Network Consulting     Telephone: +41 44 853 24 16
Gumpenwiesenstrasse 38       Fax:       +41 44 853 27 04
CH-8157 Dielsdorf            Mobile:    +41 79 666 15 50
Switzerland                  Web:       http://www.idv.ch/
__________________________________________________________________________
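The detail in Peter's ipf.conf that is easy to miss is the comment "Port 80 (http) is redirected to Port 10080 so we filter on 10080": IPFilter translates inbound packets with the rdr rules before the filter rules see them, so a pass rule written for port 80 never matches the redirected traffic and the web server ends up either unreachable or, with a blanket pass rule, unfiltered. The checker below is an added example, not code from anyone in this thread; it parses constructed ipnat.conf and ipf.conf snippets modelled on Peter's (the regexes only cover the simple rule shapes shown above) and reports each rdr rule whose translated port has no matching "pass in" rule.

```python
import re

# Constructed sample configs modelled on the thread: 80 -> 10080 and
# 443 -> 10443 are redirected, but the filter only passes 10080.
IPNAT_CONF = """\
rdr ce0 0.0.0.0/0 port 80 -> 0.0.0.0 port 10080
rdr ce0 0.0.0.0/0 port 443 -> 0.0.0.0 port 10443
"""
IPF_CONF = """\
block in log quick from any to any with ipopts
pass in on ce0 all head 100
pass in quick proto tcp from any to a.b.c.40/29 port = 10080 flags S keep state group 100
pass in quick proto tcp from any to a.b.c.40/29 port = 443 flags S keep state group 100
"""

# Simple rule shapes only (the forms used in the thread); comments are stripped first.
RDR_RE = re.compile(r"^\s*rdr\s+(\S+)\s+\S+\s+port\s+(\d+)\s+->\s+\S+\s+port\s+(\d+)")
PASS_RE = re.compile(r"^\s*pass\s+in\b.*\bport\s*=\s*(\d+)")

def parse_rdr(text):
    """Return (interface, public_port, target_port) for each rdr rule."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.split("#", 1)[0])
        if m:
            rules.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return rules

def passed_in_ports(text):
    """Destination ports that 'pass in' rules allow explicitly."""
    ports = set()
    for line in text.splitlines():
        m = PASS_RE.match(line.split("#", 1)[0])
        if m:
            ports.add(int(m.group(1)))
    return ports

def check_redirects(ipnat_text, ipf_text):
    """Inbound rdr translation runs before filtering, so the pass rule must
    name the translated port. Map each public port to a finding string."""
    allowed = passed_in_ports(ipf_text)
    findings = {}
    for _iface, public, target in parse_rdr(ipnat_text):
        if target in allowed:
            findings[public] = "ok"
        elif public in allowed:
            findings[public] = "pass rule names pre-NAT port %d, needs %d" % (public, target)
        else:
            findings[public] = "no pass in rule for port %d" % target
    return findings
```

A blanket rule such as "pass in on ce0 all" is not counted as a port-specific allow, so the check is only meaningful for configurations that filter by destination port, as Peter's does.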
