The webserver is also listening on localhost:8080 as far as I know. If I
open a browser and navigate to http://localhost:8080 on the server
machine, I am able to access my web page. However, these rules appear to
have no effect:

rdr bge0 0.0.0.0/0 port 80 -> 0.0.0.0 port 8080
rdr bge0 0.0.0.0/0 port 443 -> 0.0.0.0 port 8443

Can you see any reason why these shouldn't work?

Thanks,


Brad Mann
Software Engineer - Information Access Services
HARRIS Corporation / GCSD
(321) 984-6292

-----Original Message-----
From: Gary Algier [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 08, 2006 9:55 AM
To: Mann, Bradley
Cc: [email protected]
Subject: Re: Easy port forwarding question

I was able to do something like this.  I wanted to do some strange
RDRs to sendmail running on the same machine.

The trick to remember: RDR must send the data to another interface.
Nothing says that interface can't be lo0 (localhost).

If you can make your web server listen to localhost:8080 as well as
webserver:8080, then you can use RDR to make it happen.

If you can't make this happen, try using plugdaemon by Peter da Silva
to listen to port 80 and send to port 8080.  This might use a few more
CPU cycles, but I have not found the impact to be high.
You can find it at http://www.taronga.com/plugdaemon/.

In one case I even used a combination of RDRs and plugdaemon and Solaris
zones to process some traffic in strange and mysterious ways.

Mann, Bradley wrote:
> Thanks again,
> 
> For whatever reason, I simply can't get this to work. I tried your two
> rdr rules, reloaded them into ipnat, but I am still unable to connect to
> the webserver from my client. For clarity's sake, let me draw a picture
> of my setup:
> 
> 
> |------------|             |------------|
> |            |             | Solaris 10 |
> |   Client   |------------>| ipfilter   |
> |            |             | webserver  |
> |------------|             |------------|
> 
> There are no machines "behind" my server. All that I am looking to do is
> prevent the client from having to type http://serveraddr:8080. I would
> like ipfilter (or ipnat) on the server to redirect all requests on port
> 80 to port 8080, so the client only needs to navigate to
> http://serveraddr. Having the webserver listen on another port is not an
> option. Can ipfilter accomplish this, and if not, is there anything that
> will?
> 
> Thanks,
> 
> Brad Mann
> Software Engineer - Information Access Services
> HARRIS Corporation / GCSD
> (321) 984-6292
> 
> -----Original Message-----
> From: Peter Bickel [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, August 08, 2006 5:23 AM
> To: Mann, Bradley
> Cc: [email protected]
> Subject: Re: Easy port forwarding question
> 
> Hi Brad
> 
> I have a single machine with Solaris 9 4/04 IPFilter 3.4.35
> Apache 1.3.xx Tomcat 4.xx running Apache on port 10080 and 10443
> and doing the redirect to port 80 and 443. I use two IP addresses
> on ce0 so I can run two web sites on the same host, but that makes
> no difference to your problem.
> 
> here is my complete ipnat.conf
> 
> #!/sbin/ipnat -f -
> #
> # THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.4.35
> #
> # ce0 - network interface, address a.b.c.d/32
> #
> #
> # ftp proxy is needed, so that we can use the ftp client
> # even if we don't use NAT
> #
> map ce0 0/0 -> 0/32 proxy port 21 ftp/tcp
> #
> # rsh proxy is needed, so that we can SysDREC to outback
> # even if we don't use NAT
> #
> map ce0 0/0 -> 0/32 proxy port 514 rcmd/tcp
> #
> #
> #
> rdr ce0 0.0.0.0/0 port 80 -> 0.0.0.0 port 10080
> rdr ce0 0.0.0.0/0 port 443 -> 0.0.0.0 port 10443
> 
> 
> here are the important parts of my ipf.conf
> 
> #
> # IPfilter configuration for www.xxxxxxxxx.ch
> # IPfilter version:     3.4.35
> # Hardware:             V440 two CPU Ultrasparc III 1062 MHz 4096 MB Ram
> #                       4 x 73 GB HD HW Raid 1 + SW Raid 1
> # OS:                   Solaris 9 (HW 4/04)
> #
> # Maintainer:           Peter Bickel IDV & Network Consulting
> #
> # The following routes should be configured, if not already:
> #
> # route add a.b.c.42 localhost 0
> # route add a.b.c.43 localhost 0
> #
> block in log quick from any to any with ipopts
> block in log quick proto tcp from any to any with short
> #
> # Receive from internet
> #
> pass in on ce0 all head 100
> # Antispoofing
> block in from 127.0.0.0/8 to any group 100
> block in from a.b.c.42/32 to any group 100
> block in from a.b.c.43/32 to any group 100
> #
> # allow http https to web server
> # Port  80  (http) is redirected to Port 10080 so we filter on 10080
> # Port 443 (https) is redirected to Port 10443 so we filter on 10443
> #
> #
> # be part of the World Wide Web
> #
> pass in quick proto tcp from any to a.b.c.40/29 port = 10080 flags S keep
> state keep frags group 100
> pass in quick proto tcp from any to a.b.c.40/29 port = 10443 flags S keep
> state keep frags group 100
> 
> 
> here is my /etc/rc2.d/S60routing
> 
> #!/sbin/sh
> #
> # Copyright (c) 1994 - 2006 by IDV & Network Consulting
> # All rights reserved.
> #
> #ident  "@(#)routing    1.7     97/12/08 IDV"
> 
> case "$1" in
> start)
>          route add a.b.c.42 localhost 0
>          route add a.b.c.43 localhost 0
>          ;;
> 
> stop)
>          route delete a.b.c.43 localhost
>          route delete a.b.c.42 localhost
>          ;;
> 
> *)
>          echo "Usage: $0 { start | stop }"
>          exit 1
>          ;;
> esac
> exit 0
> 
> 
> 
> this has worked perfectly for me for more than 2 years.
> 
> HTH
> 
> 
> 
> Mann, Bradley wrote:
>> Thanks for the reply Peter,
>>
>> I tried your configuration but to no avail. I re-read the FAQ and I'm
>> starting to wonder if this will not work for me because of my
>> configuration. I have Apache Tomcat running on the same machine where
>> ipfilter is running, and there are no machines "behind" it. Normally, we
>> connect directly to a single machine's webserver on port 8080. I am
>> trying to make it so that we connect to this machine's webserver through
>> port 80 without moving the listening port of the webserver itself. Is
>> this similar to the configuration you are running?
>>
>> Thanks,
>>
>> Brad Mann
>> Software Engineer - Information Access Services
>> HARRIS Corporation / GCSD
>> (321) 984-6292
>>
>> -----Original Message-----
>> From: Peter Bickel [mailto:[EMAIL PROTECTED] 
>> Sent: Monday, August 07, 2006 5:45 PM
>> To: Mann, Bradley
>> Cc: [email protected]
>> Subject: Re: Easy port forwarding question
>>
>> Hi Brad
>>
>> I do the following successfully on Solaris 9 with IPFilter 3.4.35,
>> so I'm able to run apache as a non-root user.
>>
>> The following settings in ipnat.conf do the trick.
>>
>> rdr ce0 0.0.0.0/0 port 80 -> 0.0.0.0 port 10080
>> rdr ce0 0.0.0.0/0 port 443 -> 0.0.0.0 port 10443
>>
>> Mann, Bradley wrote:
>>> I still haven't found a solution to this seemingly simple problem. Any
>>> ideas on how to redirect port 80 to another port on the same machine
>>> using ipnat are greatly appreciated.
>>>
>>> Thanks,
>>>
>>> Brad Mann
>>> Software Engineer - Information Access Services
>>> HARRIS Corporation / GCSD
>>> (321) 984-6292
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Spenner
>>> Sent: Monday, August 07, 2006 1:45 PM
>>> To: [email protected]
>>> Subject: Re: Easy port forwarding question
>>>
>>> Jim:
>>>   Was there more to this thread?
>>>   I'm trying to accomplish something similar but
>>> having no luck.  Assume there is NO ipf.conf for
>>> simplicity.
>>>   Also, does the machine need to be routing for a port
>>> redirect to a port on the same system?
>>>
>>>   My example:  I have a tcp server listening on port
>>> 19000.  I wish to 'copy' that port to 12321, such
>>> that anyone connecting to 12321 will get the same data
>>> as if connecting to 19000.  tcp/19000 is not bound to
>>> any particular interface, so 127.0.0.1:19000 and
>>> 10.0.0.6:19000 both are valid.
>>>
>>> I've tried variations on:
>>>
>>> rdr eri1 10.0.0.6/32 port 12321 -> 10.0.0.6 port 19000
>>> or
>>> rdr eri1 0.0.0.0/0 port 12321 -> 10.0.0.6 port 19000
>>>
>>> I was a bit confused by the example/problem below.  It
>>> seems the source/destination is backwards, or perhaps
>>> my order is backwards?  I've tried swapping just in
>>> case, but had no luck.
>>>
>>> Any help would be great.
>>>
>>> Thanks!
>>>
>>>  
>>>
>>> --- Jim Sandoz <[EMAIL PROTECTED]> wrote:
>>>
>>>> brad,
>>>> ok, someplace to start -- at the beginning.
>>>>
>>>> (1)
>>>> on the ipf machine, what happens when you
>>>> $ telnet 127.0.0.1 8080    ?
>>>>
>>>> (2)
>>>> as root, what is the output of
>>>> # ipnat -slv ; ipfstat -v   ?
>>>>
>>>> (3)
>>>> as root, type this in your
>>>> xterm/console/ssh/whatever session:
>>>> # snoop -Vr -d bge0 port 80 or port 8080
>>>> now initiate a browser connection from the remote
>>>> machine;
>>>> record the snoop output for us.
>>>>
>>>> now repeat step (2).
>>>>
>>>> jim
>>>>
>>>>
>>>> Mann, Bradley wrote:
>>>>
>>>>> Thanks for the help,
>>>>>
>>>>> My ipf.conf file is blank. (Comments only)
>>>>>
>>>>> ipnat.conf has a single line:
>>>>> rdr bge0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080
>>>>>
>>>>> ifconfig -a outputs the following:
>>>>> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>>>>>        inet 127.0.0.1 netmask ff000000
>>>>> bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
>>>>>        inet 158.147.51.44 netmask ffffff00 broadcast 158.147.51.255
>>>>>        ether 0:3:ba:f2:e1:a4
>>>>>
>>>>> Brad Mann
>>>>> Software Engineer - Information Access Services
>>>>> HARRIS Corporation / GCSD
>>>>> (321) 984-6292
>>>
>>
> 
> 

-- 
Gary Algier, WB2FWZ          gaa at ulticom.com             +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054      Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
    People don't read documentation voluntarily.
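The whole thread turns on two questions about a same-host rdr rule: is anything actually listening at the address and port the rule forwards to, and what does the rule expose once it works (a redirect on a public interface to 127.0.0.1 turns a loopback-only service into a network-reachable one). The script below is an added example, not code from the thread or from the IP Filter project: it parses rdr lines in the form used above and audits them against a constructed listener table of the kind netstat -an reports. It assumes that a target of 0.0.0.0 means "this host" (modelled as the rule's interface address, which is how the thread uses it); the listener table, the extra port-8081 rule and the interface map are constructed sample data, with the bge0 address taken from the ifconfig output quoted in the thread.

```python
"""Audit IP Filter ipnat rdr rules against what is actually listening (added example)."""
import re
from dataclasses import dataclass

ANY_SRC = ("0.0.0.0/0", "0/0", "any")
SELF_TARGET = ("0.0.0.0", "0/32", "0")

# rdr <if> <dst> port <dport> -> <target> port <tport> [tcp|udp], as written in the thread
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)"
    r"\s*->\s*(?P<target>\S+)\s+port\s+(?P<tport>\d+)"
    r"(?:\s+(?P<proto>tcp|udp))?$"
)


@dataclass(frozen=True)
class RdrRule:
    ifname: str
    dst: str
    dport: int
    target: str
    tport: int
    proto: str = "tcp"


def parse_rdr(line):
    """Parse one rdr line; return None for anything else (comments, map, pass, ...)."""
    m = RDR_RE.match(line.strip())
    if not m:
        return None
    return RdrRule(m["ifname"], m["dst"], int(m["dport"]),
                   m["target"], int(m["tport"]), m["proto"] or "tcp")


def parse_ipnat_conf(text):
    """Collect the rdr rules from an ipnat.conf body, ignoring comments and map rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("rdr"):
            continue
        rule = parse_rdr(line)
        if rule is None:
            raise ValueError(f"unrecognised rdr syntax: {raw!r}")
        rules.append(rule)
    return rules


def effective_target(rule, interfaces):
    # Assumption: a target of 0.0.0.0 (or 0/32) is modelled as the address of the
    # interface the rule is attached to, i.e. "this host", as the thread uses it.
    # Check ipnat(5) for the exact semantics of the IP Filter version in use.
    if rule.target in SELF_TARGET:
        return interfaces.get(rule.ifname)
    return rule.target


def audit(rules, listeners, interfaces):
    """Return (rule, severity, message) findings; listeners are (addr, port, proto)."""
    findings = []
    for r in rules:
        tgt = effective_target(r, interfaces)
        same_port = [a for a, p, pr in listeners if p == r.tport and pr == r.proto]
        bound_any = any(a in ("0.0.0.0", "*") for a in same_port)
        if not (bound_any or tgt in same_port):
            # Nothing answers at the redirect target: the "rule has no effect" symptom.
            msg = (f"no {r.proto} listener on {tgt}:{r.tport}; connections to "
                   f"{r.ifname}:{r.dport} are redirected into nothing")
            if "127.0.0.1" in same_port:
                msg += (f" (the service listens only on 127.0.0.1: bind it to {tgt} "
                        "as well, or redirect to 127.0.0.1)")
            findings.append((r, "error", msg))
        elif r.ifname != "lo0" and r.dst in ANY_SRC and tgt == "127.0.0.1" and not bound_any:
            # The rule works, but it makes a loopback-only service reachable from the network.
            findings.append((r, "warn",
                             f"{r.ifname}:{r.dport} forwards any source to the loopback-only "
                             f"service 127.0.0.1:{r.tport}, which is now network-reachable"))
        elif r.ifname != "lo0" and r.dst in ANY_SRC:
            findings.append((r, "info",
                             f"{r.ifname}:{r.dport} is open to any source and forwarded "
                             f"to {tgt}:{r.tport}"))
    return findings


# Constructed sample, modelled on the rules posted in the thread (port 8081 rule added).
SAMPLE_IPNAT_CONF = """\
#!/sbin/ipnat -f -
rdr bge0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080
rdr bge0 0.0.0.0/0 port 443 -> 0.0.0.0 port 8443
rdr bge0 0.0.0.0/0 port 8081 -> 0.0.0.0 port 8080
"""
# Constructed listener table: Tomcat bound to loopback only on 8080, sshd on every address.
SAMPLE_LISTENERS = [("127.0.0.1", 8080, "tcp"), ("0.0.0.0", 22, "tcp")]
# Constructed interface map; the bge0 address is the one from the thread's ifconfig output.
SAMPLE_INTERFACES = {"bge0": "158.147.51.44", "lo0": "127.0.0.1"}


def audit_conf(text=SAMPLE_IPNAT_CONF, listeners=SAMPLE_LISTENERS,
               interfaces=SAMPLE_INTERFACES):
    return audit(parse_ipnat_conf(text), listeners, interfaces)


if __name__ == "__main__":
    for rule, severity, message in audit_conf():
        print(f"[{severity}] {rule.ifname}:{rule.dport} -> {rule.target}:{rule.tport}: {message}")
```

Run against the sample, the port-80 rule is reported as working but exposing the loopback-only Tomcat, the port-443 rule as forwarding to a port with no listener at all, and the port-8081 rule as forwarding to the host address while the service listens only on 127.0.0.1, which is the mismatch Gary's advice about listening on localhost as well addresses. To use it on a real host, feed it the rdr lines from ipnat.conf and a listener table built from netstat -an.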
