First make sure your web server is configured correctly.
>Hi all,
>
>If I were any dumber, scientists would want to examine my brain.
>
>Please view this message in a fixed-width font, so you can see the ASCII
>art. Box C is a client machine. Box F is the firewall, and Box W is the
>web server.
>
>
>                 C
>             +--------------+
>        |----|141.140.200.5 |
>        |    +--------------+
>        |
>        |
>        |        F
>        |    +--------------+
>        |----|141.140.200.20|             W
>             +--------------+         +--------------+
>             |141.140.1.10  |---------|141.140.1.18  |
>             +--------------+         +--------------+
>
>
>
>Goal: No matter what HTTP URL the client C types, his web browser ends up
>at Box W. I had this working at one point, months ago, and have lost my
>notes. I am now too dumb to get it going again. Strangely, I don't
>remember this as having been too difficult.
>
>SysInfo: Firewall is RH 7.2 with kernel 2.4.17. IPTABLES is v1.2.5,
>installed from the source, then the kernel recompiled.
>
>Current setup:
>[root@dormsfw root]# iptables -L
>Chain INPUT (policy ACCEPT)
>target prot opt source destination
>
>Chain FORWARD (policy DROP)
>target prot opt source destination
>ACCEPT udp -- anywhere anywhere udp dpt:domain
>ACCEPT tcp -- anywhere anywhere tcp dpt:domain
>ACCEPT tcp -- 141.140.200.5 anywhere tcp spt:ssh
>ACCEPT tcp -- 141.140.200.5 anywhere tcp dpt:ssh
>
>Chain OUTPUT (policy ACCEPT)
>target prot opt source destination
>[root@dormsfw root]#
>
>That allows DNS and ssh traffic only, and works. So far so good. Now I
>try adding the HTTP URL redirect stuff:
>
>[root@dormsfw root]# iptables -L --line-numbers -t nat
>Chain PREROUTING (policy ACCEPT)
>num target prot opt source destination
>1 DNAT tcp -- 141.140.200.5 anywhere tcp dpt:http to:141.140.1.18
>2 DNAT udp -- 141.140.200.5 anywhere udp dpt:http to:141.140.1.18
>
>Chain POSTROUTING (policy ACCEPT)
>num target prot opt source destination
>
>Chain OUTPUT (policy ACCEPT)
>num target prot opt source destination
>[root@dormsfw root]#
>
>And lastly I add a forward rule so the DNATted stuff can go through:
>[root@dormsfw root]# iptables -L
>Chain INPUT (policy ACCEPT)
>target prot opt source destination
>
>Chain FORWARD (policy DROP)
>target prot opt source destination
>ACCEPT udp -- anywhere anywhere udp dpt:domain
>ACCEPT tcp -- anywhere anywhere tcp dpt:domain
>ACCEPT tcp -- 141.140.200.5 anywhere tcp spt:ssh
>ACCEPT tcp -- 141.140.200.5 anywhere tcp dpt:ssh
>ACCEPT tcp -- 141.140.200.5 anywhere tcp dpt:http
>ACCEPT udp -- 141.140.200.5 anywhere udp dpt:http
>
>Chain OUTPUT (policy ACCEPT)
>target prot opt source destination
>[root@dormsfw root]#
>
>But this doesn't work. Any attempts to access 141.140.1.18:80 work, and
>any attempts to access any other site:80 just hang.
>
>Help! I just don't see what I am missing. It looks like this ought to
>rewrite the destination address & forward the packet. Why doesn't it?
>
>Thanks in advance,
>Ted Fines
= = = = = = = = = = = = = = = = = = = =
auther_bin
[EMAIL PROTECTED]
2002-02-28
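The quoted listings above are a good candidate for a mechanical review rather than eyeballing `iptables -L`. The script below is an added example and not code from either poster: it parses rules in `iptables-save` format and flags the points a firewall reviewer would check first in a DNAT redirect setup: whether a tcp/80 DNAT to the web server exists in nat/PREROUTING, whether the udp/80 rule does anything (HTTP is TCP only, so it never matches), and whether a FORWARD chain with policy DROP has a stateful accept so the web server's replies can get back to the client. The `SAMPLE_DUMP` is a hand translation of the listings in the post and `FIXED_DUMP` is one possible cleaned-up ruleset; both are constructed here. The script cannot see kernel state, so `/proc/sys/net/ipv4/ip_forward` and the web server's own routing still have to be checked on the box.

```python
"""Audit an iptables-save style dump for a transparent HTTP redirect (added example)."""
import re

# Constructed: the post's `iptables -L` listings rewritten in iptables-save syntax.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 141.140.200.5 -p tcp --dport 80 -j DNAT --to-destination 141.140.1.18
-A PREROUTING -s 141.140.200.5 -p udp --dport 80 -j DNAT --to-destination 141.140.1.18
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p udp --dport 53 -j ACCEPT
-A FORWARD -p tcp --dport 53 -j ACCEPT
-A FORWARD -s 141.140.200.5 -p tcp --sport 22 -j ACCEPT
-A FORWARD -s 141.140.200.5 -p tcp --dport 22 -j ACCEPT
-A FORWARD -s 141.140.200.5 -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 141.140.200.5 -p udp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed: the same intent with a stateful reply rule and no inert udp/80 rules.
FIXED_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 141.140.200.5 -p tcp --dport 80 -j DNAT --to-destination 141.140.1.18
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p udp --dport 53 -j ACCEPT
-A FORWARD -p tcp --dport 53 -j ACCEPT
-A FORWARD -s 141.140.200.5 -p tcp --dport 22 -j ACCEPT
-A FORWARD -s 141.140.200.5 -d 141.140.1.18 -p tcp --dport 80 -j ACCEPT
COMMIT
"""


def parse_dump(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # table header, e.g. *nat
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line.startswith(":"):               # chain declaration with policy
            name, policy = line[1:].split()[:2]
            tables[current]["policies"][name] = policy
        elif line.startswith("-A "):             # appended rule
            tables[current]["rules"].append(line)
    return tables


def _is_dnat_to(rule, proto, port, target):
    """True if rule is a PREROUTING DNAT of proto/port to target."""
    return (rule.startswith("-A PREROUTING")
            and f"-p {proto}" in rule
            and re.search(rf"--dport {port}(?!\d)", rule) is not None
            and "-j DNAT" in rule
            and f"--to-destination {target}" in rule)


def audit_http_redirect(dump, web_server):
    """Return a list of findings (empty list means nothing to report)."""
    tables = parse_dump(dump)
    nat = tables.get("nat", {"policies": {}, "rules": []})
    filt = tables.get("filter", {"policies": {}, "rules": []})
    findings = []

    if not any(_is_dnat_to(r, "tcp", 80, web_server) for r in nat["rules"]):
        findings.append(f"nat/PREROUTING: no DNAT of tcp/80 to {web_server}")
    if any(_is_dnat_to(r, "udp", 80, web_server) for r in nat["rules"]):
        findings.append("nat/PREROUTING: udp/80 DNAT rule is inert, HTTP runs over TCP")

    fwd = [r for r in filt["rules"] if r.startswith("-A FORWARD")]
    if filt["policies"].get("FORWARD") == "DROP":
        # Replies from the web server (sport 80) only pass a DROP policy if a
        # rule accepts them; the usual way is a state match on ESTABLISHED.
        stateful = any(re.search(r"--(state|ctstate) \S*ESTABLISHED", r)
                       and "-j ACCEPT" in r for r in fwd)
        if not stateful:
            findings.append("filter/FORWARD: policy DROP with no ESTABLISHED,RELATED "
                            "accept; replies from the web server need an explicit rule")
    if not any("-p tcp" in r and re.search(r"--dport 80(?!\d)", r)
               and "-j ACCEPT" in r for r in fwd):
        findings.append("filter/FORWARD: no ACCEPT for tcp/80 after DNAT")
    return findings


if __name__ == "__main__":
    for name, dump in (("original", SAMPLE_DUMP), ("fixed", FIXED_DUMP)):
        print(name, audit_http_redirect(dump, "141.140.1.18") or ["ok"])
```

On a live firewall the input would be `iptables-save` output piped to the script; the rule strings it matches (`-m state --state`, `-j DNAT --to-destination`) are the syntax of the iptables generation in the post, and newer `-m conntrack --ctstate` rules are matched as well.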