You wrote:

> First make sure your web server is write configed.

What do you mean? That the web server, apart from any of this iptables stuff, is just plain working? If so, I'm certain it is. If you meant something else, please clarify.
Thanks,
Ted

--On Thursday, February 28, 2002 7:27 PM +0800 auther_bin <[EMAIL PROTECTED]> wrote:

> First make sure your web server is write configed.
>
>> Hi all,
>>
>> If I were any dumber, scientists would want to examine my brain.
>>
>> Please view this message in a fixed-width font, so you can see the ASCII
>> art. Box C is a client machine. Box F is the firewall, and Box W is
>> the web server.
>>
>>
>>               C
>>        +--------------+
>>     |--|141.140.200.5 |
>>     |  +--------------+
>>     |
>>     |
>>     |        F
>>     |  +--------------+
>>     |--|141.140.200.20|              W
>>     +  +                     +--------------+
>>        |141.140.1.10  |------|141.140.1.18  |
>>        +--------------+      +--------------+
>>
>>
>>
>> Goal: No matter what HTTP URL the client C types, his web browser ends
>> up at Box W. I had this working at one point, months ago, and have
>> lost my notes. I am now too dumb to get it going again. Strangely, I
>> don't remember this as having been too difficult.
>>
>> SysInfo: Firewall is RH 7.2 with kernel 2.4.17. IPTABLES is v1.2.5,
>> installed from the source, then the kernel recompiled.
>>
>> Current setup:
>> [root@dormsfw root]# iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
>> ACCEPT     tcp  --  141.140.200.5        anywhere            tcp spt:ssh
>> ACCEPT     tcp  --  141.140.200.5        anywhere            tcp dpt:ssh
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> [root@dormsfw root]#
>>
>> That allows DNS and ssh traffic only, and works. So far so good. Now I
>> try adding the HTTP URL redirect stuff:
>>
>> [root@dormsfw root]# iptables -L --line-numbers -t nat
>> Chain PREROUTING (policy ACCEPT)
>> num  target     prot opt source               destination
>> 1    DNAT       tcp  --  141.140.200.5        anywhere            tcp dpt:http to:141.140.1.18
>> 2    DNAT       udp  --  141.140.200.5        anywhere            udp dpt:http to:141.140.1.18
>>
>> Chain POSTROUTING (policy ACCEPT)
>> num  target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> num  target     prot opt source               destination
>> [root@dormsfw root]#
>>
>> And lastly I add a forward rule so the DNATted stuff can go through:
>> [root@dormsfw root]# iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
>> ACCEPT     tcp  --  141.140.200.5        anywhere            tcp spt:ssh
>> ACCEPT     tcp  --  141.140.200.5        anywhere            tcp dpt:ssh
>> ACCEPT     tcp  --  141.140.200.5        anywhere            tcp dpt:http
>> ACCEPT     udp  --  141.140.200.5        anywhere            udp dpt:http
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> [root@dormsfw root]#
>>
>> But this doesn't work. Any attempts to access 141.140.1.18:80 work, and
>> any attempts to access any other site:80 just hang.
>>
>> Help! I just don't see what I am missing. It looks like this ought to
>> rewrite the destination address & forward the packet. Why doesn't it?
>>
>> Thanks in advance,
>> Ted Fines
>
> = = = = = = = = = = = = = = = = = = = =
>
> auther_bin
> [EMAIL PROTECTED]
> 2002-02-28
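The listings Ted quotes can be replayed offline to see which direction of the redirected HTTP flow his FORWARD chain accepts. What follows is an added example, not code from the thread or from the netfilter project: it parses the quoted `iptables -L` output (chain text copied from the post, with the column spacing that `-L` prints reconstructed), then walks nat PREROUTING and filter FORWARD for two constructed packets, C's request to an arbitrary site (198.51.100.10 and source port 40000 are made up) and W's reply to it. State matches are not modelled because the listed rules use none.

```python
"""Added example, not code from the thread: replay the posted iptables
listings against sample packets to see which direction of the DNATed
HTTP flow the FORWARD chain accepts and which falls to its DROP policy.
The listing text and the packets are constructed from the thread; nothing
here touches a real firewall.
"""
import re

# Service names as "iptables -L" prints them when run without -n.
SERVICES = {"domain": 53, "ssh": 22, "http": 80}

# Constructed input: the second "iptables -L" FORWARD chain from the thread.
FILTER_FORWARD = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  141.140.200.5        anywhere            tcp spt:ssh
ACCEPT     tcp  --  141.140.200.5        anywhere            tcp dpt:ssh
ACCEPT     tcp  --  141.140.200.5        anywhere            tcp dpt:http
ACCEPT     udp  --  141.140.200.5        anywhere            udp dpt:http
"""

# Constructed input: the nat PREROUTING chain from the thread.
NAT_PREROUTING = """\
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  141.140.200.5        anywhere            tcp dpt:http to:141.140.1.18
2    DNAT       udp  --  141.140.200.5        anywhere            udp dpt:http to:141.140.1.18
"""


def _port(value):
    """Turn a service name or numeric string from the listing into a port number."""
    return SERVICES.get(value, int(value) if value.isdigit() else value)


def parse_chain(listing):
    """Parse one chain of 'iptables -L' output into (policy, [rule dicts])."""
    policy, rules = None, []
    for line in listing.splitlines():
        if line.startswith("Chain "):
            policy = re.search(r"\(policy (\w+)\)", line).group(1)
            continue
        toks = line.split()
        if not toks or toks[0] in ("target", "num"):
            continue              # blank line or column header
        if toks[0].isdigit():
            toks = toks[1:]       # drop the --line-numbers column
        target, prot, _opt, src, dst = toks[:5]
        rule = {"target": target, "prot": prot, "src": src, "dst": dst,
                "spt": None, "dpt": None, "to": None}
        for tok in toks[5:]:      # trailing matches, e.g. "tcp dpt:http to:141.140.1.18"
            key, _, val = tok.partition(":")
            if key in ("spt", "dpt"):
                rule[key] = _port(val)
            elif key == "to":
                rule[key] = val
        rules.append(rule)
    return policy, rules


def matches(rule, pkt):
    """Match on the fields the listing shows; 'anywhere' and 'all' are wildcards."""
    return (rule["prot"] in ("all", pkt["prot"])
            and rule["src"] in ("anywhere", pkt["src"])
            and rule["dst"] in ("anywhere", pkt["dst"])
            and rule["spt"] in (None, pkt["sport"])
            and rule["dpt"] in (None, pkt["dport"]))


def walk_chain(policy, rules, pkt):
    """First matching rule wins; returns (verdict, index), index None for the policy."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["target"], i
    return policy, None


def trace(pkt):
    """nat PREROUTING, then filter FORWARD, in the order a forwarded packet sees them.
    Replies of a DNATed flow are un-translated by conntrack later (POSTROUTING), so
    FORWARD sees a reply with the web server's real address as its source."""
    policy, nat_rules = parse_chain(NAT_PREROUTING)
    verdict, idx = walk_chain(policy, nat_rules, pkt)
    after = dict(pkt)
    if verdict == "DNAT":
        after["dst"] = nat_rules[idx]["to"]
    policy, fwd_rules = parse_chain(FILTER_FORWARD)
    verdict, idx = walk_chain(policy, fwd_rules, after)
    return {"dnat": after["dst"] != pkt["dst"], "dst": after["dst"],
            "verdict": verdict, "rule": idx}


# Constructed packets: C fetching "any other site", and W's reply to it.
CLIENT_TO_SITE = {"prot": "tcp", "src": "141.140.200.5", "dst": "198.51.100.10",
                  "sport": 40000, "dport": 80}
REPLY_FROM_W = {"prot": "tcp", "src": "141.140.1.18", "dst": "141.140.200.5",
                "sport": 80, "dport": 40000}

if __name__ == "__main__":
    for name, pkt in (("C -> site:80", CLIENT_TO_SITE), ("W -> C reply", REPLY_FROM_W)):
        print(name, trace(pkt))
```

Run stand-alone it prints the two verdicts: the request is rewritten to 141.140.1.18 and accepted by the `dpt:http` rule, while the reply from W matches nothing in FORWARD and falls to the DROP policy. If the reply really does traverse the firewall, that kills the connection; the usual rule for it is `iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT`. The thread does not settle whether this is Ted's problem (he reports direct access to W working), so treat it as the first thing to verify with a packet capture on F's inside interface rather than as the diagnosis.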
