Re: [leaf-user] Bering-uClibc 2.2.1 IP Alias Configuration Question
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert Harrison wrote:
> I've run my firewall with this software for several years. Recently
> changed ISP, and in the confusion something went wrong that I can't
> figure out. The firewall is supposed to send web browser requests and
> ssh requests to a computer on the local net. The Apache server is
> configured using virtualhost to provide results based on one of several
> domain names, all of which resolve to the same IP address 173.x.x.180.
> However, the virtualhost configuration is only read if a wild card is
> given for the IP address or the computer's local IP address
> (192.168.1.120)! Other sites which should be served based on their IP
> address alone are not seen at all. It seems to me that the HTTP request
> is being rewritten to contain the local destination (192.168.1.120)
> rather than the originating address (173.x.x.180). Configuration
> information is given below. I'd appreciate any advice on how to proceed.

Based on your rules, it looks like you have assigned all of the IP
addresses to your firewall, and are port-forwarding the desired traffic
to the internal system(s). This should work, but you did not include any
real details on your port-forwarding setup (/etc/shorewall/rules) or how
your apache is configured.

Note that when the traffic is port-forwarded from the various IP
addresses on the firewall, the destination address *WILL* get
re-written. If you want to use IP based virtual hosting, you will need
to assign multiple IP addresses on the internal system, and port-forward
each public IP on the firewall to an appropriate IP address on the
internal system. Otherwise, apache will have no idea which IP address
the original request was sent to.

If you don't want to use IP addresses, you could do a similar thing with
ports on the internal apache system, forwarding each external public IP
to a unique port number on the internal system.

- --
Charles Steinkuehler
char...@steinkuehler.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFK8y+oLywbqEHdNFwRAkPbAJ9kUA56uRlrJ8KfwVxTJi219I1iAwCeN04y
KH+zxJbCyvxlkRDB/TQUpmk=
=hxLP
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008
30-Day trial. Simplify your report design, integration and deployment -
and focus on what you do best, core application coding. Discover what's
new with Crystal Reports now.
http://p.sf.net/sfu/bobj-july
------------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
Re: [leaf-user] Bering-uClibc 2.2.1 IP Alias Configuration Question
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert Harrison wrote:
> Thanks for the quick reply, but I'm not sure I understand. Here is the
> Shorewall rules file:
>
> #
> # Shorewall version 2.0 - Rules File
> # /etc/shorewall/rules
> # Accept all http and ssh connections to anneMC
> DNAT net loc:192.168.1.120 tcp http,https,ssh - 173.x.x.178
> DNAT net loc:192.168.1.120 tcp http,https,ssh - 173.x.x.179
> DNAT net loc:192.168.1.120 tcp http,https,ssh - 173.x.x.180
> DNAT net loc:192.168.1.120 tcp http,https,ssh - 173.x.x.181
> DNAT net loc:192.168.1.120 tcp http,https,ssh - 173.x.x.182
>
> snip
>
> I thought the purpose of the Original Destination in the DNAT rule was
> to pass the IP address used to access the website. Could you tell me
> what is wrong with this (rules) setup?

You are routing traffic from all of your original destinations to the
same final destination. Since they all point to the same internal IP
address, apache on your internal system has no way to tell which IP they
were originally sent to on the firewall.

You need to change the internal IP address on each rule, and add more
IPs to your internal apache box, something like:

DNAT net loc:192.168.1.120 tcp http,https,ssh - 173.x.x.178
DNAT net loc:192.168.1.121 tcp http,https,ssh - 173.x.x.179
DNAT net loc:192.168.1.122 tcp http,https,ssh - 173.x.x.180
DNAT net loc:192.168.1.123 tcp http,https,ssh - 173.x.x.181
DNAT net loc:192.168.1.124 tcp http,https,ssh - 173.x.x.182

...then you can use the unique internal IP addresses in your apache
configuration to do IP based virtual hosting.

- --
Charles Steinkuehler
char...@steinkuehler.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFK80tSLywbqEHdNFwRAoGbAJ44lSk21d5KcCO/2U2eLMXBvVz5PwCfT+6o
L9juZ80HsqwQoQ9gN+3mUog=
=nEGp
-----END PGP SIGNATURE-----
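The collision Charles describes (five public IPs all DNATed to one internal IP, so the web server sees only 192.168.1.120) is easy to miss by eye in a longer rules file. The following Python script is an added example, not code from the thread or from Shorewall: it parses Shorewall 2.0-style DNAT lines, reports every internal (ip, port) landing spot that receives more than one original destination, and then emits the two rewrites discussed in the thread, one internal IP per public IP (Charles's second reply) and one internal port per public IP (the alternative from his first reply). The sample rules file is constructed from the lines Robert posted, with the 173.x.x placeholders kept as they appear on the page; the column layout (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST) is Shorewall's, while the function names and the 8080 starting port are the example's own choices.

```python
"""Lint Shorewall 2.0-style DNAT rules for the pattern in this thread: several
public IPs forwarded to one internal IP, which defeats IP-based virtual hosting
because the firewall rewrites the destination address before Apache sees it.
Added example; not part of the original thread or of Shorewall itself."""
import ipaddress
from collections import defaultdict

# Constructed sample mirroring the rules posted in the thread (x.x placeholders kept).
SAMPLE_RULES = """\
#
# Shorewall version 2.0 - Rules File
# /etc/shorewall/rules
# Accept all http and ssh connections to anneMC
DNAT net loc:192.168.1.120 tcp http,https,ssh - 173.x.x.178
DNAT net loc:192.168.1.120 tcp http,https,ssh - 173.x.x.179
DNAT net loc:192.168.1.120 tcp http,https,ssh - 173.x.x.180
DNAT net loc:192.168.1.120 tcp http,https,ssh - 173.x.x.181
DNAT net loc:192.168.1.120 tcp http,https,ssh - 173.x.x.182
"""


def parse_dnat_rules(text):
    """Parse DNAT lines. Shorewall 2.0 columns:
    ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST, with DEST as zone:ip[:port]."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if cols[0] != "DNAT" or len(cols) < 7:
            continue
        zone, _, dest = cols[2].partition(":")
        ip, _, port = dest.partition(":")     # optional explicit internal port
        rules.append({"line": lineno, "src": cols[1], "zone": zone, "ip": ip,
                      "port": port or None, "proto": cols[3],
                      "dports": cols[4].split(","), "origdest": cols[6]})
    return rules


def format_rule(r, ip=None, port=None, dports=None):
    """Render a parsed rule back into Shorewall syntax, optionally overriding fields."""
    dest = "%s:%s" % (r["zone"], ip or r["ip"])
    if port or r["port"]:
        dest += ":%s" % (port or r["port"])
    return "DNAT %s %s %s %s - %s" % (r["src"], dest, r["proto"],
                                      ",".join(dports or r["dports"]), r["origdest"])


def find_collisions(rules):
    """Map each internal (ip, port) landing spot to the public IPs sent there.
    More than one public IP per spot means the server cannot tell them apart."""
    by_target = defaultdict(set)
    for r in rules:
        for dport in r["dports"]:
            by_target[(r["ip"], r["port"] or dport)].add(r["origdest"])
    return {t: sorted(o) for t, o in by_target.items() if len(o) > 1}


def rewrite_one_ip_per_origdest(rules, first_internal_ip):
    """Charles's fix: one internal IP per public IP, allocated consecutively from
    first_internal_ip, so the internal host can do IP-based virtual hosting."""
    base = ipaddress.ip_address(first_internal_ip)
    mapping, out = {}, []
    for r in rules:
        mapping.setdefault(r["origdest"], str(base + len(mapping)))
        out.append(format_rule(r, ip=mapping[r["origdest"]]))
    return out, mapping


def rewrite_unique_port_per_origdest(rules, first_port, service="http"):
    """The port variant: keep one internal IP but give each public IP's `service`
    traffic its own internal port; the remaining services stay on the original rule."""
    port_map, out = {}, []
    for r in rules:
        if service not in r["dports"]:
            out.append(format_rule(r))
            continue
        port_map.setdefault(r["origdest"], first_port + len(port_map))
        out.append(format_rule(r, port=port_map[r["origdest"]], dports=[service]))
        rest = [d for d in r["dports"] if d != service]
        if rest:
            out.append(format_rule(r, dports=rest))
    return out, port_map


if __name__ == "__main__":
    rules = parse_dnat_rules(SAMPLE_RULES)
    for target, origs in sorted(find_collisions(rules).items()):
        print("collision: %s:%s receives %s" % (target[0], target[1], ", ".join(origs)))
    print("\n# one internal IP per public IP")
    print("\n".join(rewrite_one_ip_per_origdest(rules, "192.168.1.120")[0]))
    print("\n# one internal port per public IP (http only)")
    print("\n".join(rewrite_unique_port_per_origdest(rules, 8080)[0]))
```

Running it on the sample prints three collisions (http, https and ssh all land on 192.168.1.120 from five public IPs), then the IP-per-origdest rewrite, which matches the five lines Charles posted, and then the port variant. Note that the port variant only disambiguates the one service you split out; https and ssh still collide after it, which is fine for ssh but means TLS virtual hosts would need the same treatment on their own ports.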
Re: [leaf-user] Bering-uClibc 2.2.1 IP Alias Configuration Question
Hi

Robert Harrison wrote:
> I've run my firewall with this software for several years. Recently
> changed ISP, and in the confusion something went wrong that I can't
> figure out. The firewall is supposed to send web browser requests and
> ssh requests to a computer on the local net. The Apache server is
> configured using virtualhost to provide results based on one of several
> domain names, all of which resolve to the same IP address 173.x.x.180.
> However, the virtualhost configuration is only read if a wild card is
> given for the IP address or the computer's local IP address
> (192.168.1.120)! Other sites which should be served based on their IP
> address alone are not seen at all. It seems to me that the HTTP request
> is being rewritten to contain the local destination (192.168.1.120)
> rather than the originating address (173.x.x.180). Configuration
> information is given below. I'd appreciate any advice on how to proceed.

Maybe proxy-arp will help; this would mimic the desired behaviour, but
then you will have to assign the public addresses to the server on the
internal network.

See http://www.shorewall.net/ProxyARP.htm

cheers
Erich