On Tue Apr 11 2000 at 14:30, Simon Gendreau wrote:

> Content-type: text/html; charset=us-ascii
> Content-transfer-encoding: 7BIT

No, please turn this crap off in your nt mailer.  html is for web pages,
not email.  Why m$ has done this by default amazes me, and they have a
lot to answer for by doing it non-standard like this.  (Heh, at least
it isn't also quoted-UNprintable as well :)

> After having successfully configured my firewall box (RH6.2 - PPPoE +
> Pmfirewall), I am looking at installing a second machine which will
> serve as my HTTP server. This machine would be connected on the hub as
> follows
> 
>    * INET
>      ---(myconnection)--->--->----[PC-RH6.2=PPPoE+FIREWALL]-------->HUB
> 
> HUB-:
>    * PC=My Win98 Box
>    * PC=Future HTTP server(????)
> 
> I have not yet figured out how to configure this because I do not
> understand how to make this future machine "pingable" by the outside
> world ...........
> 
> Any hints would be greatly appreciated .....

I hope here that I've understood your problem... you don't specify
what sort of IP addressing you are using, nor say exactly what the
firewall is doing.

If the web server is completely blocked by the firewall, with a bit of
trickery it is still possible to do what you want done, and in more
than one way.  You don't need to run the actual web server on the
firewall box to do it.

Probably the easiest way to do it is to configure your server box with
a squid server, running in transparent proxy mode, acting as a
(transparent) proxy for your web server.

Use ipchains to redirect all port 80 requests to your transparent
proxy port on the router.  It, in turn, drags your web pages off your
real web server behind the firewall.  Take care... this needs to work
in with the other ipchains rules that you have in place for your
firewalling.  To do the port redirect, you need something like this:

        ipchains -A input -i eth0 --dport 80 -p tcp -j REDIRECT 8080

where your squid proxy/accelerator is listening on port 8080 on the
firewall.

It's that easy.  And it works like magic.  (Well, perhaps not that
easy... it'll need some tweaking to get it all working together).

There is another possible way to do it -- untested by me but I'm about
to start playing with this to avoid the overhead of installing and
running transparent proxy servers on our linux routers.  You'll need
to recompile the kernel on the firewall box to enable all the advanced
routing stuff - the default rh distribution kernel doesn't have it all
enabled.  (However, no need to optimise it as a router unless it is a
dedicated router).  Then you'll need to install /sbin/ip from the
iproute package, and read the docs in /usr/doc/iproute*/* -- it will
blow you out what the kernel can now do with its routing!

After this, things get way cool... you can create multiple routing
tables (up to 256), and set up one of these as a default route to your
real internal web server.  Then set up an ipchains to "fwmark" any
incoming port 80 packets, and use the "ip rule" facility to create a
rule to use this particular routing table for routing any fwmark'ed
packets.  You might also need to put in some things to allow reply
packets out in a sane way.  The commands go something like this:

        ipchains -A input -i eth0 -m 0xfa -p tcp --dport 80
        ip route add default via 172.16.16.15 table 200
        ip rule add fwmark 0xfa table 200

Here I'm using table number 200 and marking incoming port 80 packets
on eth0 with a "tag" value of 0xfa.  The default route for all
fwmark'ed packets is now via table 200 to the 172.16.16.15 box (on
your private network) where your web server is located.

That is awesome... very powerful.  You can do all sorts of things with
this.  The kernel can also check/reset TOS fields etc, and route
according to that and other information in the tcp/ip header.

Note that routing tables are NOT the same thing as routing policy (ie,
routing *rules*).  See the docs for iproute and the advanced
networking HOWTOs (somewhere on the net) for more information.  BTW,
/sbin/ip is how you manage ipv6, and it will eventually replace the
ifconfig and route commands.  Also have a look at /sbin/tc (traffic
control utility) - more magic to be found there.

Same deal for pings... you'll have to set it up to make it all work as
you want.

You might need to do some extra masquerading tweaking and trickery to
make packets coming from the web server to be masqueraded as appearing
to come from the firewall box as they go back out to the internet...
for all the internet knows, the firewall _is_ your web server (even
though it isn't at all :)

The point is that the URL for your web server should point to the
*firewall*, not to the web server box behind it -- which, I assume, is
completely inaccessible by the firewall or from being in private IP
address space.  If it does have a public IP address, then all you
really need to do is to open up the necessary ports on the firewall to
let the packets through.

Cheers
Tony
 -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
  Tony Nugent <[EMAIL PROTECTED]>    Systems Administrator, RHCE
  GrowZone OnLine       (a project of) GrowZone Development Network
  POBox 475 Toowoomba Queensland Australia 4350    Ph: 07 4637 8322
 -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-