> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of alan barrow
> Sent: Thursday, May 09, 2002 8:29 PM
> To: [EMAIL PROTECTED]
> Subject: a discussion starter i hope.
>
>
> I have been using iptables-netfilter for a while and wish to clarify in
> my mind for once how to do the following.
>
> Scenario: An iptables firewall has 2 interfaces, which are a public and
> a private interface, for simplicity's sake. Behind the firewall a
> service runs which needs to be visible to the world at large; in this
> case let's start with an easy one, http, on port 80.
>
> No problems so far :)
>
> Now behind the firewall are 2 separate servers, each running a web
> service and each running on port 80.
>
> 1) The question is, with only 1 real world address available to you,
> what suggestions do you guys have as to the configuration required to
> make both web servers available on the Internet? So that incoming port
> 80 requests on the firewall public interface go to the correct server.
>

This is impossible with only iptables/netfilter.  You can, however, use
iptables/netfilter to send these connections to a proxy (such as squid) that
can use the host header names to distinguish between the servers and forward
the connections on to the right place.

> 2) The same as scenario 1) except you have 2 addresses available but
> only one external NIC.

This is much easier.  Bind both addresses to the external NIC (or use some other
method to get the firewall to respond to ARP requests for them), then NAT
based on destination IP.
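The destination-IP NAT described above, as an added example that is not part of the original reply: a POSIX shell script that prints (or, with `apply`, runs) the ip/iptables commands for two public addresses on one external NIC, each DNATed to its own internal web server on port 80. The interface name `eth0`, the public addresses 203.0.113.10/11 and the internal addresses 192.168.1.10/11 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the netfilter rules for
# scenario 2 (two public addresses, one external NIC, two internal web servers).
# All addresses and interface names are constructed placeholders.

# base_rules PUBLIC_IF: one-time setup the per-server rules depend on.
base_rules() {
    pub_if=$1
    # DNATed packets must be routed from the public NIC to the private one.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    # Drop forwarded traffic by default; only the explicit holes below pass.
    printf 'iptables -P FORWARD DROP\n'
    # Replies for connections already accepted are let back through.
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# dnat_rules PUBLIC_IF PUBLIC_IP INTERNAL_IP
# Steer TCP/80 arriving for one public address to one internal server.
dnat_rules() {
    pub_if=$1; pub_ip=$2; int_ip=$3
    # Alias the address on the external NIC so the firewall answers ARP for it.
    printf 'ip addr add %s/32 dev %s\n' "$pub_ip" "$pub_if"
    # Rewrite the destination before routing, keyed on which public IP was hit.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport 80 -j DNAT --to-destination %s:80\n' \
        "$pub_if" "$pub_ip" "$int_ip"
    # FORWARD sees the rewritten destination: allow only new port-80 flows to it.
    printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$pub_if" "$int_ip"
}

# generate_all: the complete command list for the two-server setup.
generate_all() {
    base_rules eth0
    dnat_rules eth0 203.0.113.10 192.168.1.10   # first web server
    dnat_rules eth0 203.0.113.11 192.168.1.11   # second web server
}

# "sh nat2.sh" prints the commands for review; "sh nat2.sh apply" runs them as root.
if [ "${1:-}" = apply ]; then
    generate_all | sh -e
else
    generate_all
fi
```

Run without arguments first and read the output; nothing touches the kernel until `apply` is given.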

>
> 3) Same as 2) except you have 2 NIC's.

This is *almost* identical to 2, but you have the option of binding one
address to each NIC.  Six of one, half a dozen of the other.

>
> The reason for this is that I wish to understand if there is a path to
> this result. I realise there are probably many ways to skin this cat,
> and I have tried a few of them; some of you may already be doing this,
> but in my experience there seem to be a lot of pitfalls, and
> consequently the issues I have faced seem to suggest the following:
>
> Some think it's possible, some don't, some wish it was possible, many
> just say this way, others suggest that way, many just give up.
>
> All in all I would like to take this to the logical conclusion of
> getting it working in multiple scenarios securely and effectively.
>
> yours a.r.b.