-----BEGIN PGP SIGNED MESSAGE-----

Bob Hartung wrote:

>
>5.  Ideas and suggestions appreciated.  It may be that my
>problem is with the Virtual Server portion of httpd.conf

Bob -

I know it doesn't address your question, but I do recommend that if
you're just getting started, you upgrade to a 2.4 kernel and use
iptables.  It's a much better design, and I find it much easier to
work with.  You can get info at http://netfilter.kernelnotes.org.

First, your web server doesn't need to know anything about the real
world.  It should be internally consistent, using the actual hostname
and IP address of the privately addressed machine on which it's
running.

Now then ... I'll take a stab at this, based on what works for me.
It's important to keep a few things straight in your head (and
iptables makes it easier to wrap your brain around it than does
ipchains): filtering, forwarding, and masquerading are different
things, but in your case, all necessary.  First set up the filtering,
which decides who gets in or out.  THEN decide what to forward where,
after the gatekeeper's done with the packet.  And finally, for private
address spaces, set up masquerading.

I'm a little confused by your ipchains rules.  Like everything else,
there are probably a gazillion ways to do this, but if you only have
one external real IP in front and a masqueraded private network in
back, I think you'll find it easier to keep track of what's going on
if you keep your filtering on the INPUT chain, since that's the first
thing incoming packets will hit.  Something rudimentary like this
should allow the traffic you're interested in:

# Default policies
/sbin/ipchains -P input DENY
/sbin/ipchains -P forward ACCEPT
/sbin/ipchains -P output ACCEPT

# Allow replies from connections we initiated
/sbin/ipchains -A input -i eth1 -p tcp ! -y -j ACCEPT

# Deny illegal external addresses
/sbin/ipchains -A input -i eth1 -s 192.168.0.0/16 -j DENY -l
/sbin/ipchains -A input -i eth1 -s 172.16.0.0/12 -j DENY -l
/sbin/ipchains -A input -i eth1 -s 10.0.0.0/8 -j DENY -l

# Allow web traffic from the outside world, as per your specs
/sbin/ipchains -A input -i eth1 -p tcp --dport 80 -j ACCEPT

# Allow some ICMP packets (such as pings).  Note that with ipchains the
# ICMP type is matched as the *source* port (or with --icmp-type); the
# destination port is the ICMP code, so "--dport 0" would not match type 0.
/sbin/ipchains -A input -i eth1 -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/ipchains -A input -i eth1 -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/ipchains -A input -i eth1 -p icmp --icmp-type time-exceeded -j ACCEPT

# Anything else, drop it and log it.
/sbin/ipchains -A input -j DENY -l

Of course, you're not done yet.  You need to configure 80 to forward
from eth1 back to your web server, which I haven't done with
ipmasqadm, so I can't help with your syntax.  You also need a rule to
enable masquerading, which I didn't see in your code.  That would look
something like this, assuming you're using 192.168.1.x for internal
machines:

/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ

And finally, the kernel has to be told to forward:

echo 1 > /proc/sys/net/ipv4/ip_forward

Does any of this help?

- -- 
David Talkington
http://www.spotnet.org

PGP key: http://www.prairienet.org/~dtalk/dt000823.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.75-6

iQEVAwUBOrUb3L1ZYOtSwT+tAQF8kggAypURpIt+nyxTNwcsuTapj1Jhd96SS3q1
CtWonrysgOaLGpbwYcWSqqWQxXmtF4WwGnzEQRZ3kb0W1NS7Z/P19+VafWdwYnik
vg2VGGUgUoImwMH9DDw+Cz/jhXTh8uqxOPsiU6Whhfdqmjjnam3lgzhcaBvyGl3p
rHLpHJ/F6OA5OfCZxmM+h+Yh0kWSP0CzP5tb6NdX2nNqhnCmMWLZWkEdOKM0Wi9J
Fda7zC2IFZZVUR4p1eTu31wy37MZ4Onnve1AgUh7XRUHsyfHhl+k2IIjpWKYwRit
Jd8Hswrt7pdH+lz0mfjB6/prmlggxcj57r9xtPLqMLrBDJxEmjVS8Q==
=qYjl
-----END PGP SIGNATURE-----




_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
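The three-step layout described in the mail above (filter first, then decide what to forward, then masquerade, then enable ip_forward) written out as an iptables script for the 2.4 kernel the author recommends. This is an added example, not David's code and not taken from the list; the interface names eth0/eth1, the 192.168.1.0/24 network and the internal web server address 192.168.1.10 are assumptions. It defaults to DRY_RUN=1, which only prints the commands so the rule set can be read through before it is applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original mail.  Names below are ASSUMPTIONS:
#   EXT_IF      external interface carrying the one public address
#   INT_IF      interface on the private network
#   INT_NET     the private network behind the box
#   WEB_SERVER  the internal Apache host that should receive port 80
EXT_IF=${EXT_IF:-eth1}
INT_IF=${INT_IF:-eth0}
INT_NET=${INT_NET:-192.168.1.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.1.10}
DRY_RUN=${DRY_RUN:-1}

# Run one iptables command, or in dry-run mode print it instead.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        /sbin/iptables "$@"
    fi
}

# Same for the ip_forward sysctl, which is a file write rather than a rule.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

build_firewall() {
    # Start from a clean slate so re-running the script is idempotent.
    ipt -F
    ipt -t nat -F
    ipt -X

    # --- 1. Filtering: who gets in or out ---------------------------------
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # Stateful replacement for the ipchains "! -y" trick: traffic belonging
    # to a connection we already know is let in, which also covers ping
    # replies and ICMP errors (unreachable, time exceeded) as RELATED.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Private source addresses must never arrive on the public interface.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A INPUT -i "$EXT_IF" -s "$net" -j LOG --log-prefix "SPOOF: "
        ipt -A INPUT -i "$EXT_IF" -s "$net" -j DROP
    done

    # Inside machines may open new connections through the box.
    ipt -A FORWARD -i "$INT_IF" -s "$INT_NET" -m state --state NEW -j ACCEPT

    # Let the outside world ping the gateway itself.
    ipt -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -j ACCEPT

    # --- 2. Forwarding: port 80 from outside goes to the web server -------
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # After DNAT the packet still traverses FORWARD, so it needs a rule there.
    ipt -A FORWARD -i "$EXT_IF" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m state --state NEW -j ACCEPT

    # --- 3. Masquerading: hide the private network behind the public IP ---
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE

    # Whatever is left is logged, then dropped by the default policies.
    ipt -A INPUT -j LOG --log-prefix "INPUT DROP: "
    ipt -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

    # And finally the kernel has to be told to forward at all.
    enable_forwarding
}

# Number of append rules in the plan, for a quick review sanity check.
rule_count() {
    ( DRY_RUN=1; build_firewall ) | grep -cE '^iptables (-t nat )?-A '
}

build_firewall
```

Review the printed plan first; the DNAT rule only takes effect together with its FORWARD counterpart and the ip_forward write, which is the ordering the mail insists on.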
