Re: [LARTC] PAT HOW to - IPTABLES
On 12/10/07 04:20, Indunil Jayasooriya wrote:
> @ DMZ ZONE I have 3 web servers. But I have only one real ip on my firewall. Now, I want to forward port 80 to these 3 web servers. How can I do it?

Like someone else suggested, run a reverse proxy on one system. You could either run it on the firewall or on a fourth system in the DMZ so that you are not running it on the firewall. Use this reverse proxy to intelligently redirect queries that come in to it to the correct back end server. In short, you are forwarding HTTP traffic to an application layer gateway that is intelligent enough to pick the proper back end system to handle the requests. For SMTP, you would use something like Sendmail with Mailertable.

With regards to others' comments about the single IP and not being able to communicate with the internal servers, you can use private IP addresses in your DMZ without a problem so long as they are all hidden from the world by your NATing router, such that everyone would think that all your services are coming off of your one single external IP. You will need to pay attention to SMTP Hello names as well.

Also be aware that you are having a lot depend on connection tracking on the NATing router, and thus have a finite number of resources that are being shared by multiple systems. If it is still in place, you may want to consider running stateless NAT (IPRoute2) for your traffic coming in to said systems so that that traffic will not exceed conntrack.

Grant. . . .

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
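The design Grant describes, as an added example that is not code from the thread or from any poster: a script that generates (but does not apply) the three pieces, namely the iptables DNAT rule on the NATing firewall that hands inbound port 80 on the single public IP to one reverse proxy in the DMZ, an Apache name-based reverse-proxy configuration that picks the back end from the Host header (the thread mentions Apache's reverse proxy feature; the directive syntax here is Apache 2.4 and is an assumption), and the historical iproute2 stateless-NAT lines in the LARTC HOWTO form for the variant that does not consume conntrack entries. All addresses and names are made up: 203.0.113.10 is the public IP on eth0, 10.0.0.2 the proxy, 10.0.0.11 to 10.0.0.13 the three web servers, www1 to www3.example.com their names.

```shell
#!/bin/sh
# Added example, not from the thread. Nothing here touches the running system:
# every function prints commands or config to stdout. Review, then apply with
#   ./dmz-proxy.sh rules | sh
# Assumed (made up) addresses: 203.0.113.10 public IP on eth0, 10.0.0.2 proxy,
# 10.0.0.11-13 the three web servers behind it.

# True (exit 0) when $1 is an RFC 1918 address. Used to refuse forwarding to
# anything that is not a hidden DMZ address, as the message recommends.
is_rfc1918() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# dnat_rules EXT_IF EXT_IP PROXY_IP -> iptables commands on stdout.
# Only port 80 is forwarded, and only to a private address. The FORWARD rules
# use conntrack state; that is the finite resource Grant warns about.
dnat_rules() {
    ext_if=$1; ext_ip=$2; proxy=$3
    if ! is_rfc1918 "$proxy"; then
        echo "refusing: $proxy is not a private DMZ address" >&2
        return 1
    fi
    cat <<EOF
iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport 80 -j DNAT --to-destination $proxy:80
iptables -A FORWARD -i $ext_if -d $proxy -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $ext_if -s $proxy -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# stateless_nat_rules EXT_IP PROXY_IP -> the LARTC HOWTO "ip route add nat" form.
# Caveat: this maps the whole address (every port, not just 80), keeps no state,
# and later Linux kernels dropped it; check your kernel before relying on it.
stateless_nat_rules() {
    ext_ip=$1; proxy=$2
    cat <<EOF
ip route add nat $ext_ip via $proxy
ip rule add prio 320 from $proxy nat $ext_ip
EOF
}

# apache_vhosts NAME:BACKEND_IP ... -> httpd.conf fragment on stdout (2.4 syntax).
# The first vhost is Apache's default and proxies nothing, so a request with an
# unknown Host header never reaches a back end. ProxyRequests Off keeps
# mod_proxy from doubling as an open forward proxy.
apache_vhosts() {
    cat <<'EOF'
# needs mod_proxy and mod_proxy_http loaded
ProxyRequests Off
<VirtualHost *:80>
    ServerName default.invalid
    <Location />
        Require all denied
    </Location>
</VirtualHost>
EOF
    for pair in "$@"; do
        name=${pair%%:*}; backend=${pair#*:}
        is_rfc1918 "$backend" || { echo "refusing: back end $backend for $name is not private" >&2; return 1; }
        cat <<EOF
<VirtualHost *:80>
    ServerName $name
    ProxyPreserveHost On
    ProxyPass        / http://$backend/
    ProxyPassReverse / http://$backend/
</VirtualHost>
EOF
    done
}

if [ $# -gt 0 ]; then
    case "$1" in
        rules)  dnat_rules eth0 203.0.113.10 10.0.0.2 ;;
        nat)    stateless_nat_rules 203.0.113.10 10.0.0.2 ;;
        apache) apache_vhosts www1.example.com:10.0.0.11 www2.example.com:10.0.0.12 www3.example.com:10.0.0.13 ;;
        *)      echo "usage: $0 rules|nat|apache" >&2 ;;
    esac
fi
```

Pick either `rules` (conntrack-based DNAT) or `nat` (stateless), not both, for the same address; the stateless form also needs plain stateless FORWARD rules, since there is no connection state to match on.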
Re: [LARTC] PAT HOW to - IPTABLES
On Tue, Dec 11, 2007 at 12:19:22AM +0100, Radek 'Goblin' Pieczonka wrote:
>>> Suppose I have 3 mail servers @ DMZ zone with one real ip, the situation as before?
>>>
>>> In that case, what can I do?
>>
>> You could use exim/postfix and route the mail to the right server, but I guess you are trying to find out how to have port 25 on the real ip nat'ed to one of the 3 dmz'ed ips based upon the destination mail address.
>>
>> Short answer: you can't, as far as I know; iptables only looks at src ip / src port & dest ip / dest port. You could write your own plugin module to look into the tcp stream.
>
> Based upon destination email address/domain could be done by postfix and transports for selected mail/domain to selected server. But there is also a possibility of load balancing and failover for a set of domains with all servers working with all the domains for HA and flexibility of computing power; then I'd say take a look at keepalived for both those features. For http traffic it's actually the same, and also you can consider the apache reverse proxy feature.

He only has 1 real ip.

[silly idea] Of course, could be really tricky and use an ipv6 to ipv4 address and name all the dmz servers with ipv6 (in dns as well), really relying upon clients to be ipv6 enabled [/silly idea]

> --
> Radek aka Goblin
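The point both replies agree on, that iptables cannot pick a mail server from the recipient domain and an MTA on the public IP has to, as an added example that is not code from the thread or from any poster: a script that prints a Postfix transport map and the main.cf lines that make the relay accept mail only for the listed domains and hand each to its DMZ server. The domains, addresses and HELO name are made up (example.com, example.net and example.org on 10.0.0.21 to 10.0.0.23; mx.example.com for the relay), and `smtpd_relay_restrictions` assumes Postfix 2.10 or later.

```shell
#!/bin/sh
# Added example, not from the thread. Prints Postfix configuration; it does not
# write or reload anything. Apply with:
#   ./mail-relay.sh transport > /etc/postfix/transport && postmap /etc/postfix/transport
#   ./mail-relay.sh main >> /etc/postfix/main.cf
# Assumed (made up): example.com -> 10.0.0.21, example.net -> 10.0.0.22,
# example.org -> 10.0.0.23, relay HELO name mx.example.com.

# transport_map DOMAIN:SERVER_IP ... -> /etc/postfix/transport lines.
# Brackets around the IP stop Postfix doing an MX lookup on it.
transport_map() {
    for pair in "$@"; do
        domain=${pair%%:*}; server=${pair#*:}
        printf '%-20s smtp:[%s]:25\n' "$domain" "$server"
    done
}

# relay_domains DOMAIN:SERVER_IP ... -> comma-separated list of the domains.
relay_domains() {
    list=''
    for pair in "$@"; do
        list="${list:+$list, }${pair%%:*}"
    done
    printf '%s\n' "$list"
}

# main_cf HELO_NAME DOMAIN:SERVER_IP ... -> main.cf fragment.
# relay_domains limited to the listed domains plus reject_unauth_destination is
# what keeps the box from being an open relay. myhostname is what it offers in
# HELO, which Grant warns needs attention: it should resolve to, and reverse-
# resolve from, the one public IP, not to a private DMZ address.
# Without relay_recipient_maps the relay accepts any user at those domains and
# bounces unknown ones later (backscatter); populate it from the back ends.
main_cf() {
    helo=$1; shift
    cat <<EOF
myhostname = $helo
mydestination =
transport_maps = hash:/etc/postfix/transport
relay_domains = $(relay_domains "$@")
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
EOF
}

if [ $# -gt 0 ]; then
    servers='example.com:10.0.0.21 example.net:10.0.0.22 example.org:10.0.0.23'
    case "$1" in
        transport) transport_map $servers ;;
        main)      main_cf mx.example.com $servers ;;
        *)         echo "usage: $0 transport|main" >&2 ;;
    esac
fi
```

The firewall side is the same DNAT idea as for port 80, pointed at this one relay on port 25; the back-end servers need only accept mail from the relay's DMZ address.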