Re: Re: Port forwarding
Yes... I got it working by binding orion to host="[ALL]" and port="10080" and executing the following two:

    echo "1" > /proc/sys/net/ipv4/ip_forward
    ipchains -I input 1 -d MYIP 80 -p tcp -j REDIRECT 10080

It is odd that I had to do that... I originally was going to bind all instances of orion to different IPs but all on port 10080, but because this solution works effectively I will have each instance bind to a different port and [ALL]... ipchains then redirects to the appropriate server through the above command...

I will be talking to redhat about this, if I find out more I'll let you know... Although this solution appears effective and I will probably not look into it anymore unless dealing with the new 2.4 kernel that has different firewall/portfw features (Net Filters).
Re: Re: Port forwarding
ACK I meant host="[ALL]" not port=[ALL] !!! Very tired from skiboarding all day...

On Wed, 24 Jan 2001 [EMAIL PROTECTED] wrote:

> I'm not quite sure what you are saying, but we are getting
> somewhere...I got orion to bind to port 10080...I have it in 2 places
> default-web-site.xml and mysite.xml. both with hardcoded IP and port.
> It is responding as that ip/port and not conflicting with other apache
> and orion. I've never heard of port="[ALL]"...sounds pretty scary
> to me. it binds to all ports? What do you have in default vs. your
> virtual hosts?
>

my bad, sorry. It's the "hardcoded ip" that is causing your grief (if your setup looks anything like mine).

try host="[ALL]" and port="10080"

the frontend and virtual host stuff is only required for redirects and something else which escapes me.

Trevor
Re: Re: Port forwarding
>I have it running on a 4ip host where each interface (ip) is a
>different web site which is what I think you want to do right?

Currently I have a 4ip host...for argument sake:

IP 1 - apache bound to port 80
IP 2&3 - orion bound to port 80 (unfortunately as root...why I'm trying all this)...up and doing BUSINESS
IP 4 - orion bound to 10080...it is responding to http://ip:10080 and local 'telnet IP#4 10080'
(I wanted this just for now, I will add more security when I get working)

>The problem I ran into is that if I configured each site to only
>listen on the relevant interface (port= in web-site tag) it didn't
>work. I had to say port="[ALL]". So I gave each site (interface) a
>different port > 1024 and did the ipchains for each, just as you
>have done.

I'm not quite sure what you are saying, but we are getting somewhere...I got orion to bind to port 10080...I have it in 2 places default-web-site.xml and mysite.xml. both with hardcoded IP and port. It is responding as that ip/port and not conflicting with other apache and orion. I've never heard of port="[ALL]"...sounds pretty scary to me. it binds to all ports? What do you have in default vs. your virtual hosts?

>I also added a virtual-hosts entry and a frontend tag in the
>web-site xml for each site - both were important but I can't remember
>what failed if you didn't include them.

I have been frustrated with this for almost a month...I actually signed a contract with RedHat for server support...If orion is responding to port 10080...I would think orion's part should be done...what do you think? I will let you know what Red Hat comes up with...and see if this so called services model is any good.

I think the new kernel has better built in port forwarding...it would be a lot easier it seems if the firewall and server were on separate machines...ipchains/ip-masq were not built for local redirection..there are some hacks I can do, but I don't want to use software on my server that is installed on less than 1000 servers in the whole universe

David

On Mon, 22 Jan 2001, David Morton wrote:

>
> Has anybody gotten port-forwarding to work? I want orion to run
> as non-root user on Linux. I did see:
> http://www.orionsupport.com/articles/unixprocess.html
>
> The following is an excerpt:
> IP Chains (ipfw)
> IP Chains is a program that comes with recent versions of Linux that uses
> the ipfw library to specify rules for TCP/IP packets. For information about
> using it, refer to the howto.
> Here's a simple rule to tell all incoming TCP packets destined for port 80
> to be forwarded to port 10080:
> [root@myhost]$ ipchains -A input --destination-port 80 -p tcp -j REDIRECT 10080
> Warning: Use ipchains at own risk... You are recommended to read the
> documentation first, and have the machine in easy reach.
> This command needs to be executed each time the system is booted, so you
> may want to place it in a startup file somewhere.
>
> I tried ipchains rule with one change:
> ipchains -A input -d 192.168.0.4 80 -p tcp -j REDIRECT 10080
>
> it didn't work.
>
> any suggestions?
>
> If anyone has working on one ip only (on a machine that has multiple ips
> like mine)...please send output of 'ipchains -L'...and any other ipmasqadm
> table output...
>
> Thanks
> David
>
>
Re: Port forwarding
Hey David,

I have it running on a 4ip host where each interface (ip) is a different web site which is what I think you want to do right?

If that's the case then I did exactly the same thing as you wrt the ipchains command.

The problem I ran into is that if I configured each site to only listen on the relevant interface (port= in web-site tag) it didn't work. I had to say port="[ALL]". So I gave each site (interface) a different port > 1024 and did the ipchains for each, just as you have done.

I also added a virtual-hosts entry and a frontend tag in the web-site xml for each site - both were important but I can't remember what failed if you didn't include them.

Finally I used ipchains to refuse direct connections to the ports > 1024 that the sites were really using - just being picky I guess.

I hope that helps.

Trevor

On Mon, 22 Jan 2001, David Morton wrote:

>
> Has anybody gotten port-forwarding to work? I want orion to run
> as non-root user on Linux. I did see:
> http://www.orionsupport.com/articles/unixprocess.html
>
> The following is an excerpt:
> IP Chains (ipfw)
> IP Chains is a program that comes with recent versions of Linux that uses
> the ipfw library to specify rules for TCP/IP packets. For information about
> using it, refer to the howto.
> Here's a simple rule to tell all incoming TCP packets destined for port 80
> to be forwarded to port 10080:
> [root@myhost]$ ipchains -A input --destination-port 80 -p tcp -j REDIRECT 10080
> Warning: Use ipchains at own risk... You are recommended to read the
> documentation first, and have the machine in easy reach.
> This command needs to be executed each time the system is booted, so you
> may want to place it in a startup file somewhere.
>
> I tried ipchains rule with one change:
> ipchains -A input -d 192.168.0.4 80 -p tcp -j REDIRECT 10080
>
> it didn't work.
>
> any suggestions?
>
> If anyone has working on one ip only (on a machine that has multiple ips
> like mine)...please send output of 'ipchains -L'...and any other ipmasqadm
> table output...
>
> Thanks
> David
>
>
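
[Added example, not part of any message in this thread.] The setup the two posters converge on (each Orion instance bound to host="[ALL]" on its own port above 1024, one REDIRECT per public IP, and direct connections to the backend ports refused) can be written as a rule generator that checks the plan before printing anything. The IPs, ports and the names sample_plan and gen_rules are constructed for illustration; the script only prints ipchains commands and runs none.

```shell
#!/bin/sh
# Added example, not from the thread. Prints ipchains commands; runs none.

# Constructed plan: "public_ip backend_port", one Orion instance per line.
sample_plan() {
    cat <<'EOF'
# ip           backend port
192.168.0.2    10081
192.168.0.3    10082
192.168.0.4    10080
EOF
}

# Reads a plan on stdin, prints the rules, exits 1 on an unusable plan.
gen_rules() {
    awk '
    function fail(msg) { print "line " NR ": " msg > "/dev/stderr"; bad = 1 }
    NF == 0 || $1 ~ /^#/ { next }
    NF != 2 || $2 !~ /^[0-9]+$/ { fail("expected: ip port"); next }
    # A non-root process cannot bind ports below 1024.
    $2 < 1024 || $2 > 65535 { fail("port must be 1024-65535"); next }
    # With host="[ALL]" every instance listens on all IPs, so two
    # instances on one port would collide.
    seen[$2]++ { fail("backend port " $2 " used twice"); next }
    { ip[++n] = $1; port[n] = $2 }
    END {
        if (bad || n == 0) exit 1
        # One redirect per site: port 80 on its IP goes to its backend.
        for (i = 1; i <= n; i++)
            printf "ipchains -A input -p tcp -d %s 80 -j REDIRECT %s\n", ip[i], port[i]
        # Refuse packets that arrive already addressed to a backend port.
        for (i = 1; i <= n; i++)
            printf "ipchains -A input -p tcp --destination-port %s -j DENY\n", port[i]
    }'
}

sample_plan | gen_rules
```

The DENY rules match on every interface, so a local check such as the 'telnet IP#4 10080' mentioned earlier in the thread would also be refused once they are loaded.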
Re: Port forwarding
At 11:15 AM 1/22/2001 -0500, you wrote:

> Has anybody gotten port-forwarding to work? I want orion to run
> as non-root user on Linux. I did see:
> http://www.orionsupport.com/articles/unixprocess.html

Works here. There are two separate pieces: the forwarding and Orion. Make sure each works separately if they don't work together for you. Replace Orion with Apache to test forwarding, for example.
Re: Port forwarding
You should use the port forwarding module with ipmasqadm instead:

    ipmasqadm portfw -a -P tcp -L your_ip 80 -R your_ip 10080

type:

    ipmasqadm portfw

for the complete usage.

IMHO, to separate forwarding stuff and firewall rules using ipchains and portfw is better.

----- Original Message -----
From: "David Morton" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: Monday, January 22, 2001 5:15 PM
Subject: Port forwarding

>
> Has anybody gotten port-forwarding to work? I want orion to run
> as non-root user on Linux. I did see:
> http://www.orionsupport.com/articles/unixprocess.html
>
> The following is an excerpt:
> IP Chains (ipfw)
> IP Chains is a program that comes with recent versions of Linux that uses
> the ipfw library to specify rules for TCP/IP packets. For information about
> using it, refer to the howto.
> Here's a simple rule to tell all incoming TCP packets destined for port 80
> to be forwarded to port 10080:
> [root@myhost]$ ipchains -A input --destination-port 80 -p tcp -j REDIRECT 10080
> Warning: Use ipchains at own risk... You are recommended to read the
> documentation first, and have the machine in easy reach.
> This command needs to be executed each time the system is booted, so you
> may want to place it in a startup file somewhere.
>
> I tried ipchains rule with one change:
> ipchains -A input -d 192.168.0.4 80 -p tcp -j REDIRECT 10080
>
> it didn't work.
>
> any suggestions?
>
> If anyone has working on one ip only (on a machine that has multiple ips
> like mine)...please send output of 'ipchains -L'...and any other ipmasqadm
> table output...
>
> Thanks
> David
>
>