> |Internet
> |ww.xx.yy.zz
> |
> |                            Production                 Production
> |-----|----|                    WEB                         DB
> | eth0     |               |----------|                 |-------|
> |          |  192.168.3.x  |          |   192.168.4.x   |       |
> |-----|eth1 eth2|----------|eth0  eth1|-----------------|eth0   |
> |  .1 |__________|.1    .2 |__________| .1           .2 |_______|
> |
> |
> |
> |                            Development                Development
> |                               WEB                         DB
> |                          |----------|                 |--------|
> |      192.168.1.x         |          |   192.168.2.x   |        |
> |--------------------------|eth0  eth1|-----------------|eth0    |
>  .2                        |__________| .1           .2 |________|
> Secondly, how do I forward port 80 requests from the firewall to the
> Production Web box (192.168.3.2)? Do I need httpd running on the firewall
> to receive the port 80 requests? Right now it is closed.

No, you do not need a listening HTTP port on the firewall. IMO, you should not be allowing ANY direct connections from the internet to your firewall, including ssh. Only allow connections from within your LAN.

Port forwarding with netfilter from the internet to your web server requires three steps:

1) setting up destination NAT'ing in the nat table's PREROUTING chain,
2) allowing/denying connections in the filter table's FORWARD chain,
3) setting up either source NAT'ing in the nat table's POSTROUTING chain or MASQUERADING in the nat table's POSTROUTING chain, depending on which type of connection you have (static or dynamic respectively)

#variables
iptables=`which iptables`
EXT_IFACE="eth0"
INT_IFACE="eth2"            # firewall interface on the production web segment (eth2 in the diagram above)
IPADDR="ww.xx.yy.zz"
WEB_SVR="192.168.3.2"
INTRANET="192.168.0.0/16"   # covers all 192.168.x.x segments in the diagram; a /24 would not match 192.168.3.x
HTTP="80"
UNPRIV_PORTS="1024:65535"

#step 1: rewrite the destination of inbound port 80 packets to the web server
$iptables -t nat -A PREROUTING -p tcp -i $EXT_IFACE -d $IPADDR --dport $HTTP -j DNAT --to-destination $WEB_SVR

#step 2
#note: "! -s" / "! -d" is the current negation syntax; older iptables releases wrote "-s !" / "-d !"
#accept new and established inbound http connections
$iptables -A FORWARD -p tcp -i $EXT_IFACE -o $INT_IFACE ! -s $INTRANET -d $WEB_SVR --dport $HTTP --sport $UNPRIV_PORTS -m state --state NEW,ESTABLISHED -j ACCEPT
#accept established outbound http connections (the web server's replies)
$iptables -A FORWARD -p tcp -i $INT_IFACE -o $EXT_IFACE -s $WEB_SVR ! -d $INTRANET --sport $HTTP --dport $UNPRIV_PORTS -m state --state ESTABLISHED -j ACCEPT

#step 3
#use the SNAT target if you have a static external ip address
$iptables -t nat -A POSTROUTING -s $INTRANET ! -d $INTRANET -o $EXT_IFACE -j SNAT --to-source $IPADDR
#use the MASQUERADE target if you have a dynamic external ip address
$iptables -t nat -A POSTROUTING -s $INTRANET ! -d $INTRANET -o $EXT_IFACE -j MASQUERADE

Keep in mind that filtering should take place only in the filter table chains (INPUT, OUTPUT, FORWARD), not in the nat table chains (PREROUTING, POSTROUTING, OUTPUT).

cheers
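The three-step forward described in the reply above, as an added example that is not part of the thread: it emits the same DNAT, FORWARD and SNAT/MASQUERADE rules as one iptables-restore ruleset, so the whole set is loaded atomically instead of rule by rule, and it gives the FORWARD chain a DROP policy so only the listed traffic crosses. Interface names and addresses follow the thread's diagram (ww.xx.yy.zz is the thread's placeholder and must be replaced with the real public address before loading); the INPUT rules for the firewall itself, which admit ssh only from the LAN side, are an assumption that follows the reply's advice. The helper functions count_target and nat_table_is_clean are assumptions added for checking the generated text.

```shell
#!/bin/sh
# Added example, not code from the thread: the three-step port forward as an
# iptables-restore ruleset. Values follow the thread's diagram; the INPUT
# rules for the firewall host itself are an assumption.
set -eu

EXT_IFACE="eth0"          # firewall interface facing the Internet
INT_IFACE="eth2"          # firewall interface on the production web segment
IPADDR="ww.xx.yy.zz"      # placeholder public address from the thread; replace before loading
WEB_SVR="192.168.3.2"     # production web server
INTRANET="192.168.0.0/16" # covers every 192.168.x.x segment in the diagram
HTTP="80"

# Print a complete iptables-restore ruleset.
# $1 is "static" (SNAT to IPADDR) or "dynamic" (MASQUERADE), as in step 3.
build_ruleset() {
    case "$1" in
        static)  post="-A POSTROUTING -s $INTRANET ! -d $INTRANET -o $EXT_IFACE -j SNAT --to-source $IPADDR" ;;
        dynamic) post="-A POSTROUTING -s $INTRANET ! -d $INTRANET -o $EXT_IFACE -j MASQUERADE" ;;
        *) echo "build_ruleset: expected 'static' or 'dynamic', got '$1'" >&2; return 1 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# step 1: rewrite the destination of inbound port $HTTP to the web server
-A PREROUTING -i $EXT_IFACE -p tcp -d $IPADDR --dport $HTTP -j DNAT --to-destination $WEB_SVR
# step 3: rewrite the source of LAN traffic leaving towards the Internet
$post
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# firewall host itself: loopback, replies, and ssh only from the LAN side (assumption)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT ! -i $EXT_IFACE -s $INTRANET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# step 2: decide what may cross the firewall; filtering lives here, not in nat
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT_IFACE -o $INT_IFACE -p tcp -d $WEB_SVR --dport $HTTP -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Count the rules in a ruleset text that jump to a given target (DNAT, SNAT, ...).
count_target() {
    printf '%s\n' "$1" | grep -c -E -- "-j $2( |\$)" || true
}

# Check that the nat table never filters: no rule between "*nat" and its
# COMMIT may jump to ACCEPT, DROP or REJECT (the reply's closing caveat).
nat_table_is_clean() {
    bad=$(printf '%s\n' "$1" | sed -n '/^\*nat/,/^COMMIT/p' | grep -c -E -- "-j (ACCEPT|DROP|REJECT)( |\$)" || true)
    [ "$bad" -eq 0 ]
}

# Stand-alone use: print the ruleset for review or for piping into iptables-restore.
build_ruleset "${1:-static}"
```

To check the syntax without touching the running firewall, pipe the output into `iptables-restore --test`; to apply it, pipe into `iptables-restore` as root. The rules use the current `! -d` negation form and `-m conntrack --ctstate` rather than the older `-d !` and `-m state --state`, which older iptables releases expected.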
