Port forwarding to an external server

Optima
      07-07-2005, 09:45 PM
Hi,

I have two Linux servers connected to the internet. Both of them have
static external IP addresses. I'm looking for a way to set up the servers
so that port 80 of Server A will be forwarded (or routed) to Server B. I'm
doing this because I want to retire the web server on Server A but would
like to keep the existing services (such as pop3, smtp, etc.) on Server A. Both
machines have shorewall. I have tried adding "DNAT all net:xx.yy.zz.aa:80
tcp 80" to the rules file. However, this doesn't work. I think it is
because Server B's gateway doesn't point to Server A. I'm not an expert in
networking in general, so I might be doing something wrong. Does anyone have a
solution to this?

Thanks in advance,

Opt.


Dan
      07-08-2005, 08:25 AM
On Thu, 07 Jul 2005 21:45:57 GMT, "Optima" <(E-Mail Removed)>
wrote:

> I'm looking for a way to set up the servers,
>so that port 80 of Server A will be forwarded (or routed) to Server B.


Not sure if this is what you want, but Apache has a forwarding
mechanism. I can't remember anything else about it though. Have a
look at their doco.

> I think it is
>because Server B's gateway doesn't point to Server A.


Not quite sure what you mean.

Are Server A and Server B on the same local network, or are they in
different locations? Need to know a bit more about your network
configuration.

Dan


Eric Teuber
      07-08-2005, 05:00 PM
Optima wrote:
> Hi,
>
> I have two Linux servers connected to the internet. Both of them have
> static external IP addresses. I'm looking for a way to set up the servers
> so that port 80 of Server A will be forwarded (or routed) to Server B. I'm
> doing this because I want to retire the web server on Server A but would
> like to keep the existing services (such as pop3, smtp, etc.) on Server A. Both
> machines have shorewall. I have tried adding "DNAT all net:xx.yy.zz.aa:80
> tcp 80" to the rules file. However, this doesn't work. I think it is
> because Server B's gateway doesn't point to Server A. I'm not an expert in
> networking in general, so I might be doing something wrong. Does anyone have a
> solution to this?
>
> Thanks in advance,
>
> Opt.
>
>


Check out iptables. You need a route from A to B.

iptables -t nat -A PREROUTING -p tcp -d a.a.a.a --dport 80 -j DNAT --to b.b.b.b:80
iptables -t nat -A OUTPUT -p tcp -d a.a.a.a --dport 80 -j DNAT --to b.b.b.b:80

Eric
Optima
      07-08-2005, 08:01 PM
I forgot to mention that the forwarding is working if I use the browser on
server A. However, browsing from any other machine doesn't work, including from
server B. I've tried different options with iptables but without luck.

Here's the server's iptables -L output:
===========================================================
Chain INPUT (policy DROP)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere
eth0_in    all  --  anywhere  anywhere
common     all  --  anywhere  anywhere
LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:INPUT:REJECT:'
reject     all  --  anywhere  anywhere

Chain FORWARD (policy DROP)
target     prot opt source    destination
eth0_fwd   all  --  anywhere  anywhere
common     all  --  anywhere  anywhere
LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject     all  --  anywhere  anywhere

Chain OUTPUT (policy DROP)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere
ACCEPT     icmp --  anywhere  anywhere
fw2net     all  --  anywhere  anywhere
common     all  --  anywhere  anywhere
LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject     all  --  anywhere  anywhere

Chain all2all (0 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
common     all  --  anywhere  anywhere
LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:all2all:REJECT:'
reject     all  --  anywhere  anywhere

Chain common (5 references)
target     prot opt source    destination
icmpdef    icmp --  anywhere  anywhere
DROP       tcp  --  anywhere  anywhere  state INVALID
REJECT     udp  --  anywhere  anywhere  udp dpts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable
REJECT     udp  --  anywhere  anywhere  udp dpt:microsoft-ds reject-with icmp-port-unreachable
reject     tcp  --  anywhere  anywhere  tcp dpt:epmap
DROP       udp  --  anywhere  anywhere  udp dpt:ssdp
DROP       all  --  anywhere  255.255.255.255
DROP       all  --  anywhere  BASE-ADDRESS.MCAST.NET/4
reject     tcp  --  anywhere  anywhere  tcp dpt:ident
DROP       all  --  anywhere  x.y.z.247

Chain dynamic (2 references)
target     prot opt source    destination

Chain eth0_fwd (1 references)
target     prot opt source    destination
dynamic    all  --  anywhere  anywhere
net2net    all  --  anywhere  anywhere

Chain eth0_in (1 references)
target     prot opt source    destination
dynamic    all  --  anywhere  anywhere
net2fw     all  --  anywhere  anywhere

Chain fw2net (1 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere  b.b.b.b   state NEW tcp dpt:http
ACCEPT     all  --  anywhere  anywhere

Chain icmpdef (1 references)
target     prot opt source    destination

Chain net2all (2 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
common     all  --  anywhere  anywhere
LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:net2all:DROP:'
DROP       all  --  anywhere  anywhere

Chain net2fw (1 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:pop2
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:irdmi
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:8180
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:8899
net2all    all  --  anywhere  anywhere

Chain net2net (1 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere  b.b.b.b   state NEW tcp dpt:http
net2all    all  --  anywhere  anywhere

Chain newnotsyn (5 references)
target     prot opt source    destination
DROP       all  --  anywhere  anywhere

Chain reject (6 references)
target     prot opt source    destination
REJECT     tcp  --  anywhere  anywhere  reject-with tcp-reset
REJECT     all  --  anywhere  anywhere  reject-with icmp-port-unreachable

Chain shorewall (0 references)
target     prot opt source    destination
===========================================================

I've also tried shorewall show nat. Look at the packet count in the first
column. It actually forwards the packets.

===========================================================

#shorewall show nat

Shorewall-1.3.14 NAT at a.a.a.a - Fri Jul 8 12:44:37 PDT 2005

Counters reset Fri Jul 8 12:39:03 PDT 2005

Chain PREROUTING (policy ACCEPT 6673 packets, 628K bytes)
 pkts bytes target    prot opt in   out  source     destination
   16   889 net_dnat  all  --  eth0 *    0.0.0.0/0  0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 6626 packets, 486K bytes)
 pkts bytes target    prot opt in   out  source     destination

Chain OUTPUT (policy ACCEPT 6542 packets, 482K bytes)
 pkts bytes target    prot opt in   out  source     destination
    0     0 DNAT      tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:80 to:b.b.b.b:80

Chain net_dnat (1 references)
 pkts bytes target    prot opt in   out  source     destination
    1    48 DNAT      tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:80 to:b.b.b.b:80

===========================================================

Thanks in advance again if anyone has any clue.

Opt.


"Eric Teuber" <(E-Mail Removed)> wrote in message
news:dambf7$imj$(E-Mail Removed)...

>
> Check out iptables. You need a route from A to B.
>
> iptables -t nat -A PREROUTING -p tcp -d a.a.a.a --dport 80 -j DNAT --to b.b.b.b:80
> iptables -t nat -A OUTPUT -p tcp -d a.a.a.a --dport 80 -j DNAT --to b.b.b.b:80
>
> Eric

Eric Teuber
      07-08-2005, 08:23 PM
Optima wrote:
> I forgot to mention that the forwarding is working if I use the browser on
> server A. However, browsing from any other machine doesn't work, including from
> server B. I've tried different options with iptables but without luck.
>
> Here's the server's iptable -L output:
> ================================================== =========
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere

[snip]

Your `iptables -L` output does not help us to analyze your problem, because
of your custom tables! If you're using iptables already, please provide
more information on how it is set up.

If I understood right, you want to port-forward incoming traffic to box
A port 80 to box B port 80, right?

So, you say that you cannot access your B box except from your A box,
right? If that is true, your forwarding or routing is messed up.

If you want us to help you, please provide the desired information about
routing and forwarding in box A.

Eric
Eric Teuber
      07-08-2005, 08:46 PM
Eric Teuber wrote:
> Optima wrote:
>
>>I forgot to mention that the forwarding is working if I use the browser on
>>server A. However, browsing from any other machine doesn't work, including from
>>server B. I've tried different options with iptables but without luck.
>>
>>Here's the server's iptable -L output:
>>================================================ ===========
>>Chain INPUT (policy DROP)
>>target prot opt source destination
>>ACCEPT all -- anywhere anywhere

>
> [snip]
>
> Your `iptables -L` output does not help us to analyze your problem, because
> of your custom tables! If you're using iptables already, please provide
> more information on how it is set up.
>
> If I understood right, you want to port-forward incoming traffic to box
> A port 80 to box B port 80, right?
>
> So, you say that you cannot access your B box except from your A box,
> right? If that is true, your forwarding or routing is messed up.
>
> If you want us to help you, please provide the desired information about
> routing and forwarding in box A.
>
> Eric


Another short hint...

If you want to test port forwarding to your B box without any of the rules you
have already set up (maybe you have a maintenance window sometime):

# Flushing leaves the chain policies in place. INPUT and FORWARD are
# DROP on this box, so flushing INPUT alone would lock you out of SSH.
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F FORWARD
iptables -F INPUT
iptables -P INPUT ACCEPT       # for the test window only

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp -d a.a.a.a --dport 80 -j DNAT --to b.b.b.b:80
iptables -t nat -A OUTPUT -p tcp -d a.a.a.a --dport 80 -j DNAT --to b.b.b.b:80
# B's default route does not go via A, so rewrite the source as well;
# otherwise B answers the client directly and the client discards the reply.
iptables -t nat -A POSTROUTING -p tcp -d b.b.b.b --dport 80 -j SNAT --to a.a.a.a
# FORWARD policy is DROP: the DNATed SYN (state NEW) needs its own ACCEPT.
iptables -A FORWARD -p tcp -d b.b.b.b --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

Eric
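An added example, not part of Eric's post and not Shorewall's own configuration: the complete hairpin NAT that makes the port-80 DNAT on Server A work from the Internet when Server B's default route does not point at A. The DNAT alone rewrites the SYN and hands it to B, but B then answers the client directly from b.b.b.b, and the client discards that reply because it was talking to a.a.a.a. Rewriting the source as well (SNAT in POSTROUTING) forces B to answer via A, where conntrack reverses both rewrites. The script only prints the rules unless it is run as root with `apply`. Assumptions: A's public interface is eth0, and a.a.a.a / b.b.b.b are placeholders you replace or override through the environment.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin-forward TCP/80 arriving at
# Server A to Server B when B's default route does NOT point at A.
# A_IP, B_IP and WAN_IF are placeholders/assumptions; override them via
# the environment, e.g.  A_IP=203.0.113.5 B_IP=198.51.100.9 ./hairpin.sh show
A_IP="${A_IP:-a.a.a.a}"     # Server A's public address
B_IP="${B_IP:-b.b.b.b}"     # Server B's public address
WAN_IF="${WAN_IF:-eth0}"    # A's Internet-facing interface (assumed eth0)
PORT="${PORT:-80}"

# Emit the rule set as text so it can be reviewed (or tested) before it
# is run as root. Path of one client connection C -> A:80 through A:
#   PREROUTING  DNAT  dst A:80 -> B:80
#   FORWARD     accept the hairpin (in and out on the same interface)
#   POSTROUTING SNAT  src C    -> A   (so B's reply returns through A, where
#                                      conntrack reverses both rewrites)
# The OUTPUT-chain DNAT covers a browser running on A itself.
build_rules() {
    a="$1"; b="$2"; ifc="$3"; port="$4"
    cat <<EOF
iptables -t nat -A PREROUTING -i $ifc -p tcp -d $a --dport $port -j DNAT --to-destination $b:$port
iptables -t nat -A OUTPUT -p tcp -d $a --dport $port -j DNAT --to-destination $b:$port
iptables -t nat -A POSTROUTING -o $ifc -p tcp -d $b --dport $port -j SNAT --to-source $a
iptables -A FORWARD -i $ifc -o $ifc -p tcp -d $b --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ifc -o $ifc -p tcp -s $b --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Enable forwarding and load the rules (root required).
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    build_rules "$A_IP" "$B_IP" "$WAN_IF" "$PORT" | sh -e
}

# Show nat-table counters. Only the FIRST packet of a connection traverses
# the nat table, so one hit per connection attempt is the normal reading.
show_counters() {
    iptables -t nat -L PREROUTING -v -n
    iptables -t nat -L POSTROUTING -v -n
}

case "${1:-show}" in
    show)     build_rules "$A_IP" "$B_IP" "$WAN_IF" "$PORT" ;;
    apply)    apply_rules ;;
    counters) show_counters ;;
    *)        echo "usage: $0 {show|apply|counters}" >&2; exit 2 ;;
esac
```

Two things to keep in mind when reading the counters above: the single 48-byte hit on net_dnat shows that one SYN was rewritten, not that the whole exchange worked, because later packets of that connection never revisit the nat table. And after SNAT every request reaches B with a.a.a.a as its source, so B's access logs, rate limits and any fail2ban-style blocking see A instead of the real client; if client addresses matter, a reverse proxy on A (the Apache mechanism Dan mentioned) that adds X-Forwarded-For is the cleaner way to retire the web server.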