Routing HTTP Traffic to Internal Network

 
 
Gomer Pyle
 
      02-18-2004, 01:28 AM
Greetings,

I am trying to configure a web server behind a router/firewall.
Consider the network diagrammed below:

          (INTERNET)
              |
     (ROUTER - PUBLIC_IP)
              |
      ------------------
      |                |
 (90.0.0.17)       (90.0.0.1)
 ( Client )       (Web Server)

ROUTER is a RedHat 7.3 system (IPTABLES) with static IP Number
PUBLIC_IP, which is also mapped via DNS as www.foo.com. ROUTER is
configured to perform NAT for the machines on the private subnet
(90.0.0.0/24). ROUTER is also configured to pass HTTP requests from
the net to the local machine 90.0.0.1. Hence, someone on the net
going to http://www.foo.com will hit the web server on 90.0.0.1. This
all works well.

However, I would like to allow all the machines on the local subnet
(e.g., 90.0.0.17) to also access the web server via
http://www.foo.com. Is this possible? If so, should this be
configured via the routing tables, or via iptables, or some other way?
What is the proper configuration?

Many thanks for any help or insight!
 
 
 
 
 
Ken
 
      02-18-2004, 02:04 AM
Hi -

On 17 Feb 2004 18:28:03 -0800, (E-Mail Removed) (Gomer Pyle)
wrote:

> However, I would like to allow all the machines on the local subnet
> (e.g., 90.0.0.17) to also access the web server via
> http://www.foo.com. Is this possible? If so, should this be
> configured via the routing tables, or via iptables, or some other way?
> What is the proper configuration?


I'm assuming you are already using an iptables rule that includes:
-t nat -p tcp --destination-port 80 -j DNAT --to-destination 90.0.0.1
to direct the HTTP requests from the internet to the server.

You need to either modify this rule or create a new rule that does
this for the LAN interface. BE SURE to specify a destination IP
address that is the public IP address of ROUTER, otherwise ALL web
browsing will go to your server, i.e. include -d 123.123.123.123 where
123.123.123.123 is the public IP address of ROUTER. You will also
need forwarding rules to permit destination port 80 from the LAN to
the server and source port 80 from the server to the LAN.

Personally I use just one rule for the PREROUTING DNAT and don't
specify any interfaces on it.

--
Ken
http://www.ke9nr.net/
 
 
Ken
 
      02-18-2004, 02:10 AM
Hi -

On 17 Feb 2004 18:28:03 -0800, (E-Mail Removed) (Gomer Pyle)
wrote:

>the private subnet (90.0.0.0/24).


Oops! I meant to include in the other message and forgot ... it is
NOT a good idea to be using that IP range for a private network. Even
though it is currently unassigned, it is highly likely that in the
future public IP addresses will be assigned in that range, at which
point if anyone on your network tries to reach those addresses it will
fail.

I strongly recommend that you use one of the three address ranges
assigned specifically for private networks:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
See RFC 1918 http://www.rfc-editor.org/rfc/rfc1918.txt

--
Ken
http://www.ke9nr.net/
 
 
Frank Winans
 
      02-18-2004, 03:57 AM
"Gomer Pyle" wrote
> I am trying to configure a web server behind a router/firewall.
> Consider the network diagrammed below:
>           (INTERNET)
>               |
>      (ROUTER - PUBLIC_IP)
>               |
>       ------------------
>       |                |
>  (90.0.0.17)       (90.0.0.1)
>  ( Client )       (Web Server)
>
> ROUTER is a RedHat 7.3 system (IPTABLES) with static IP Number
> PUBLIC_IP, which is also mapped via DNS as www.foo.com. ROUTER is
> configured to perform NAT for the machines on the private subnet
> (90.0.0.0/24). ROUTER is also configured to pass HTTP requests from
> the net to the local machine 90.0.0.1. Hence, someone on the net
> going to http://www.foo.com will hit the web server on 90.0.0.1. This
> all works well.
>
> However, I would like to allow all the machines on the local subnet
> (e.g., 90.0.0.17) to also access the web server via
> http://www.foo.com. Is this possible? If so, should this be
> configured via the routing tables, or via iptables, or some other way?


If you stick 90.0.0.1 www.foo.com in the hosts file on
/etc/hosts on a sample client box, like .17, can you then browse
it? If not, you've got Apache config issues on .1 to deal with.

Does sticking that entry in /etc/hosts on the firewall box do what
you need? For that matter, have you made sure it doesn't work
already, before you investigate firewall-based port forwarding
or iptables packet diversion or squid site diversion or caching
dns server hijinx? Sorry to insult, but I had to ask... :-)



 
 
David Cutting
 
      02-18-2004, 05:50 AM
"Gomer Pyle" wrote in message:
> Greetings,

[snip]
> ROUTER is a RedHat 7.3 system (IPTABLES) with static IP Number
> PUBLIC_IP, which is also mapped via DNS as www.foo.com. ROUTER is
> configured to perform NAT for the machines on the private subnet
> (90.0.0.0/24). ROUTER is also configured to pass HTTP requests from
> the net to the local machine 90.0.0.1. Hence, someone on the net
> going to http://www.foo.com will hit the web server on 90.0.0.1. This
> all works well.
>
> However, I would like to allow all the machines on the local subnet
> (e.g., 90.0.0.17) to also access the web server via
> http://www.foo.com. Is this possible? If so, should this be
> configured via the routing tables, or via iptables, or some other way?
> What is the proper configuration?


Hi,

Try something like the following:

iptables -t nat -A PREROUTING -s 90.0.0.0/24 -d www.foo.com -p tcp --dport 80 -j DNAT --to 90.0.0.1:80
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 90.0.0.0/24 -d 90.0.0.1 --dport 80 -j MASQUERADE

Works for me. You should also look at your address
range for an 'internal' network as these are not RFC
compliant and could be in use by someone.

Cheers,

Dave.
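
Added example (not part of any poster's message): a simplified Python model of the two nat rules discussed in this thread. It shows why DNAT alone fails for LAN clients, which source address the web server logs once MASQUERADE is added, and what a DNAT rule written without -d does. The router's LAN address 90.0.0.254 and the outside address 198.51.100.7 are constructed; 123.123.123.123 is the stand-in for PUBLIC_IP used earlier in the thread.

```python
# Simplified model of the router's nat table for port-80 traffic (hairpin NAT).
# 90.0.0.x and 123.123.123.123 come from the thread; the router's LAN address
# 90.0.0.254 and the outside site 198.51.100.7 are constructed for illustration.
from ipaddress import ip_address, ip_network

PUBLIC_IP, SERVER, CLIENT = "123.123.123.123", "90.0.0.1", "90.0.0.17"
ROUTER_LAN, LAN = "90.0.0.254", ip_network("90.0.0.0/24")


def route_via_router(src, dst, dnat_match_dst=PUBLIC_IP, masquerade=True):
    """Return (src, dst) of a port-80 packet after the two hairpin rules.

    dnat_match_dst=None models a PREROUTING DNAT rule written without -d.
    """
    if dnat_match_dst is None or dst == dnat_match_dst:
        dst = SERVER                       # PREROUTING: DNAT --to 90.0.0.1:80
    if masquerade and ip_address(src) in LAN and dst == SERVER:
        src = ROUTER_LAN                   # POSTROUTING: MASQUERADE
    return src, dst


def client_accepts_reply(masquerade):
    """Does CLIENT receive a reply from the address it connected to?"""
    seen_src, _ = route_via_router(CLIENT, PUBLIC_IP, masquerade=masquerade)
    if seen_src == ROUTER_LAN:
        # Server answers the router; connection tracking undoes both
        # translations, so the reply reaches the client from PUBLIC_IP.
        reply_src = PUBLIC_IP
    else:
        # Server sees a same-subnet source and answers it directly,
        # bypassing the router: the reply's source is still 90.0.0.1.
        reply_src = SERVER
    return reply_src == PUBLIC_IP          # client's socket expects PUBLIC_IP


def logged_client_ip(masquerade=True):
    """Source address the web server records for a LAN client's request."""
    return route_via_router(CLIENT, PUBLIC_IP, masquerade=masquerade)[0]


if __name__ == "__main__":
    print("DNAT only:         reply accepted =", client_accepts_reply(False))
    print("DNAT + MASQUERADE: reply accepted =", client_accepts_reply(True))
    print("server logs LAN client as", logged_client_ip())
    print("DNAT without -d sends", route_via_router(CLIENT, "198.51.100.7", None))
```

With MASQUERADE in place, every LAN request shows up in the web server's access log as coming from the router's LAN address, so per-client attribution for internal users has to come from the router's own logs.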


 