
I have searched and searched and tried several different things and have not been able to find a solution.

Here's my situation:

node1 has 2 interfaces: eth0 (Public IP: 56.X.X.X), and eth1 (Private IP: 10.X.X.X)

node2 has 2 interfaces: eth0 (Public IP: 56.X.X.X), and eth1 (Private IP: 10.X.X.X)

Each node is running Ubuntu 10.04 LTS

From this setup node1 and node2 each have access to the internet but also connect to each other privately through a LAN.

What I want to accomplish is have node1 be a firewall and proxy server for node2 and many other nodes which I will deploy later. node1 will have the only access to the internet as I will disable eth0 on node2 so that node2 only has access to anything on its private network.

Simply put, how can I forward a www request that comes into node1 on eth0 and forward it to node2 using eth1, while node2 acts as the webserver for that request?

After following the example below, here is my iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             10.182.43.193        state NEW tcp dpt:www
ACCEPT     tcp  --  anywhere             10.182.43.193        state NEW tcp dpt:https
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Here is my iptables -t nat -L:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             firewall             to:10.182.43.193

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

2 Answers


I'll assign some arbitrary IP addresses to make this clear. Substitute in your real addresses.

node1 eth0: 56.0.0.1
node1 eth1: 10.0.0.1
node2 eth0: 56.0.0.2
node2 eth1: 10.0.0.2

If node1 is to be your gateway/firewall machine, you'll need to run iptables to handle the NAT/forwarding.

# iptables config on node1
# set up a destination nat from 56.0.0.2 to 10.0.0.2
iptables -t nat -A PREROUTING -d 56.0.0.2 -j DNAT --to-destination 10.0.0.2
# open port 80/443
iptables -A INPUT -d 10.0.0.2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -d 10.0.0.2 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# related/established traffic
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

You do not need eth0 on node2 to be configured. Rather, you need to configure the 56.0.0.2 IP address on node1 to use it uniquely to map to node2.

  • When I run iptables -A PREROUTING -d 56.0.0.2 -j DNAT --to-destination 10.0.0.2 I get an error: "iptables: No chain/target/match by that name." Any ideas? Commented Jun 18, 2011 at 4:58
  • Sorry, my mistake. I'm copying from my live config which has the table name on a different line for the entire section. You'll need to add -t nat to that line. I'll update above. Commented Jun 18, 2011 at 5:04
  • I tried exactly what you suggested, and applied the iptables and confirmed the application, and now I try to http://{firewall-ip} and it just hangs. Any ideas on this? This seemed to always be the issue no matter what I tried. Commented Jun 18, 2011 at 5:12
  • You need to connect to node2 public IP: 56.0.0.2. First, check that you can connect to node2 private IP from node1. From node1, telnet node2 80. Also, make sure you configure node2 public IP on node1 as I stated above. Commented Jun 18, 2011 at 5:15
  • I'm really new to this, how do I configure node2 public IP on node1? Are you talking about the hosts file? Commented Jun 18, 2011 at 5:19
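Added example for the DNAT answer above (not the answer's own config): a script that generates the complete node1 ruleset in iptables-restore format so it can be reviewed before it is loaded. Two things the answer's rules leave out are worth seeing in full: a DNAT'd packet whose new destination is another host is forwarded, so it is checked in the FORWARD chain rather than INPUT, and the kernel only forwards at all when net.ipv4.ip_forward is 1 (a hung connection with no error is the usual symptom of forgetting either). The addresses are the answer's placeholders; the interface names, the default-deny FORWARD policy and the MASQUERADE rule on the return path are assumptions made here.

```shell
#!/bin/sh
# Added example: build a reviewable iptables-restore ruleset for node1 that
# forwards inbound HTTP/HTTPS on its public address to node2 on the LAN.
# Addresses are the answer's placeholders; interface names, the default-deny
# FORWARD policy and the MASQUERADE return path are assumptions made here.

PUB_IF="eth0"            # node1 public interface
PRIV_IF="eth1"           # node1 private (LAN) interface
PUB_IP="56.0.0.2"        # public address node1 answers for on behalf of node2
NODE2_IP="10.0.0.2"      # node2 private address
PORTS="80 443"           # services exposed on node2

# NAT table: rewrite the destination on the way in, and rewrite the source
# on the way out to node2 so its replies come back through node1 even when
# node2's default route is not node1. The price is that node2's web logs
# show node1's address rather than the client's.
gen_nat_table() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    for p in $PORTS; do
        echo "-A PREROUTING -i $PUB_IF -d $PUB_IP -p tcp --dport $p -j DNAT --to-destination $NODE2_IP:$p"
    done
    echo "-A POSTROUTING -o $PRIV_IF -d $NODE2_IP -p tcp -j MASQUERADE"
    echo 'COMMIT'
}

# Filter table: after DNAT the packets are forwarded, not delivered locally,
# so they are checked in FORWARD, not INPUT. Default-deny FORWARD and allow
# only new connections to the two service ports plus reply traffic.
gen_filter_table() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for p in $PORTS; do
        echo "-A FORWARD -i $PUB_IF -o $PRIV_IF -d $NODE2_IP -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Whole ruleset, both tables, in the order iptables-restore expects.
gen_ruleset() {
    gen_nat_table
    gen_filter_table
}

# Number of rule lines in the generated set (a quick sanity check).
count_rules() {
    gen_ruleset | grep -c '^-A '
}

# Returns 0 only when the running kernel has IP forwarding switched on.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Apply on node1 as root: enable forwarding, then load the reviewed ruleset
# atomically (iptables-restore replaces the nat and filter tables in one go).
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | iptables-restore
}
```

Run `gen_ruleset` first and read the output; only call `apply_ruleset` once the rules look right, since iptables-restore replaces the existing tables rather than appending to them. If node2's web server needs the real client address, drop the MASQUERADE line and instead give node2 a default route via node1's LAN address (10.0.0.1 in the answer's numbering), so that replies return through the same box that did the DNAT.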

If node2 is supposed to have its own IP address, then you don't need port forwarding, you need proxy ARP and routing.

On node2 disable eth0 and add the public IP to any other interface, eg:

ip addr add 56.0.0.2/32 dev eth1 

On node1 set up the route to the node2 via eth1:

ip route add 56.0.0.2 dev eth1 

and enable proxy ARP responses on eth0 (so node1 will answer for ARP requests for node2):

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp 

This will make all traffic to node2 go through node1. You may then set up iptables rules to limit it like any other forwarded traffic. This doesn't do any application-level proxying, but you can still achieve that with iptables rules.

Setting these permanently generally depends on the distribution; I don't know Ubuntu well enough, but the 'proxy_arp' setting can probably be set in /etc/sysctl.conf:

net.ipv4.conf.eth0.proxy_arp = 1 

The IP address on node2's eth1 should be added to the interface configuration (but without any netmask, or with prefix length '/32'); there should also be a place to put the static routes (/etc/sysconfig/static-routes on my system).
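Added example for the proxy ARP answer above (not the answer's own commands): the node1 and node2 steps as shell functions with a dry-run mode, so the exact commands can be reviewed before they are run as root. It also fills in two pieces a working setup needs that the answer only alludes to: node1 must have IP forwarding on, and node2 needs a default route back through node1's LAN address, otherwise its replies never leave the LAN. The addresses are the answer's placeholders; the interface names, the default route via 10.0.0.1 and the FORWARD-chain filtering (the answer's "like any other forwarded traffic") are assumptions made here.

```shell
#!/bin/sh
# Added example: the proxy ARP + routing layout from the answer as shell
# functions with a dry-run mode. Addresses are the answer's placeholders;
# interface names, node2's default route via node1 and the FORWARD-chain
# filtering are assumptions made here.

NODE2_PUB="56.0.0.2"     # public address that node2 keeps
NODE2_PRIV="10.0.0.2"    # node2 on the LAN
NODE1_PRIV="10.0.0.1"    # node1 on the LAN (node2's default gateway)
PUB_IF="eth0"            # public-facing interface on both nodes
PRIV_IF="eth1"           # LAN interface on both nodes

# Run a command, or only print it when DRY_RUN is set (review mode).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# node1: forward packets, send node2's public address out eth1, and answer
# ARP for it on eth0. No address rewriting happens, so node2 sees the
# real client addresses in its logs.
node1_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip route replace "$NODE2_PUB/32" dev "$PRIV_IF"
    run sysctl -w "net.ipv4.conf.$PUB_IF.proxy_arp=1"
}

# node1: limit what may be forwarded to node2. Default-deny, then allow new
# web connections in and reply traffic in both directions. The destination
# is node2's public address because nothing has translated it.
node1_filter() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    for p in 80 443; do
        run iptables -A FORWARD -i "$PUB_IF" -o "$PRIV_IF" -d "$NODE2_PUB" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
}

# node2: take eth0 down, hold the public address as a /32 on eth1 (no
# subnet, so node2 does not try to ARP for other 56.x hosts on the LAN)
# and send everything non-local back through node1.
node2_setup() {
    run ip link set "$PUB_IF" down
    run ip addr replace "$NODE2_PUB/32" dev "$PRIV_IF"
    run ip route replace default via "$NODE1_PRIV" dev "$PRIV_IF"
}

# Quick check on node1 that the two routing-side settings are in place;
# returns 0 only if both the proxy_arp flag and the /32 route are present.
node1_verify() {
    [ "$(cat /proc/sys/net/ipv4/conf/$PUB_IF/proxy_arp 2>/dev/null)" = "1" ] &&
    ip route show "$NODE2_PUB/32" 2>/dev/null | grep -q "dev $PRIV_IF"
}
```

To review: `DRY_RUN=1 sh -c '. ./proxyarp.sh; node1_setup; node1_filter; node2_setup'` prints every command without touching anything (the script file name is a placeholder). `replace` is used instead of `add` for the route and address so the functions can be re-run after a reboot or a partial failure without an "already exists" error; the iptables rules in node1_filter are appended, so flush the FORWARD chain first if you run that function twice.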
