I have a Linux router with a web server. This router has three public IPs
and three links to separate providers.
Now I want to set up an independent internal web server, so I'd like to
forward ports 80 and 443 to this machine.
I tried to do port forwarding with iptables and iproute, but I can't
find how to direct returning traffic over the same link as incoming.
I guess that it should be done somehow with conntrack, but I have no
idea how to do it.
best regards
J.
Jarek wrote:
>
> I have a Linux router with a web server. This router has three public IPs
> and three links to separate providers.
> Now I want to set up an independent internal web server, so I'd like to
> forward ports 80 and 443 to this machine.
> I tried to do port forwarding with iptables and iproute, but I can't
> find how to direct returning traffic over the same link as incoming.
How did you do it when the web server was on the router? Can't you use the
same method?
Now I have one Linux machine working as router and web server. The router
connects the LAN to the internet via 3 independent links, with 3 public IPs.
Now I want to set up a DMZ with a dedicated web server. It works if I'm
connecting from the internet to the IP on which there is the default gateway (let's
say IP1), but if I'm connecting to IP2, packets are forwarded properly
to the web server, but responding packets are going via IP1.
Jarek
You already said that. It does not answer my question.
Err, doesn't the router handle this automatically? AFIUI, just because
you forward ports 80 & 443, the packet doesn't lose the origination
address and the web server will just send its reply to that address. Do
you just need to allow the web server to send packets outside in iptables?
On Wed, 04 Nov 2009 23:24:44 +0100, Jarek <ja...@nospam.pl> wrote:
>Now I have one Linux machine working as router and web server. The router
>connects the LAN to the internet via 3 independent links, with 3 public IPs.
>Now I want to set up a DMZ with a dedicated web server. It works if I'm
>connecting from the internet to the IP on which there is the default gateway (let's
>say IP1), but if I'm connecting to IP2, packets are forwarded properly
>to the web server, but responding packets are going via IP1.
To handle multiple external IP addresses, where the request could have
come in through any of the interfaces, you need one local IP address
on the server for each external IP address. So in your case you need
three IP addresses on the server. They can all be on the same
physical interface.
You DNAT one-to-one between the external IP addresses on the router
and the internal IP addresses on the server.
You use advanced routing to route the outgoing packets based on which
IP address on the server they are coming from. You'll need a special
routing table to match up with each DNAT rule, then advanced routing
rules to point to the special tables.
To handle internal access, you use the advanced routing rules to route
internal traffic using the main routing table before the special rules
kick in.
--
Ken
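The three steps Ken describes (one-to-one DNAT per public IP, one routing table per uplink selected by the server-side source address, and a higher-priority rule that keeps LAN traffic on the main table) written out as an added example. This is not Ken's or Jarek's configuration: the interface names, the TEST-NET addresses, the internal server addresses and the table numbers are all constructed placeholders, and the script prints the commands unless `APPLY=1` is set so the plan can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or the answerer's configuration):
# one DNAT per public IP into a distinct internal address on the DMZ server, one
# routing table per uplink, and ip rules that choose the table from the reply's
# server-side source address. Every address, interface name and table number is a
# constructed placeholder. Commands are printed unless APPLY=1 is set (dry run).

# One line per uplink: "<table> <wan_if> <router_public_ip> <uplink_gateway> <server_internal_ip>"
UPLINKS='
101 eth1 198.51.100.10 198.51.100.1 10.0.0.10
102 eth2 203.0.113.20 203.0.113.1 10.0.0.20
103 eth3 192.0.2.30 192.0.2.1 10.0.0.30
'
DMZ_IF=eth0          # router interface facing the DMZ server
LAN_NET=10.0.0.0/24  # internal network that must keep using the main table

# run: execute the command when APPLY=1, otherwise print it (dry run)
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# lan_rule: internal access is routed by the main table before the per-uplink rules kick in
lan_rule() {
    run ip rule add to "$LAN_NET" table main priority 500
}

# uplink_rules: DNAT, FORWARD accepts, special routing table and its ip rule for one uplink
uplink_rules() {
    table=$1 wan_if=$2 pub_ip=$3 gw=$4 srv_ip=$5
    for port in 80 443; do
        # inbound: public IP of this uplink -> the internal address mapped to it (1:1 DNAT),
        # restricted to the two forwarded ports
        run iptables -t nat -A PREROUTING -i "$wan_if" -d "$pub_ip" -p tcp --dport "$port" \
            -j DNAT --to-destination "$srv_ip:$port"
        run iptables -A FORWARD -i "$wan_if" -o "$DMZ_IF" -d "$srv_ip" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    done
    # replies only: nothing else from the server may leave over this uplink
    run iptables -A FORWARD -i "$DMZ_IF" -o "$wan_if" -s "$srv_ip" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # special table: a default route via this uplink's gateway and nothing else
    run ip route add default via "$gw" dev "$wan_if" table "$table"
    # when the routing decision is made the reply still carries the server's internal
    # source address (conntrack reverses the DNAT afterwards, in POSTROUTING), so the
    # rule selects the table on that address
    run ip rule add from "$srv_ip" table "$table" priority 1000
}

# configure: emit (or apply) the whole policy for every uplink listed in UPLINKS
configure() {
    lan_rule
    printf '%s\n' "$UPLINKS" | while read -r table wan_if pub_ip gw srv_ip; do
        if [ -n "$table" ]; then
            uplink_rules "$table" "$wan_if" "$pub_ip" "$gw" "$srv_ip"
        fi
    done
}

configure
```

Run it once without `APPLY` to read the generated rules, then with `APPLY=1` as root to install them. The rule at priority 500 is what keeps the server reachable from the LAN: without it, a reply to an internal client sourced from 10.0.0.20 would match the priority-1000 rule and be pushed out of eth2 instead of back onto the LAN.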