[olug] iptables behind router

William E. Kempf wekempf at cox.net
Tue Sep 14 07:21:47 UTC 2004


On Mon, September 13, 2004 5:57 pm, Jeff Hinrichs said:
> William E. Kempf said:
>> Here's my network topology:
>>
>> [cable modem (cox)]<--->[router]<--->[comp A]
>>                                 <--->[comp B]
>>                                 <--->[WAP]<--->[laptop]
>>
>> The router is a Linksys router, and the built in firewall is
>> minimalistic (well, at least what's readily available without
>> hacking... I realize it's a Linux box under the covers).  For me, the
>> biggest problem is that it only allows you to forward 5 ports, and I run
>> a lot more servers than that.  So, I DMZed [comp A], my Linux box, and
>> have set up iptables on it.
>>  I can open specific ports on this computer easily enough, so for the
>> most
>> part life is grand.  However... I'd like to be able to have [comp A]
>> forward some ports to [comp B].
>
> While not the answer to your specific question, this might solve your
> problem.
>
> Have the linksys do the port-forwarding for you.  You can forward a range
> of ports from the router to an internal IP address.  The machines you are
> forwarding to will need to have static internal IP addresses.
>
> i.e. assuming the following for purposes of explanation:
> CompA is 192.168.1.7
> CompB is 192.168.1.8
> WAP is a 192.168.1.9
> laptop is configured by DHCP in a range outside of the previously
> mentioned IPs.

That's the problem though.  All machines already run with static IPs, but
the Linksys is very limited in the number of ports it can forward.  Using
ranges helps, but in my situation, isn't enough.  The public interface on
the router just won't allow me to route all the ports I need to.

> Then in the advance menu of the linksys, tell it to forward ports
> 8080-8080 to 192.168.1.7, and ports 8081-8081 to 192.168.1.8, you could
> then have apache running on both CompA @ port 8080, and on CompB on port
> 8081
>
> Then requests to http://YOURPUBLICIP:8080/ would go to apache on CompA and
> requests to http://YOURPUBLICIP:8081/ would go to apache on CompB.  Apache
> is just an example, you can configure other services, ssh, cvs, svn, etc..
> to listen on whatever port you want.
>
> Running multiple interfaces on a computer behind a NAT'd firewall to serve
> as a second router might just confuse you to tears if you haven't had
> any/much experience with it.  While in the realm of possibility, it's
> probably not the thing you are trying to work at right now.  *I could be
> very wrong about that, my apologies if so*

Actually, I'm trying to avoid the multiple interface part of this
equation.  So it's probably worse.  But this is truly what I want to do.

> Also, one more thing, Running a client on the DMZ and forwarding a port
> will cause one of the two to take precedence, both will not get the
> incoming packet.  I don't recall with linksys which takes the packet.  But
> I'd shutdown the DMZ while you are getting this set up so as not to
> complicate the situation.

The forward takes precedence.  The DMZ only receives traffic not
specifically routed.

-- 
William E. Kempf
wekempf at cox.net
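The setup William describes (comp A is the Linksys DMZ host and should hand a few of its incoming ports on to comp B) needs three iptables pieces: a DNAT in PREROUTING, matching FORWARD rules, and an SNAT in POSTROUTING. The SNAT is the part people usually miss: comp B is on the same subnet as comp A, so without it comp B would answer the outside client straight through the Linksys and the connection would never complete. The script below is an added example, not code from the thread; it uses the addresses Jeff assumed for illustration (comp A 192.168.1.7, comp B 192.168.1.8) and assumes comp A has a single interface named eth0.

```shell
#!/bin/sh
# Added example (not from the thread): forward one TCP port that arrives at
# the DMZ host (comp A) on to comp B using iptables.
# Assumptions: comp A is 192.168.1.7, comp B is 192.168.1.8, comp A has a
# single NIC called eth0.
COMP_A_IP=${COMP_A_IP:-192.168.1.7}   # DMZ host, where these rules run
LAN_IF=${LAN_IF:-eth0}                # comp A's only interface (assumed)

# Print the command instead of executing it when DRY_RUN=1, so the rule set
# can be reviewed without root and without touching the live firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# forward_port PORT TARGET_IP: DNAT + FORWARD + SNAT for a single TCP port.
forward_port() {
    port=$1
    target=$2
    # The kernel must be willing to route packets not addressed to comp A.
    run sysctl -w net.ipv4.ip_forward=1
    # 1. Rewrite the destination of incoming connections on PORT to comp B.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$target:$port"
    # 2. Allow the forwarded connection in both directions. With one NIC the
    #    packet enters and leaves on the same interface, hence -i and -o eth0.
    #    Only this port is opened; FORWARD can stay at a DROP policy.
    run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$target" -p tcp --dport "$port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$target" -p tcp --sport "$port" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Comp B shares comp A's subnet, so its replies would otherwise go
    #    directly to the Linksys and bypass comp A's connection tracking.
    #    Rewriting the source to comp A forces the reply path back through it.
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -d "$target" -p tcp --dport "$port" \
        -j SNAT --to-source "$COMP_A_IP"
}

# Usage:  ./fwd.sh 8081 192.168.1.8
#         DRY_RUN=1 ./fwd.sh 8081 192.168.1.8   (review the rules first)
if [ $# -ge 2 ]; then
    forward_port "$1" "$2"
fi
```

Two things worth checking after applying this: `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` should show the counters increasing on these exact rules when a connection comes in, and, as William notes, a port the Linksys already forwards elsewhere will never reach comp A at all, so the DMZ host only ever sees the ports the router has not claimed.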