something better than port forwarding perhaps?


Post by Soyrunne » Tue, 19 Oct 2004 00:17:15



I have a small network of 4 systems, 2 Debian Woody, 2 Win98SE on a hub, the
gateway with 2 NICS the second NIC to a cable-modem with a stable IP address
tho DHCP.  The machines use MASQ to access the internet.  I use Apache for
web access from the internet on the gateway.  I also have Apache on one of
the local machines running a BBS.  The gateway machine has my homepage and
some pages accessed frequently by a club's members.  I use ipmasqadm portfw
to send all connects to gateway:8080 back to 80 on the system with the BBS.
This works well for the most part except at the college computer lab where a
firewall rule I assume blocks connects to port forwarded boxes.  I can
connect to the BBS from the public library and from a dial-up.

I've tried using the gateway Apache's VirtualHost to move connects to
bbs.domainname.com to domainname.com:8080.  The purpose was to allow the BBS
to be addressed without 8080 specified in the address.  Unfortunately this
failed.

http://bbs.domainname.com brings me to http://www.domainname.com instead of
http://www.domainname.com:8080 or http://domainname.com:8080, either of
which can connect to the BBS.

The BBS system machine is on a 'non-routable' private IP address,
192.168.1.16.

So, my question:
Is what I'm trying to do possible with Apache?  I have such little activity
on my private family&friends BBS the purchase of a dedicated IP address
isn't in the picture.

Bill

 
 
 


Post by Allen Kistle » Tue, 19 Oct 2004 02:54:18



> I have a small network of 4 systems, 2 Debian Woody, 2 Win98SE on a hub, the
> gateway with 2 NICS the second NIC to a cable-modem with a stable IP address
> tho DHCP.  The machines use MASQ to access the internet.  I use Apache for
> web access from the internet on the gateway.  I also have Apache on one of
> the local machines running a BBS.  The gateway machine has my homepage and
> some pages accessed frequently by a club's members.  I use ipmasqadm portfw
> to send all connects to gateway:8080 back to 80 on the system with the BBS.
> This works well for the most part except at the college computer lab where a
> firewall rule I assume blocks connects to port forwarded boxes.  I can
> connect to the BBS from the public library and from a dial-up.

> [snip]

Port 8080 is common for proxies.  Your college probably blocks outbound
access to non-campus proxies and perhaps lots of other stuff, too.
Their firewall would have no idea if the IP address is forwarded or not.

 
 
 


Post by David Efflan » Tue, 19 Oct 2004 09:52:38



> I have a small network of 4 systems, 2 Debian Woody, 2 Win98SE on a hub, the
> gateway with 2 NICS the second NIC to a cable-modem with a stable IP address
> tho DHCP.  The machines use MASQ to access the internet.  I use Apache for
> web access from the internet on the gateway.  I also have Apache on one of
> the local machines running a BBS.  The gateway machine has my homepage and
> some pages accessed frequently by a club's members.  I use ipmasqadm portfw
> to send all connects to gateway:8080 back to 80 on the system with the BBS.
> This works well for the most part except at the college computer lab where a
> firewall rule I assume blocks connects to port forwarded boxes.  I can
> connect to the BBS from the public library and from a dial-up.

> I've tried using the gateway Apache's VirtualHost to move connects to
> bbs.domainname.com to domainname.com:8080.  The purpose was to allow the BBS
> to be addressed without 8080 specified in the address.  Unfortunately this
> failed.

> http://bbs.domainname.com brings me to http://www.domainname.com instead of
> http://www.domainname.com:8080 or http://domainname.com:8080, either of
> which can connect to the BBS.

> The BBS system machine is on a 'non-routable' private IP address,
> 192.168.1.16.

> So, my question:
> Is what I'm trying to do possible with Apache?  I have such little activity
> on my private family&friends BBS the purchase of a dedicated IP address
> isn't in the picture.

See apache docs for mod_proxy and ProxyPass which can proxy an internal
server without having to use a non-standard port. But first get your name
based virtual hosting working with something in a directory.  You need to
specify NameVirtualHost, which could be wildcard * if your public IP might
change (dynamic) or not directly on your gateway box (ie, if your modem is
a modem/router and gives you a private IP).  Note that with
NameVirtualHost, the first virtual host is the default if there is no
ServerName or ServerAlias match with another vhost.  If you do use a
non-standard port for one vhost, you may need to specify the port for all
vhosts, even IP:80.

It also helps to set UseCanonicalName off so any automatic redirects will
not get misdirected to the wrong server name.

Once you get the name virtual hosting working, you can switch from a
directory to ProxyPass to proxy the other private server.  You will not
need ipmasqadm portfw.  But isn't that from ipchains?  If your system is
so old that it only has ipchains, it should likely be updated (due to a
number of security exploits including telnet and libs used by ssh and
apache ssl).
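
The setup this answer describes, as an added configuration example that is not part of the original post. The hostnames and 192.168.1.16 come from the thread; the DocumentRoot path is hypothetical, mod_proxy is assumed to be loaded, and `ProxyRequests Off` is an addition that keeps the gateway from acting as an open forward proxy.

```apache
# Added example, not from the original posts.
# Assumes mod_proxy is loaded (plus mod_proxy_http on Apache 2.x).

# Name-based vhosts on any local address, since the public IP comes via DHCP.
NameVirtualHost *

# Build self-referential URLs from the client's Host header, not ServerName,
# so automatic redirects stay on the name the visitor actually used.
UseCanonicalName Off

# Reverse proxy only: refuse to relay requests for arbitrary outside URLs.
ProxyRequests Off

# First vhost listed = default for any Host header that matches nothing else.
<VirtualHost *>
    ServerName www.domainname.com
    ServerAlias domainname.com
    # Hypothetical path for the homepage and club pages on the gateway.
    DocumentRoot /var/www/home
</VirtualHost>

# BBS on the private machine, reachable by name on the standard port.
<VirtualHost *>
    ServerName bbs.domainname.com
    # Hand every request to the internal Apache on port 80.
    ProxyPass        / http://192.168.1.16/
    # Rewrite Location headers so redirects issued by the BBS never
    # expose the private address to outside clients.
    ProxyPassReverse / http://192.168.1.16/
</VirtualHost>
```

With this in place the BBS machine sees every request as coming from the gateway's internal address, so client IPs have to be read from the gateway's access log rather than the BBS's own.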

 
 
 

1. Something complicated with port forwarding

Hi all,

I'm trying to get my head around port forwarding - none of the common
examples really match what I want to do, and I'm having trouble
modifying them to meet my needs.

I want to have one machine with several names (i.e. webtest, webdev,
webdb, webserve), which will be what the users use. The machine will
then take requests (say http requests), and on the basis of the name
used to access the machine, forward the request onto another machine.

For example, if my machine was 10.0.0.1, and had both the names
webtest and webserver, a user might type http://webserver/ in their
browser. My machine would recognise it was being accessed by the name
webserver, and then forward the request onto the real webserver,
10.0.0.2. If instead the user typed http://webtest/, the machine would
recognise that they really wanted to access the development server,
and forward the request on to 10.0.0.30.

This would be nice because we could then implement failovers (i.e. if
10.0.0.2 was not responding, it could instead farm the packet out to
10.0.0.3 instead, avoiding the caching effects present when doing this
at the nameserver level). Also, it would mean we wouldn't have to
install all our machines with the same name, etc.

I'm sure you get the idea anyway.

What do people suggest?

-Tennessee
