[NTLUG:Discuss] port forwarding for multiple servers

Paul Ingendorf pauldy at wantek.net
Mon Mar 4 17:48:03 CST 2002


I can't tell you about IPCOP but with iptables you can do this fairly painlessly.  Everything in IPCOP is based off packages readily available so I couldn't imagine it to be all that difficult.

This is how I would do it.

ifconfig ethX:1 x.x.x.x netmask a.a.a.a broadcast b.b.b.b up

# Match on the real interface name and the destination address: the kernel
# reports packets as received on ethX, so "-i ethX:1" would never match.
iptables -t nat -A PREROUTING -i ethX -d x.x.x.x -p tcp --dport 80 -j DNAT --to-destination y.y.y.y

Where x.x.x.x is the external IP address and y.y.y.y is the internal IP address.

Then you can run something like PortSentry on the machine and block out access to all machines from an IP when a port scan is detected on this machine.  This is very simple to set up, and other things can be done such that if the packet comes through this machine you can control what happens to it.


-----Original Message-----
From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org] On Behalf Of Raymond Norton
Sent: Monday, March 04, 2002 11:13 AM
To: discuss at ntlug.org
Subject: [NTLUG:Discuss] port forwarding for multiple servers


I set IPCOP up last week, and it is pretty cool. I posted this question on
their newsgroup. I have 3 web and mail servers. Is there a way to put them
on a DMZ or on the green interface and forward services to the individual
boxes? They did not seem to think it could be done without some fancy DNS.
Does anyone know if there is a way around this, or maybe another product is
better suited? We use a PIX which can do this at our gateway, but we need
to tighten protection for individual schools inside our network. I would
like it to be straightforward without too many complexities, since I am
just getting familiar with this.

-- 
Raymond Norton
Little Crow Telemedia Network
320-234-0270



_______________________________________________
http://www.ntlug.org/mailman/listinfo/discuss
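The thread asks about three web and mail servers behind one firewall; the reply shows a single alias plus one DNAT rule. The script below is an added example (not from the original posts and not IPCop's own code) that generalises that pattern to any number of servers: it generates the ifconfig alias, the PREROUTING DNAT rule and the matching FORWARD rule for each external-to-internal mapping, and prints them for review before anything is applied. The interface name eth0, the netmask, the RFC 5737/RFC 1918 addresses and the port list are all constructed placeholders; the multiport and state matches are standard iptables modules.

```shell
#!/bin/sh
# Added example, not from the original post or from IPCop: generate the
# ifconfig/iptables commands that publish several external addresses on one
# firewall and DNAT each one to its own internal web/mail server.
# All addresses, interface names and ports below are constructed placeholders
# (RFC 5737 / RFC 1918 ranges); adjust them for a real network.

WAN_IF="eth0"                 # interface facing the upstream router (assumed)
WAN_MASK="255.255.255.0"      # netmask of the external subnet (assumed)

# One mapping per line: external_ip internal_ip comma-separated tcp ports
MAPPINGS="
203.0.113.10 192.168.1.10 25,80,443
203.0.113.11 192.168.1.11 25,80,443
203.0.113.12 192.168.1.12 25,80,443
"

# Rules that apply once, independent of how many servers are published.
global_rules() {
  # Replies and related traffic for connections already accepted below.
  printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# Emit the commands for one external->internal mapping.
# $1 external IP, $2 internal IP, $3 port list, $4 alias index for ethX:N
rules_for() {
  ext="$1"; int="$2"; ports="$3"; idx="$4"
  # Bind the extra public address as an alias of the WAN interface.
  printf 'ifconfig %s:%s %s netmask %s up\n' "$WAN_IF" "$idx" "$ext" "$WAN_MASK"
  # Rewrite the destination. Match on -d and the real interface name: the
  # kernel reports incoming packets on eth0, never on the eth0:N alias.
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp -m multiport --dports %s -j DNAT --to-destination %s\n' \
    "$WAN_IF" "$ext" "$ports" "$int"
  # DNAT alone is not enough when FORWARD's policy is DROP: admit new
  # connections only to the published ports of that one internal host.
  printf 'iptables -A FORWARD -i %s -d %s -p tcp -m multiport --dports %s -m state --state NEW -j ACCEPT\n' \
    "$WAN_IF" "$int" "$ports"
}

# Walk the mapping table, numbering aliases eth0:1, eth0:2, ...
generate_all() {
  global_rules
  i=1
  printf '%s\n' "$MAPPINGS" | while read -r ext int ports; do
    [ -n "$ext" ] || continue         # skip blank lines
    rules_for "$ext" "$int" "$ports" "$i"
    i=$((i + 1))
  done
}

# Print the commands by default; run them only when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
  generate_all | sh -e
else
  generate_all
fi
```

Run it without arguments to inspect the generated rules, and with `--apply` (as root) to execute them. Each server only gets the ports listed for it in the FORWARD chain, so a DROP policy there still blocks everything else reaching the internal hosts, and the external address is matched with `-d` rather than the alias name, which iptables cannot match on.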