[olug] iptables behind router

Jeff Hinrichs jeffh at delasco.com
Mon Sep 13 22:57:55 UTC 2004


William E. Kempf said:
> Here's my network topology:
>
> [cable modem (cox)]<--->[router]<--->[comp A]
>                                 <--->[comp B]
>                                 <--->[WAP]<--->[laptop]
>
> The router is a Linksys router, and the built in firewall is
> minimalistic (well, at least what's readily available without
> hacking... I realize it's a Linux box under the covers).  For me, the
> biggest problem is that it only allows you to forward 5 ports, and I run
> a lot more servers than that.  So, I DMZed [comp A], my Linux box, and
> have set up iptables on it.
> I can open specific ports on this computer easily enough, so for the
> most part life is grand.  However... I'd like to be able to have [comp A]
> forward some ports to [comp B].

While not the answer to your specific question, this might solve your
problem.

Have the Linksys do the port-forwarding for you.  You can forward a range
of ports from the router to an internal IP address.  The machines you are
forwarding to will need to have static internal IP addresses.

i.e., assuming the following for purposes of explanation:
CompA is 192.168.1.7
CompB is 192.168.1.8
WAP is 192.168.1.9
laptop is configured by DHCP in a range outside of the previously
mentioned IPs.

Then in the advanced menu of the Linksys, tell it to forward ports
8080-8080 to 192.168.1.7, and ports 8081-8081 to 192.168.1.8.  You could
then have Apache running on both CompA on port 8080 and CompB on port
8081.

Then requests to http://YOURPUBLICIP:8080/ would go to Apache on CompA and
requests to http://YOURPUBLICIP:8081/ would go to Apache on CompB.  Apache
is just an example; you can configure other services (ssh, cvs, svn, etc.)
to listen on whatever port you want.

Running multiple interfaces on a computer behind a NAT'd firewall to serve
as a second router might just confuse you to tears if you haven't had
any/much experience with it.  While in the realm of possibility, it's
probably not the thing you are trying to work at right now.  *I could be
very wrong about that, my apologies if so*

Also, one more thing: running a client on the DMZ and forwarding a port
will cause one of the two to take precedence; both will not get the
incoming packet.  I don't recall with Linksys which takes the packet.  But
I'd shut down the DMZ while you are getting this set up so as not to
complicate the situation.

hth,
Jeff
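The iptables side of the original question (comp A, the DMZ host, passing one port on to comp B), as an added example that is not part of either message in this thread; it assumes the addresses Jeff uses above, TCP port 8081, and that comp A's LAN interface is eth0.

```shell
#!/bin/sh
# Added example, not from the thread.  Prints the commands by default;
# run as root with APPLY=1 to actually execute them on comp A.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

enable_forwarding() {
  # comp A must route, not just accept, packets for this to work.
  run sysctl -w net.ipv4.ip_forward=1
}

# forward_port <iface> <comp_a_ip> <tcp_port> <comp_b_ip>
forward_port() {
  iface="$1"; local_ip="$2"; port="$3"; target="$4"
  # Rewrite the destination so the packet is delivered to comp B.
  run iptables -t nat -A PREROUTING -i "$iface" -p tcp -d "$local_ip" \
    --dport "$port" -j DNAT --to-destination "$target:$port"
  # Let the new connection through a default-deny FORWARD chain ...
  run iptables -A FORWARD -i "$iface" -o "$iface" -p tcp -d "$target" \
    --dport "$port" -m state --state NEW -j ACCEPT
  # ... and the replies that belong to it.
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # comp B's default gateway is the Linksys, not comp A, so replies would
  # otherwise bypass comp A and the connection never completes.  SNAT to
  # comp A's address pulls the return path back through it; the cost is
  # that comp B's logs show comp A, not the real client, so keep the
  # connection logging on comp A.
  run iptables -t nat -A POSTROUTING -o "$iface" -p tcp -d "$target" \
    --dport "$port" -j SNAT --to-source "$local_ip"
}

# Topology from the thread (assumed addresses): CompA 192.168.1.7, CompB 192.168.1.8.
enable_forwarding
forward_port eth0 192.168.1.7 8081 192.168.1.8
```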
