* iptables: hide the real web server from users
@ 2007-02-14 12:53 Tim Perton
  2007-02-14 13:08 ` Rodrigo Montoro (Sp0oKeR)
  2007-02-14 15:42 ` Grant Taylor
  0 siblings, 2 replies; 12+ messages in thread
From: Tim Perton @ 2007-02-14 12:53 UTC (permalink / raw)
  To: netfilter

Dear friends,
I have a web server running on system B. I run my main
services to System B but I do not want my users to
talk to system B directly.
So I have another server (System A) in a different
ISP & a completely different C class IP address like
below:

-----------------------------
--- System A (IP=a.b.c.d) ---
-----------------------------

-----------------------------
--- System B (IP=e.f.g.h) ---
-----------------------------

System A runs iptables(redhat EL4).

I want my users to do a request like
http://a.b.c.d/1.php and then machine A to make the
same request to System B, get the results and send
them back to the user transparently.
Practically System A to act as an intermediary to
the real machine (System B).

Any idea on how to do this?

Regards,
Tim Perton


 

* Re: iptables: hide the real web server from users
  2007-02-14 12:53 iptables: hide the real web server from users Tim Perton
@ 2007-02-14 13:08 ` Rodrigo Montoro (Sp0oKeR)
  2007-02-14 14:40   ` Rob Sterenborg
  2007-02-14 14:43   ` Robert LeBlanc
  2007-02-14 15:42 ` Grant Taylor
  1 sibling, 2 replies; 12+ messages in thread
From: Rodrigo Montoro (Sp0oKeR) @ 2007-02-14 13:08 UTC (permalink / raw)
  To: Tim Perton; +Cc: netfilter

   I don't think iptables is your best option for that.
   Try mod_security, mod_rewrite or apache proxy.

Regards,



-- 
=====================
 Rodrigo Ribeiro Montoro
Desenvolvedor BRMAlinux
  spooker@brc.com.br
       RHCE/LPIC-I
=====================



* RE: iptables: hide the real web server from users
  2007-02-14 13:08 ` Rodrigo Montoro (Sp0oKeR)
@ 2007-02-14 14:40   ` Rob Sterenborg
  2007-02-14 14:43   ` Robert LeBlanc
  1 sibling, 0 replies; 12+ messages in thread
From: Rob Sterenborg @ 2007-02-14 14:40 UTC (permalink / raw)
  To: netfilter

netfilter-bounces@lists.netfilter.org wrote:
>    I don't think iptables is your best option for that.
>    Try mod_security, mod_rewrite or apache proxy .

Or Squid.


Grts,
Rob


* RE: iptables: hide the real web server from users
  2007-02-14 13:08 ` Rodrigo Montoro (Sp0oKeR)
  2007-02-14 14:40   ` Rob Sterenborg
@ 2007-02-14 14:43   ` Robert LeBlanc
  2007-02-14 15:44     ` Tim Perton
  1 sibling, 1 reply; 12+ messages in thread
From: Robert LeBlanc @ 2007-02-14 14:43 UTC (permalink / raw)
  To: netfilter

Squid would also do this for you.

Robert LeBlanc


* Re: iptables: hide the real web server from users
  2007-02-14 12:53 iptables: hide the real web server from users Tim Perton
  2007-02-14 13:08 ` Rodrigo Montoro (Sp0oKeR)
@ 2007-02-14 15:42 ` Grant Taylor
  2007-02-14 16:36   ` Tim Perton
  2007-02-15 10:55   ` Pascal Hambourg
  1 sibling, 2 replies; 12+ messages in thread
From: Grant Taylor @ 2007-02-14 15:42 UTC (permalink / raw)
  To: Mail List - Netfilter

Tim Perton wrote:
> I want my users to do a request like
> http://a.b.c.d/1.php and then machine A to make the
> same request to System B, get the results and send
> them back to the user transparently.

Technically you can do what you are wanting to do.  However there are a 
few caveats that you need to be aware of when doing such.

1)  System B will see System A as the connecting host, not the real client.
2)  If System B is not "behind" System A (as you have described it to 
not be) it will have to send the traffic back to System A which will 
then send the traffic back to the client.  Translation, System B can not 
send the traffic directly to the client without breaking the TCP 
connection state on the client.
3)  System A will be using more bandwidth by doing this.

If all the above are ok with you, consider doing the following on system A.

# Port forward web traffic originally to System A over to System B.
iptables -t nat -A PREROUTING -i $INet -d $SystemA_IP -p tcp --dport 80 \
  -j DNAT --to-destination $SystemB_IP:$SystemB_Port
# SNAT traffic to System B's web server to appear to be from System A.
iptables -t nat -A POSTROUTING -o $INet -d $SystemB_IP -p tcp \
  --dport $SystemB_Port -j SNAT --to-source $SystemA_IP

If you have any questions, ask.



Grant. . . .



* RE: iptables: hide the real web server from users
  2007-02-14 14:43   ` Robert LeBlanc
@ 2007-02-14 15:44     ` Tim Perton
  2007-02-23 11:05       ` Martijn Lievaart
  0 siblings, 1 reply; 12+ messages in thread
From: Tim Perton @ 2007-02-14 15:44 UTC (permalink / raw)
  To: netfilter

Thank you all for your quick reply.
Ok for web traffic squid is fine.
But if I have a binary socket input/output thread and
want to pass them transparently between the user and
System B through System A, I think that only iptables
can do that in tcp layer.

Any ideas on this?

Tim


* Re: iptables: hide the real web server from users
  2007-02-14 15:42 ` Grant Taylor
@ 2007-02-14 16:36   ` Tim Perton
  2007-02-14 17:59     ` Grant Taylor
  2007-02-15 10:55   ` Pascal Hambourg
  1 sibling, 1 reply; 12+ messages in thread
From: Tim Perton @ 2007-02-14 16:36 UTC (permalink / raw)
  To: netfilter; +Cc: gtaylor

Dear Grant,
thank you very much for your quick reply.

I agree to the 3 conditions/caveats in your previous
email. I have already tried an example on this.
Let's say I want to connect to www.google.com
(216.239.59.103) so System B is www.google.com

According to your example I issue the following
commands (after stop/start iptables to be fresh):

iptables -A INPUT -p tcp -m tcp --dport 1099 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -d a.b.c.d -p tcp --dport 1099 \
  -j DNAT --to-destination 216.239.59.103:80

iptables -t nat -A POSTROUTING -o eth0 -d 216.239.59.103 -p tcp \
  --dport 1099 -j SNAT --to-source a.b.c.d

I am trying http://a.b.c.d:1099  or with telnet
a.b.c.d 1099 (Trying a.b.c.d... telnet: Unable to
connect to remote host: Connection refused)

My regards,
Tim


* Re: iptables: hide the real web server from users
  2007-02-14 16:36   ` Tim Perton
@ 2007-02-14 17:59     ` Grant Taylor
  2007-02-15 14:28       ` Tim Perton
  0 siblings, 1 reply; 12+ messages in thread
From: Grant Taylor @ 2007-02-14 17:59 UTC (permalink / raw)
  To: Mail List - Netfilter

Tim Perton wrote:
> Dear Grant,
> thank you very much for your quick reply.

You are welcome.

> I agree to the 3 conditions/caveats in your previous
> email. I have already tried an example on this.
> Let's say I want to connect to www.google.com
> (216.239.59.103) so System B is www.google.com

Ok.

> According to your example I issue the following
> commands (after stop/start iptables to be fresh):
> 
> iptables -A INPUT -p tcp -m tcp --dport 1099 -j ACCEPT

What filtering do you have in place?  If you do not have default 
policies of ACCEPT, you will also need to add rules to your 
filter:FORWARD chain to allow this traffic to pass through.  I.e.

iptables -A FORWARD -i eth0 -o eth0 -d 216.239.59.103 -p tcp --dport 80 \
  -j ACCEPT

iptables -A FORWARD -i eth0 -o eth0 -s 216.239.59.103 -p tcp --sport 80 \
  -j ACCEPT

> iptables -t nat -A PREROUTING -i eth0 -d a.b.c.d -p
> tcp --dport 1099 -j DNAT --to-destination
> 216.239.59.103:80
> 
> iptables -t nat -A POSTROUTING -o eth0 -d
> 216.239.59.103 -p tcp --dport 1099 -j SNAT --to-source
> a.b.c.d

These commands look ok to me.

> I am trying http://a.b.c.d:1099  or with telnet
> a.b.c.d 1099 (Trying a.b.c.d... telnet: Unable to
> connect to remote host: Connection refused)

I think you will have better luck playing with telnet to start with. 
Keep in mind that just because you enter "http://a.b.c.d..." in your web 
browser, you are doing more than connecting to that address.  You are 
also asking for a page off of the domain a.b.c.d.  So for testing, I'd 
stick with telnet, or set up a temporary hosts entry for the test domain.



Grant. . . .



* Re: iptables: hide the real web server from users
  2007-02-14 15:42 ` Grant Taylor
  2007-02-14 16:36   ` Tim Perton
@ 2007-02-15 10:55   ` Pascal Hambourg
  1 sibling, 0 replies; 12+ messages in thread
From: Pascal Hambourg @ 2007-02-15 10:55 UTC (permalink / raw)
  To: Mail List - Netfilter

Hello,

Grant Taylor wrote:
> Tim Perton wrote:
> 
>> I want my users to do a request like
>> http://a.b.c.d/1.php and then machine A to make the
>> same request to System B, get the results and send
>> them back to the user transparently.
> 
> Technically you can do what you are wanting to do.  However there are a 
> few caveats that you need to be aware of when doing such.
> 
> 1)  System B will see System A as the connecting host, not the real client.

This can be avoided. See below.

> 2)  If System B is not "behind" System A (as you have described it to 
> not be) it will have to send the traffic back to System A which will 
> then send the traffic back to the client.

This is the reason for 1). In order for B to send replies to A, A has 
to SNAT the forwarded connection with its own IP address. Unless you set 
up some tunnel or VPN between A and B and use it for the forwarded 
connections (in both directions, so it may involve some advanced routing 
on A for return traffic), making B virtually "behind" A.

client ---internet--- system A (NAT) ===tunnel=== system B (server)



* Re: iptables: hide the real web server from users
  2007-02-14 17:59     ` Grant Taylor
@ 2007-02-15 14:28       ` Tim Perton
  2007-02-15 15:08         ` Pascal Hambourg
  0 siblings, 1 reply; 12+ messages in thread
From: Tim Perton @ 2007-02-15 14:28 UTC (permalink / raw)
  To: gtaylor+reply, Mail List - Netfilter

I tried the forward rules too but nothing.
Still telnet a.b.c.d 1099 does not work after issuing
the following commands(no other firewalling made to
prohibit packets):

iptables -A INPUT -p tcp -m tcp --dport 1099 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -d 216.239.59.103 \
  -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -s 216.239.59.103 \
  -p tcp --sport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -d a.b.c.d -p tcp --dport 1099 \
  -j DNAT --to-destination 216.239.59.103:80
iptables -t nat -A POSTROUTING -o eth0 -d 216.239.59.103 -p tcp \
  --dport 1099 -j SNAT --to-source a.b.c.d

Telnet gives:
telnet a.b.c.d 1099
Trying a.b.c.d...
telnet: connect to address a.b.c.d: Operation timed
out
telnet: Unable to connect to remote host

Is it a good idea to accept all udp packets too? I do
not know.

Has anyone used those rules and worked?

Tim.


* Re: iptables: hide the real web server from users
  2007-02-15 14:28       ` Tim Perton
@ 2007-02-15 15:08         ` Pascal Hambourg
  0 siblings, 0 replies; 12+ messages in thread
From: Pascal Hambourg @ 2007-02-15 15:08 UTC (permalink / raw)
  To: Mail List - Netfilter

Tim Perton wrote:
> I tried the forward rules too but nothing.
> Still telnet a.b.c.d 1099 does not work after issuing
> the following commands(no other firewalling made to
> prohibit packets):
> 
> iptables -A INPUT -p tcp -m tcp --dport 1099 -j ACCEPT

This rule is useless because connections to port 1099 are forwarded to 
another host. INPUT chains see only traffic for the local host.

> iptables -A FORWARD -i eth0 -o eth0 -d 216.239.59.103
> -p tcp --dport 80 -j ACCEPT

Ok.

> iptables -A FORWARD -i eth0 -o eth0 -s 216.239.59.103
> -p tcp --sport 80 -j ACCEPT

Use the connection tracking (-m state --state ESTABLISHED) to deal with 
return traffic.

> iptables -t nat -A PREROUTING -i eth0 -d a.b.c.d -p
> tcp --dport 1099 -j DNAT --to-destination
> 216.239.59.103:80

Ok.

> iptables -t nat -A POSTROUTING -o eth0 -d
> 216.239.59.103 -p tcp --dport 1099 -j SNAT --to-source
> a.b.c.d

The rule must match on destination port 80 instead of 1099, because it 
occurs after the destination port has been translated. Remember the path 
is:
PREROUTING (DNAT) -> FORWARD -> POSTROUTING (SNAT)
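
Added example, not part of any message in this thread: a shell function that prints the rule set for System A with the corrections above folded in (no INPUT rule, return traffic matched by connection state, SNAT matched on the translated port). The function name, the addresses (RFC 5737 documentation ranges) and the port check are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Prints iptables commands for System A; nothing is applied
# unless the output is piped to a root shell. Assumes net.ipv4.ip_forward=1
# on System A (not discussed in the thread); without it forwarded packets
# are dropped before they reach the FORWARD chain.

# Accept only a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rules IFACE A_IP LISTEN_PORT B_IP B_PORT   (hypothetical helper)
build_rules() {
    if [ "$#" -ne 5 ]; then
        echo "usage: build_rules IFACE A_IP LISTEN_PORT B_IP B_PORT" >&2
        return 2
    fi
    iface=$1 a_ip=$2 lport=$3 b_ip=$4 bport=$5
    if ! valid_port "$lport" || ! valid_port "$bport"; then
        echo "build_rules: ports must be numbers in 1..65535" >&2
        return 2
    fi

    cat <<EOF
# nat/PREROUTING runs first: the client still addresses A on the listen port.
iptables -t nat -A PREROUTING -i $iface -d $a_ip -p tcp --dport $lport -j DNAT --to-destination $b_ip:$bport
# filter/FORWARD sees the packet after DNAT, so it matches B's address and port.
iptables -A FORWARD -i $iface -o $iface -d $b_ip -p tcp --dport $bport -j ACCEPT
# Return traffic from B is accepted by connection state, not by a bare port match.
iptables -A FORWARD -i $iface -o $iface -s $b_ip -p tcp --sport $bport -m state --state ESTABLISHED -j ACCEPT
# nat/POSTROUTING runs last: the destination port is already B's port here,
# so the SNAT rule must match $bport, never the original listen port.
iptables -t nat -A POSTROUTING -o $iface -d $b_ip -p tcp --dport $bport -j SNAT --to-source $a_ip
EOF
}

# Constructed sample values: A listens on 1099 and forwards to B's port 80.
build_rules eth0 192.0.2.10 1099 198.51.100.20 80
```

Review the printed rules before piping them to a root shell, and check the NAT hit counters afterwards with `iptables -t nat -L -n -v`; a POSTROUTING counter that stays at zero means the SNAT match is still wrong.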



* Re: iptables: hide the real web server from users
  2007-02-14 15:44     ` Tim Perton
@ 2007-02-23 11:05       ` Martijn Lievaart
  0 siblings, 0 replies; 12+ messages in thread
From: Martijn Lievaart @ 2007-02-23 11:05 UTC (permalink / raw)
  To: Tim Perton; +Cc: netfilter

Tim Perton wrote:
> Thank you all for your quick reply.
> Ok for web traffic squid is fine.
> But if I have a binary socket input/output thread and
> want to pass them transparently between the user and
> System B through System A, I think that only iptables
> can do that in tcp layer.
>
> Any ideas on this?
>   

Look at rinetd.

HTH,
M4


