openvds-devel

Re: [Openvds-devel] iptables


From: Eje Gustafsson
Subject: Re: [Openvds-devel] iptables
Date: Sun, 9 Dec 2001 20:09:31 -0600

I have not played around with that part. I just recently started to play
with iptables; I was using ipchains until recently, so I'm not entirely familiar
with iptables. However, the chain that is being used is called
PREROUTING, there is also something called POSTROUTING, and
in between we've got OUTPUT.
My understanding is that PREROUTING only affects packages that enter
the machine, and POSTROUTING only packages that leave the firewall.
So to be able to alter locally generated traffic you need to alter it in
the OUTPUT chain (from my understanding the OUTPUT chain has been/is slightly
broken and not functioning as it should, so this might have been/be the reason
why it was not/is not used).

Personally I have never seen a browser that used UDP to connect to
port 80 or 443. Guess I could always set up a rule on my firewall to
log any usage of UDP to port 80 or 443, let it run, and see if
after a few days I have any calls using UDP on these ports.
What would happen if you didn't have the rules in place?
Nothing much would be my guess; all browsers I have seen use TCP at all
times, so there shouldn't be any problem. If someone does something very odd or
weird, I guess the call would fail if the rules weren't there.



SG> Hi,

SG> (I sent this message a couple of weeks ago to the freeVSD list, but got no
SG> response so I'm resending.)

SG> Running under linux 2.4, redirecting HTTP using iptables works well except
SG> that I'm finding the redirection only works when connecting from other hosts
SG> on the network, not from the server itself.

SG> Example, on the host server (or in a vs, makes no difference):

SG>     $ lynx http://vsone/
SG>     Cannot connect to server

SG>     $ lynx http://vsone:8080/
SG>     Works fine

SG> But opening http://vsone/ on port 80 works fine from other hosts on the
SG> network/Internet.

SG> Are there any netfilter gurus here who can suggest some additional iptables
SG> rules to make this work?

SG> The rules generated by freeVSD look like this (from my
SG> /etc/sysconfig/iptables):

SG> [0:0] -A PREROUTING -d 192.168.0.150 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.150:8080
SG> [0:0] -A PREROUTING -d 192.168.0.150 -p udp -m udp --dport 80 -j DNAT --to-destination 192.168.0.150:8080
SG> [0:0] -A PREROUTING -d 192.168.0.150 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.150:8443
SG> [0:0] -A PREROUTING -d 192.168.0.150 -p udp -m udp --dport 443 -j DNAT --to-destination 192.168.0.150:8443

SG> PS: are those udp rules really necessary?

SG> Cheers,

SG> Simon Garner




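The two points raised in this exchange, that a connection made on the server itself never passes through the nat PREROUTING chain and so needs the same DNAT repeated in the nat OUTPUT chain, and that the UDP redirect rules can be replaced by a LOG rule to find out whether anyone ever sends UDP to port 80 or 443, can be checked with a small generator script. The script below is an added example, not freeVSD's rule generator and not code from either poster; it uses the address and ports from the quoted message and emits iptables-restore style text rather than calling iptables, so it can be reviewed before anything is loaded.

```shell
#!/bin/sh
# Added example (not part of the freeVSD project or this thread).
# Emits nat-table DNAT rules for one virtual-server address in the text
# format iptables-restore reads. The same DNAT is written to both
# PREROUTING (packets arriving from other hosts) and OUTPUT (packets
# generated on the server itself, e.g. "lynx http://vsone/" run locally),
# because locally generated traffic never traverses PREROUTING.
# Only TCP is redirected: HTTP and HTTPS are TCP-only, so the UDP DNAT
# rules in the quoted configuration never match a real browser.

# Usage: gen_nat_rules <ip> [http_backend_port] [https_backend_port]
gen_nat_rules() {
    ip="$1"
    http_port="${2:-8080}"    # backend port for :80, as in the thread
    https_port="${3:-8443}"   # backend port for :443, as in the thread
    echo '*nat'
    for chain in PREROUTING OUTPUT; do
        echo "-A $chain -d $ip -p tcp -m tcp --dport 80 -j DNAT --to-destination $ip:$http_port"
        echo "-A $chain -d $ip -p tcp -m tcp --dport 443 -j DNAT --to-destination $ip:$https_port"
    done
    echo 'COMMIT'
}

# The check Eje proposes instead of blind UDP redirects: log UDP to 80/443
# in the filter table so a few days of kernel log show whether it ever occurs.
# Usage: gen_udp_log_rules <ip>
gen_udp_log_rules() {
    ip="$1"
    echo '*filter'
    for port in 80 443; do
        echo "-A INPUT -d $ip -p udp -m udp --dport $port -j LOG --log-prefix \"udp-web-$port: \""
    done
    echo 'COMMIT'
}

# Self-check helper: number of rules emitted for a given nat chain.
# Usage: count_chain_rules <ip> <chain>
count_chain_rules() {
    gen_nat_rules "$1" | grep -c "^-A $2 "
}

# Stand-alone run prints both rule sets for the address used in the thread.
gen_nat_rules 192.168.0.150
gen_udp_log_rules 192.168.0.150
```

Review the output, then load it with `iptables-restore -n` (the `-n` keeps existing rules), or add the single missing rule on a live box with `iptables -t nat -A OUTPUT -d 192.168.0.150 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.150:8080`. The LOG rules write to the kernel log (visible with `dmesg` or in syslog) with the `udp-web-80:` / `udp-web-443:` prefix, which makes it easy to grep after a few days and decide whether any UDP handling is needed at all.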