September 12, 2008 at 8:55 pm #41180
Hi all, first post!
I am thinking of placing ZS in front of a web farm. In order to forward ports from the Red side (ETH01) to the green side (ETH00) (Web servers with ‘internal’ IPs) I need to use port forwarding / NAT – the virtual server feature.
This works flawlessly!
However, when setting up the port forward source interface, I can only select ETH01, and therefore, all IPs that I created on the WAN interface.
What I would like to do is to (for example) map two IPs on the WAN interface, same source PORTs, but different destinations. Thus enabling to host two servers on two public WAN IPs.
At the moment, if I set up a port forward to a Virtual Server, all IPs on the WAN interface forward to it; I can’t seem to be able to forward one WAN IP on its own to one Virtual Server.
Is there any way of achieving this?
Jeff

September 13, 2008 at 9:17 am #46896
I know this problem and I am going to resolve it in the next release by allowing to select either the network interface or the destination IP address in the web interface. At the moment you could specify iptables command in the [Setup][Startup][NAT and Virtual Servers] startup script. Do not forget to enable the script.
Fulvio

September 13, 2008 at 10:49 am #46897
If i could get this to work, then all my problems would be solved.
I have looked at m0n0wall, IPCop, and many, many other solutions and none of them allow all the following – which I think are required for placing in front of web servers in a web farm:
Create ‘real’ multiple IPs on WAN interface, port forward NAT to VLANs. Boot from CD. Recognize Intel Gigabit NICs. Have a web GUI that enables you to control (pretty much everything).
So I am very pleased to have found ZeroShell – to me it’s the only thing that comes close to my requirement list. I’m not knocking the other products, but I think ZS is just the best fit for my type of need.
Having been used to commercial firewall GUIs that ‘hide’ stuff like firewall chains etc for a while, and not being a linux guru, I’m a bit lost with stuff like iptables.
If I ask very nicely – is there a chance, you could provide an example script for me?
In an example, say my two WAN IPs on (ETH01) are 192.168.100.10, and 192.168.100.11 – and I want to send port 80 through from these IPs to 10.0.14.10, and 10.0.14.1 respectively.
I need to look at the start up scripts, but I’m assuming that it’s a checkbox or something to enable it?
I could use this script to work out how stuff is done, and then I could (finally) lay this project to rest!
One last thing Fulvio – do you have a page on your website which lists Paypal donations? I’m not saying you need to show names of people, but just the amount. If people know that people are donating (or perhaps that people are not!?) then I think they will be more likely to give something.
I think it’s important to give something, for recognition at least!
Jeff

September 13, 2008 at 11:13 am #46898
Try with the following lines:
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 192.168.100.10 -i ETH01 -j DNAT --to-destination 10.0.14.10:80
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 192.168.100.11 -i ETH01 -j DNAT --to-destination 10.0.14.11:80
Fulvio

September 13, 2008 at 3:25 pm #46899
Perfect! That’s brilliant – works like a charm.
I did notice a little problem though. I’m guessing that sticking stuff in the ‘startup NAT/Virtual Server’ script means that it only runs at ZeroShell start up?
Certainly, when I first stuck these lines in, nothing worked. I then restarted the box, and presto – it worked. Then I added two more rules, and adjusted the old ones. The new rules seemed to apply right away, but the old rules were also still working. They didn’t stop working until I restarted.
Do you think you could clarify if you need to restart for the scripts to work?
If so – this is going to be a bit of a problem, if I add a new service / web server – I’m going to have to restart the firewall, effectively disconnecting all the servers until the firewall comes up again.
There is a ‘test’ button and I’m assuming this is just validating syntax?
One firewall I have worked on (from a company called Ingate) had a nifty little feature whereby you could ‘apply’ a new/changed firewall rule, but not save it. So this was basically a sort of ‘test mode’. If you didn’t hit the ‘OK I want to save this’ within 30 seconds, whatever you did would undo itself. A nice feature if you lock yourself out by mistake!?
Anyway. I’m really pleased that ZS can NAT of multiple WAN IPs, I’m just wondering if there is a way to apply changes to this without restarting the box each time.
Jeff

September 13, 2008 at 4:04 pm #46900
To apply the iptables rules without restarting just click on the [Test] button and then save. This is just a workaround. The next release includes the capability to specify the IP in the virtual server configuration directly by using the web interface.
Fulvio

September 30, 2008 at 10:52 am #46901
Very much looking forward to this improvement in the virtual servers system.
Currently happy with the b9 version but I will be ecstatic when I can use it to filter from my multiple IPs.
Bob

November 14, 2008 at 5:08 pm #46902
Does anyone know if virtual servers was updated for b11?
Jeff

November 14, 2008 at 5:18 pm #46903
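An added example, not a post from this thread and not ZeroShell's own code: the per-WAN-IP DNAT rules Fulvio gave above, written as a startup script that keeps the rules in a dedicated nat chain. Re-running the script flushes and reloads that chain, so edited or removed rules do not linger the way Jeff observed when appending directly to PREROUTING. The interface name (ETH01), public IPs (192.168.100.10/.11) and internal hosts (10.0.14.10/.11) are taken from the thread; the 443 entry and the chain name VSRV_DNAT are assumptions for illustration.

```shell
#!/bin/sh
# Added example: load per-WAN-IP DNAT rules into a private chain so that
# re-running the script replaces the old rule set instead of appending to it.
# Values below are hypothetical, taken from the thread for illustration.

WAN_IF=ETH01
CHAIN=VSRV_DNAT

# One mapping per line: "<wan-ip> <proto> <port> <internal-ip>[:<port>]"
# (constructed sample table; the 443 line is an assumption)
MAPPINGS='
192.168.100.10 tcp 80 10.0.14.10
192.168.100.11 tcp 80 10.0.14.11
192.168.100.11 tcp 443 10.0.14.11:8443
'

# Render the iptables commands as text (pure shell, no root needed), so the
# rule set can be reviewed before it is applied.
render_rules() {
    printf '%s\n' "$MAPPINGS" | while read -r wan proto port dest; do
        [ -n "$wan" ] || continue
        # If no internal port was given, keep the same port as the WAN side.
        case "$dest" in *:*) ;; *) dest="$dest:$port" ;; esac
        printf 'iptables -t nat -A %s -i %s -p %s -d %s --dport %s -j DNAT --to-destination %s\n' \
            "$CHAIN" "$WAN_IF" "$proto" "$wan" "$port" "$dest"
    done
}

# Number of rules the table produces (sanity check before applying).
rule_count() { render_rules | wc -l | tr -d ' '; }

# Apply: create the chain (or flush it if it already exists), make sure
# PREROUTING jumps to it exactly once, then load the rendered rules.
apply_rules() {
    iptables -t nat -N "$CHAIN" 2>/dev/null || iptables -t nat -F "$CHAIN"
    # delete-then-insert keeps the jump idempotent on old iptables versions
    iptables -t nat -D PREROUTING -i "$WAN_IF" -j "$CHAIN" 2>/dev/null
    iptables -t nat -I PREROUTING -i "$WAN_IF" -j "$CHAIN"
    render_rules | sh -e
}

# With --apply the rules are loaded (needs root); otherwise they are only printed.
if [ "${1:-}" = "--apply" ]; then apply_rules; else render_rules; fi
```

Run it without arguments first to inspect the generated rules; only `--apply` touches the live nat table.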