Koozali.org: home of the SME Server

I REALY NEED TO FORWARD PORT 80

steven

I REALY NEED TO FORWARD PORT 80
« on: October 12, 2003, 02:13:37 PM »
Dear All,

I know you would say the answer to the question is Proxypass, but please hear the whole story;

I have a SME in public Server gateway mode. There is a MS IIS5 behind the SME. IIS is using a technique called "host name header" that scans the header and understands which Virtual host/Directory/Domain it needs to direct the packet to in IIS. Using ProxyPass the IIS would not recognize the host from the header.

I NEED to forward the PORT 80 on eth1 of SME to port 80 on internal IIS server. I have set up SME APACHE to listen on port 5000 instead. Using portforwarding panel I have forwarded the port 80 to internal IIS host port 80. IT DOESN'T work. I understand that I can't forward a port if there is a service associated to that port. I have even stopped SME APACHE, still no luck! Forwarding another port like 8030 works fine but not port 80...

Can anyone please explain why this would not work?


Best Regards

Steven

Ergin

Re: I REALY NEED TO FORWARD PORT 80
« Reply #1 on: October 12, 2003, 04:48:29 PM »
Why don't you read what's been said in the following URL?

I personally think using iptables with DNAT would work for you.

http://www.e-smith.org/bboard//read.php?f=3&i=35583&t=35583

steven

Re: I REALY NEED TO FORWARD PORT 80
« Reply #2 on: October 12, 2003, 06:39:03 PM »
Ergin,

I have already tried:


iptables -A FORWARD -i eth1 -o eth0 -p tcp --syn --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.10:80


No success :(


I also read, to watch that there isn't another rule which is blocking it. Is there such a rule in SME firewall?

regards

Steven
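
Added example (not part of the original post, and not SME Server's own tooling): `-A` appends a rule to the end of a chain, so an earlier rule that already matches the packet decides its fate first. The script below finds the first rule a new connection to port 80 on eth1 would hit in a saved ruleset; the dump is constructed for illustration and `first_hit` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed iptables-save dump (NOT SME Server's real ruleset).
# eth1 = external, eth0 = internal, 10.0.1.10 = IIS host, as in the post above.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.10:80
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j DROP
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
COMMIT'

# first_hit TABLE CHAIN IN_IFACE PORT   (reads iptables-save text on stdin)
# Prints "<rule-number> <target>" for the first rule in CHAIN that a NEW TCP
# connection arriving on IN_IFACE for PORT can match.
# Only -i, -p, --dport, --state and -j are evaluated. Negated matches, port
# ranges and other match modules are not interpreted, and a jump to a
# user-defined chain is reported as the target without being followed.
first_hit() {
    awk -v tbl="$1" -v chain="$2" -v ifc="$3" -v port="$4" '
        /^\*/ { cur = substr($0, 2); next }      # "*nat" / "*filter" table header
        cur == tbl && $1 == "-A" && $2 == chain {
            n++; ok = 1; target = "(none)"
            for (i = 3; i < NF; i++) {
                v = $(i + 1)
                if ($i == "-i" && v != ifc) ok = 0
                if ($i == "-p" && v != "tcp") ok = 0
                if ($i == "--dport" && v != port) ok = 0
                # a first SYN is state NEW; ESTABLISHED/RELATED-only rules skip it
                if ($i == "--state" && v !~ /(^|,)NEW(,|$)/) ok = 0
                if ($i == "-j") target = v
            }
            if (ok) { print n, target; exit }
        }'
}

nat_hit=$(printf '%s\n' "$SAMPLE" | first_hit nat PREROUTING eth1 80)
fwd_hit=$(printf '%s\n' "$SAMPLE" | first_hit filter FORWARD eth1 80)
echo "nat/PREROUTING first match for eth1:80 -> rule $nat_hit"
echo "filter/FORWARD first match for eth1:80 -> rule $fwd_hit"
```

On a live gateway, pipe the output of `iptables-save` into `first_hit` instead of the sample. If the first match is not your own rule, inserting it with `-I` rather than appending with `-A` places it ahead of the earlier one.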

ryan

Re: I REALY NEED TO FORWARD PORT 80
« Reply #3 on: October 12, 2003, 08:51:35 PM »
Steven,

I am not a Linux command line guru, but I have used SME since version 4.1.2. If you have another low-end computer available, say a PIII with 128 MB of RAM and 3 NIC cards, you can install IPCop firewall. If you have only a single internet IP to work with, you can set up IPCop on your external internet IP. SME would then connect its external NIC to the DMZ subnet of IPCop (I use 172.16.x.x for DMZ). This will result in two available gateways on your internal LAN, one for SME and one for IPCop; your clients will use whichever the DHCP server assigns by default.

IPCop is easy to install and has an excellent web admin interface. It is only a router, and does not have Apache, Samba, or email, so you can port forward any port to SME on the DMZ or any host on your internal network. Just remember, if IPCop forwards to an internal client, that client must use IPCop as its gateway. Since you're wanting to port forward 80 to an IIS web server which should have a static IP address, this is not a problem.

IPCop also has IPSEC VPN built in that is easy to use.  I even have remote locations that use a $130 Linksys VPN router to connect the IPSEC tunnel to IPCop.  I personally have found SME addon features (IPSEC & Port Forwarding) problematic when attempting to upgrade SME, so I keep SME default and rely on IPCop for true router functions.

Good luck,

RS

Ergin

Re: I REALY NEED TO FORWARD PORT 80
« Reply #4 on: October 12, 2003, 09:23:53 PM »
Hi there !

I am NOT an expert on iptables (like that would stop me from trying) BUT I think you should do something like this...

# iptables -t nat -A PREROUTING -p tcp -d YOUR_EXTERNAL_IP --dport 80 -j DNAT --to YOURINTERNAL_IIS_SERVERS_IP:80

Good luck.

Sterling

Re: I REALY NEED TO FORWARD PORT 80
« Reply #5 on: October 12, 2003, 11:35:42 PM »
I had a problem similar to this once and if my memory serves me correctly I had to stop/disable the squid service for it to work.

> I NEED to forward the PORT 80 on eth1 of SME to port 80 on
> internal IIS server. I have setup SME APACHE to listen on
> port 5000 instead. Using portforwarding panel I have
> forwarded the port 80 to internal IIS host port 80. IT DOESN'T
> work. I understand that I can't forward a port if there is a
> service associated to that port. I have even stopped SME
> APACHE, still no luck! Forwarding another port like 8030
> works fine but not port 80...

Regards,
Sterling

Charlie Brady

Forwarding to IIS (was Re: I REALY NEED TO FORWARD PORT 80)
« Reply #6 on: October 13, 2003, 01:10:41 AM »
steven shouted (apparently unaware that it is rude to shout):

> I know you would say the answer to the question is Proxypass,

It is.

> but please hear the whole story;
>
> I have a SME in public Server gateway mode. There is a MS
> IIS5 behind the SME. IIS is using a technique called "host
> name header" that scans the header and understands which
> Virtual host/Directory/Domain it needs to direct the packet to in
> IIS. Using proxyPass the IIS would not recognize the host
> from the header.

Have you tried? Apache uses the host header to determine which virtual host is being addressed. Moreover, Apache's proxypass module will pass on the host header unmodified, so there's no reason that IIS wouldn't recognise it (unless IIS is not correctly configured).

Charlie

Boris

Re: Forwarding to IIS (was Re: I REALY NEED TO FORWARD PORT
« Reply #7 on: October 13, 2003, 02:53:36 AM »

I can confirm, that proxypass works correctly in this situation.
We've been using it to forward multiple pages (different headers) to the same internal IIS server successfully.

Give it another try before rejecting it.

steven

Re: Forwarding to IIS (was Re: I REALY NEED TO FORWARD PORT
« Reply #8 on: October 13, 2003, 10:41:01 AM »
Hi all,


I am sorry to shout. It was an act of desperation more than anything. I will behave myself :)

I read the manual for IIS5. The "host name header" only works with HTTP 1.1. I understand that ProxyPass also works with HTTP 1.1, but looking at my http logs "val/log/httpd/access_log" shows that requests are sent as HTTP 1.0. I am not sure if these logs are the right logs to look at?

Also Charlie mentioned, "Apache uses the host header to determine which virtual host is being addressed". Is this feature part of ProxyPass or does it need to be activated separately?

Thanks again.

Regards


Steven


steven

Re: Forwarding to IIS (was Re: I REALY NEED TO FORWARD PORT
« Reply #10 on: October 14, 2003, 04:47:51 AM »
Thanks Boris,

I have used the ProxyPass with no luck. Is this a new version of ProxyPass?


Regards

Steven

Boris

Re: Forwarding to IIS (was Re: I REALY NEED TO FORWARD PORT
« Reply #11 on: October 14, 2003, 01:35:16 PM »
This version has been fixed by Abe Loveless to work on 5.5 and 5.6 versions of SME correctly. Older version(s) work properly only on e-smith 5.1.2.

Steve

Re: Forwarding to IIS (was Re: I REALY NEED TO FORWARD PORT
« Reply #12 on: October 16, 2003, 02:19:57 PM »
Hi All.

Are there any plans to get this working on v6?
Just wondering.

Steve

Alejandro Lengua

Re: Forwarding to IIS (was Re: I REALY NEED TO FORWARD PORT
« Reply #13 on: October 24, 2003, 07:49:41 AM »
I need to forward other ports, 25 and 110, on SME5.6. I installed the portforwarding contrib, but it seems not to be working.

I wonder where I can see the rules it is creating at SME, IPTables?
How can I create those rules by hand...

On SME6 there is an email server delegation feature... is there something similar for SME 5.6?

Boris

Re: Forwarding to IIS (was Re: I REALY NEED TO FORWARD PORT
« Reply #14 on: October 25, 2003, 12:21:58 AM »
Alejandro,
before you forward mail ports to an internal server, you need to shut it down completely on the SME server.
There is an e-mail delegation feature on SME 5.6 as well. It is in the "e-mail retrieval" panel of server-manager.