On Mon, Oct 19, 2009 at 2:04 AM, Barry Brimer wrote:
I have a CentOS-5.3 "main" server with a static public IP address
running Apache, OpenVPN, and a bunch of other services.

The primary IP address for the only NIC in this box is used by
Apache on standard ports 80 and 443. ? I have a secondary
static public IP address assigned to this same NIC as eth0:1

I have a working OpenVPN tunnel going to another CentOS-5.3 server
which has Apache listening on its eth0 NIC for requests on non-standard
ports 29080 and 29443(don't ask!). ?This server is accessible on its
static public IP address and thru OpenVPN tunnel from the main server.

The main server is the OpenVPN server as well, with private IP address
172.16.xxx.1/32 auto-assigned to it. ?The second server is a VPN client
with IP address 172.16.xxx.yyy/32 assigned. ?The narrow netmasks are the
OpenVPN default, presumably used for isolation among multiple clients.

OpenVPN is configured to run over the main server's NIC via its eth0:1
secondary IP address ?64.aaa.bbb.ccc ? ?The main server has a static
route set up between its eth0:1 IP and the remote server's public
IP address (not the tunnel IP). ?This route is only there so that during
initial VPN negotiations the data will move via eth0:1's IP address.

Things like ping, SSH, scp and HTTP/HTTPS all work correctly thru the
VPN in both directions, so the VPN itself is solid.

Ok, so now I want external HTTP/HTTPS requests made to the main
server's eth0:1 public IP address to be forwarded thru the VPN to the
second remote server, with port translation along the way.

Here is what I want to happen:

Outside world HTTP/HTTPS requests to eth0:1 ports 80/443
? ?|
? ?V
CentOS eth0:1 (64.aaa.bbb.ccc)
? ?|
? ?V
Translate to ports 29080/29443
? ?|
? ?V
Forward requests thru the tunnel to 172.16.xxx.yyy
? ?|
? ?V
Remote Apache responds, packets return thru VPN to "main"
? ?|
? ?V
Response goes back to the outside world via 64.aaa.bbb.ccc

HTTP/HTTPS requests to the 64.aaa.bbb.ccc public IP just hang and time out.
Direct requests to the remote server on the non-standard ports work fine.
I've tried lots of iptables example entries found on several forums but so
far none of them seem to work.

Does anyone have a cookbook-like complete set of iptables rules that will
accomplish what I need? ?Is it possible I need to set up strong-end routing
on the remote server to send the response packets back thru the VPN? (such a
pain to configure) ? Any assistance will be most gratefully received!
I don't have a cookbook per se .. but here's my 30-second attempt:

1. ?You need a PREROUTING DNAT rule to redirect traffic to the VPN address
of the other web server.
2. ?You need a POSTROUTING SNAT rule to ensure that all of the traffic
comes back to the main server (of course your web server logs will have
all the connections from the main server's VPN IP address in its log
files) **OR** the default route of the web server needs to be the VPN IP
address on the main server.
3. ?You need a POSTROUTING SNAT rule to SNAT the appropriate traffic out
from the desired IP address.

You *might* be able to you policy routing to help in steps 2 and 3.

Hope this helps,

You might want to take a look at apache's mod_proxy

Search Discussions

Discussion Posts


Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 3 of 4 | next ›
Discussion Overview
groupcentos @
postedOct 18, '09 at 10:51p
activeOct 19, '09 at 11:23p

3 users in discussion

Chuck Munro: 2 posts Barry Brimer: 1 post Bazy: 1 post



site design / logo © 2022 Grokbase