On Mon, Oct 19, 2009 at 2:04 AM, Barry Brimer <lists at brimer.org> wrote:
>> I have a CentOS-5.3 "main" server with a static public IP address
>> running Apache, OpenVPN, and a bunch of other services.
>>
>> The primary IP address for the only NIC in this box is used by
>> Apache on standard ports 80 and 443. I have a secondary
>> static public IP address assigned to this same NIC as eth0:1.
>>
>> I have a working OpenVPN tunnel going to another CentOS-5.3 server
>> which has Apache listening on its eth0 NIC for requests on non-standard
>> ports 29080 and 29443 (don't ask!). This server is accessible on its
>> static public IP address and thru the OpenVPN tunnel from the main server.
>>
>> The main server is the OpenVPN server as well, with private IP address
>> 172.16.xxx.1/32 auto-assigned to it. The second server is a VPN client
>> with IP address 172.16.xxx.yyy/32 assigned. The narrow netmasks are the
>> OpenVPN default, presumably used for isolation among multiple clients.
>>
>> OpenVPN is configured to run over the main server's NIC via its eth0:1
>> secondary IP address 64.aaa.bbb.ccc. The main server has a static
>> route set up between its eth0:1 IP and the remote server's public
>> IP address (not the tunnel IP). This route is only there so that during
>> initial VPN negotiations the data will move via eth0:1's IP address.
>>
>> Things like ping, SSH, scp and HTTP/HTTPS all work correctly thru the
>> VPN in both directions, so the VPN itself is solid.
>>
>> Ok, so now I want external HTTP/HTTPS requests made to the main
>> server's eth0:1 public IP address to be forwarded thru the VPN to the
>> second remote server, with port translation along the way.
>>
>> Here is what I want to happen:
>>
>> Outside world HTTP/HTTPS requests to eth0:1 ports 80/443
>>           |
>>           V
>> CentOS eth0:1 (64.aaa.bbb.ccc)
>>           |
>>           V
>> Translate to ports 29080/29443
>>           |
>>           V
>> Forward requests thru the tunnel to 172.16.xxx.yyy
>>           |
>>           V
>> Remote Apache responds, packets return thru VPN to "main"
>>           |
>>           V
>> Response goes back to the outside world via 64.aaa.bbb.ccc
>>
>>
>> HTTP/HTTPS requests to the 64.aaa.bbb.ccc public IP just hang and time out.
>> Direct requests to the remote server on the non-standard ports work fine.
>> I've tried lots of iptables example entries found on several forums but so
>> far none of them seem to work.
>>
>> Does anyone have a cookbook-like complete set of iptables rules that will
>> accomplish what I need? Is it possible I need to set up strong-end routing
>> on the remote server to send the response packets back thru the VPN? (Such a
>> pain to configure.) Any assistance will be most gratefully received!
>
> I don't have a cookbook per se .. but here's my 30-second attempt:
>
> 1. You need a PREROUTING DNAT rule to redirect traffic to the VPN address
> of the other web server.
> 2. You need a POSTROUTING SNAT rule to ensure that all of the traffic
> comes back to the main server (of course your web server logs will have
> all the connections from the main server's VPN IP address in its log
> files) **OR** the default route of the web server needs to be the VPN IP
> address on the main server.
> 3. You need a POSTROUTING SNAT rule to SNAT the appropriate traffic out
> from the desired IP address.
>
> You *might* be able to use policy routing to help in steps 2 and 3.
>
> Hope this helps,
> Barry

Hello,

You might want to take a look at Apache's mod_proxy:
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html.
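The "cookbook" the original poster asked for, written out as an added example rather than anything posted in the thread. It implements Barry's steps 1 and 2 on the "main" server: DNAT the two public ports to the peer's tunnel address with port translation, then SNAT the forwarded flow to main's own tunnel address so the remote box's replies come back through tun rather than its default route, and open the FORWARD chain only for those flows. Barry's step 3 is not needed for this inbound case: the connection-tracking entry created by the DNAT rule rewrites the reply's source back to 64.aaa.bbb.ccc automatically, so a separate SNAT out of the public address is only required for connections the remote server itself initiates. All addresses are placeholders for the redacted ones in the thread, and the device names (tun0 for OpenVPN, eth0 carrying the eth0:1 alias) are assumptions; override them in the environment.

```shell
#!/bin/sh
# Added example (not from the thread): inbound DNAT/SNAT through an OpenVPN
# tunnel, run on the "main" CentOS server. Placeholder values; override via env.
PUBLIC_IP="${PUBLIC_IP:-64.0.2.1}"        # stands in for 64.aaa.bbb.ccc (eth0:1)
VPN_LOCAL="${VPN_LOCAL:-172.16.0.1}"      # main's OpenVPN address (172.16.xxx.1)
VPN_REMOTE="${VPN_REMOTE:-172.16.0.6}"    # remote web server's address (172.16.xxx.yyy)
TUN_DEV="${TUN_DEV:-tun0}"                # assumed OpenVPN device name
WAN_DEV="${WAN_DEV:-eth0}"                # eth0:1 is an alias; packets arrive on eth0

# "public-port remote-port" pairs, one mapping per line.
PORT_MAP="80 29080
443 29443"

# Emit the iptables commands one per line without running them, so the set
# can be reviewed, folded into /etc/sysconfig/iptables, or piped to sh.
nat_rules() {
    echo "sysctl -q -w net.ipv4.ip_forward=1"
    echo "$PORT_MAP" | while read pub remote; do
        # Step 1: DNAT requests for the public IP/port to the VPN peer,
        # translating the port on the way.
        echo "iptables -t nat -A PREROUTING -i $WAN_DEV -d $PUBLIC_IP -p tcp --dport $pub -j DNAT --to-destination $VPN_REMOTE:$remote"
        # Step 2: SNAT the forwarded flow to main's tunnel address so the
        # remote Apache answers back through the tunnel (its routing table
        # already knows 172.16.xxx.1) instead of via its own default route.
        echo "iptables -t nat -A POSTROUTING -o $TUN_DEV -d $VPN_REMOTE -p tcp --dport $remote -j SNAT --to-source $VPN_LOCAL"
        # Permit only the translated flows into the tunnel ...
        echo "iptables -A FORWARD -i $WAN_DEV -o $TUN_DEV -d $VPN_REMOTE -p tcp --dport $remote -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
    # ... and only replies to those flows back out; conntrack undoes the DNAT
    # on the reply, so the client sees packets from $PUBLIC_IP.
    echo "iptables -A FORWARD -i $TUN_DEV -o $WAN_DEV -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of iptables rules the set installs (sanity check before applying).
rule_count() {
    nat_rules | grep -c '^iptables '
}

# Usage: sh natfwd.sh show   (print the rules)
#        sh natfwd.sh apply  (run them, as root)
case "${1:-show}" in
    show)  nat_rules ;;
    apply) nat_rules | sh -e ;;
esac
```

Two caveats a practitioner will hit. First, the stock CentOS 5 firewall jumps FORWARD into RH-Firewall-1-INPUT, which ends in a REJECT; if that chain is in use, the FORWARD rules above must be inserted with -I ahead of that jump rather than appended, or they are never reached. Second, as Barry notes, the SNAT in step 2 makes every request appear to come from 172.16.xxx.1 in the remote Apache logs; the mod_proxy route suggested in the last reply (ProxyPass/ProxyPassReverse on main) avoids the NAT entirely and passes the real client address in X-Forwarded-For, at the cost of terminating TLS on main.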