
I have 3 machines with the following IP addresses:

  • Machine 1: 10.10.10.20
  • Machine 2: 10.10.10.21
  • Machine 3: 10.10.10.22

The JBoss server is started on Machine 1 and Machine 3 is the client. If I type 10.10.10.21 (IP address of Machine 2) in the browser on Machine 3, I should be redirected to the default JBoss page of the JBoss server launched on Machine 1. However, typing 10.10.10.20 (IP address of Machine 1) in the browser on Machine 3 should not work. That is, the client on Machine 3 should be able to access the JBoss server on Machine 1 only through Machine 2 and not directly.

Note that the 3 machines are part of a private network with a firewall. I was thinking of using iptables on Machine 2 (RHEL installed), but I am unable to use it properly.

Can anyone suggest how I can achieve this setup (using iptables or by any other means)?

I tried running the following iptables command on Machine 2:

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.20

But I am still unable to access Machine 1 from Machine 3 through Machine 2.

Thanks, bot

CKing

2 Answers

3

You could just run a reverse HTTP proxy (Apache, Squid, varnish, nginx) on machine2. This is actually a fairly common configuration with application servers, where a "front-end" proxy is used to provide caching and failover for a backend application.

You would then have iptables rules on machine1 that would only allow connectivity from machine 2.

larsks
  • Thanks for the tip. The reason why I want this kind of a setup is that I want to block incoming requests to some ports (RMI, JNDI, JMS, etc.) on Machine 2 and check how my Java client application on Machine 3 is affected when these ports are blocked by a firewall, wrongly configured in NAT, etc. (Machine 2 in this case). Will I be able to achieve this objective using a reverse HTTP proxy? Also, can you elaborate more on the iptables commands to be used on Machine 1? – CKing Jun 23 '11 at 14:22
  • If you are communicating using protocols other than http then no, an http proxy will not do what you want. As for iptables, I believe there is already a lot of good information out there on how to block specific ports. If you can't get iptables to do the connection forwarding you want, you can use a generic tcp proxy (like balance, or xinetd, or something) to accomplish the same thing. – larsks Jun 23 '11 at 15:36
  • Thanks once again. I will try out your suggestion and post back the results soon. – CKing Jun 24 '11 at 05:40
  • Tried the following command on machine 2 iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.20:80. However, I get a connection timed out error in the browser on machine 3 after some time when I type 10.10.10.21:80 in the browser. What did I do wrong here? – CKing Jun 24 '11 at 09:40
1

I managed to forward requests coming to Machine 2 to Machine 3 by using iptables. Ignore the comments in the script as they may not be correct explanations for the commands.

    #!/bin/bash

    # IP forwarding must be enabled on Machine 2, or the DNATed packets are never
    # passed on to Machine 1. Run this once if it is not already enabled:
    #echo 1 > /proc/sys/net/ipv4/ip_forward

    # DNAT: rewrite the destination of TCP connections arriving for Machine 2
    # (10.10.10.21) on the listed ports to the same port on Machine 1 (10.10.10.20).
    iptables -t nat -A PREROUTING -p tcp -d 10.10.10.21 --dport 80 -j DNAT --to 10.10.10.20:80
    iptables -t nat -A PREROUTING -p tcp -d 10.10.10.21 --dport 1099 -j DNAT --to 10.10.10.20:1099
    iptables -t nat -A PREROUTING -p tcp -d 10.10.10.21 --dport 1098 -j DNAT --to 10.10.10.20:1098

    # MASQUERADE: rewrite the source of the forwarded packets to Machine 2's address,
    # so that Machine 1's replies come back through Machine 2 (which undoes the NAT)
    # instead of going straight to Machine 3, which would discard them.
    iptables -t nat -A POSTROUTING -d 10.10.10.20 -j MASQUERADE

This script causes all HTTP, RMI and naming service requests made to Machine 2 to be forwarded to Machine 1.

CKing
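The following script is an added example written for this page; it is not code from either answer. It puts together the two halves of the setup that the thread discusses: the DNAT/MASQUERADE forwarding on Machine 2 from the accepted answer, and the Machine 1 rules that larsks mentions but does not spell out (accept the JBoss ports only from Machine 2, drop them from anyone else). The addresses and the ports 80, 1099 and 1098 are taken from the question and the script above; the interface name eth1 is deliberately not assumed, the rules match on addresses instead. It also includes a small policy_decision function, an assumption for illustration, that mirrors what the Machine 1 rules decide for a given source address and port so the policy can be sanity-checked without root. Without APPLY=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original posts). Dry-run by default; to apply,
# run as root on the respective host:  APPLY=1 ./jboss-fw.sh machine1|machine2

M1=10.10.10.20   # JBoss server (from the question)
M2=10.10.10.21   # forwarding host with iptables (RHEL)
M3=10.10.10.22   # client
PORTS="80 1099 1098"   # HTTP, RMI registry, JNDI/RMI (from the accepted answer)

# Machine 2: forward the listed ports to Machine 1.
# The MASQUERADE step matters because all three hosts share one subnet: without
# it Machine 1 would answer Machine 3 directly with its own source address,
# Machine 3 never opened a connection to that address, so it drops the replies
# and the browser reports a timeout (the symptom in the comments above).
machine2_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    for p in $PORTS; do
        echo "iptables -t nat -A PREROUTING -p tcp -d $M2 --dport $p -j DNAT --to-destination $M1:$p"
        # -I (insert at top) because RHEL's default FORWARD chain ends in a REJECT rule
        echo "iptables -I FORWARD -p tcp -d $M1 --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -p tcp -d $M1 -j MASQUERADE"
}

# Machine 1: the forwarded connections all arrive with source $M2 (because of
# the MASQUERADE), so accepting the JBoss ports from $M2 only and dropping them
# otherwise blocks direct access from Machine 3.
machine1_rules() {
    echo "iptables -I INPUT -i lo -j ACCEPT"
    echo "iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $PORTS; do
        echo "iptables -A INPUT -p tcp -s $M2 --dport $p -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
    done
}

# Hypothetical helper: reproduces the decision of machine1_rules for a new
# connection from $1 to TCP port $2, so the policy can be checked without root.
policy_decision() {
    _src=$1; _port=$2
    for p in $PORTS; do
        if [ "$p" = "$_port" ]; then
            if [ "$_src" = "$M2" ]; then echo ACCEPT; else echo DROP; fi
            return 0
        fi
    done
    echo ACCEPT   # ports outside the list are left to the host's existing policy
}

if [ "${APPLY:-0}" = "1" ]; then
    case "$1" in
        machine1) machine1_rules | sh -e ;;
        machine2) machine2_rules | sh -e ;;
        *) echo "usage: APPLY=1 $0 machine1|machine2" >&2; exit 2 ;;
    esac
else
    echo "# Machine 2 ($M2):"; machine2_rules
    echo "# Machine 1 ($M1):"; machine1_rules
fi
```

Review the printed rules first, then apply them on the right host; the Machine 1 rules only make sense together with the Machine 2 MASQUERADE, since it is that source rewrite which lets Machine 1 tell forwarded traffic (source 10.10.10.21) apart from a direct attempt by Machine 3 (source 10.10.10.22). The rules are not persisted across a reboot by this script; on RHEL, `service iptables save` does that.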