DMZ Without the Risk
post Nov 8 2013, 01:09 PM
Post #1


So now we have a VPN client, VPN server and now we're ready to get our pseudo site-to-site network going. We'll test this with a simple web server first. While I hate using it, for this purpose we'll be using Apache and we'll test both HTTP and HTTPS.

On the client machine let's install Apache:


root@SKYNet:/etc/openvpn# apt-get install apache2

Apache should auto-start on the client server, so visit your client machine via web browser and see if a web page shows up. Cool huh?

Well, we'll take this a step further. Remember the inet address I told you to make note of in the last part? This is where it'll come in handy. On the server we are going to mess with iptables a little bit.

We'll enter two iptables commands on the server:


root@cs01:/etc/openvpn/easy-rsa# iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination
root@cs01:/etc/openvpn/easy-rsa# iptables -t nat -I POSTROUTING -j MASQUERADE

While I won't get into a whole guide on how iptables works, basically since we want to forward traffic to another machine without ever concerning ourselves with it on the VPN server we need to use the NAT (network address translation) table. If you are familiar with basic iptables then PREROUTING can be compared to the INPUT chain and POSTROUTING compared to the OUTPUT chain. So everything on the server end we want to route to a client machine should go in the NAT's PREROUTING chain.

For prerouting we are basically saying any traffic on TCP/80 is to be redirected to (our client machine). If you set up Apache to run on a different port then you would just change 80 to whatever port it's running on.

Now, I'm not going to pretend to be a guru with iptables (i.e.: man pages are my friend), but the postrouting table basically says "any packet leaving me will have my IP address." Per the man pages themselves regarding MASQUERADE:

It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway).

Since this is on a VPS it would be safe to do the SNAT route instead, but I'd rather be on the safe side knowing how my luck with VPSes is. Basically, if you have a static IP it recommends using SNAT, otherwise use MASQUERADE.

What about HTTPS, though? Well, let's do that now! First, on the server we'll add a new rule to iptables PREROUTING:

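The post's two iptables lines do the job, but as written they DNAT port 80 from every interface and MASQUERADE every packet the server emits, and they assume the filter table's FORWARD chain will let the rewritten packets through. The script below is an added example (it is not the poster's own commands and nothing in it comes from the thread) that does the same PREROUTING/DNAT and POSTROUTING/MASQUERADE setup for both HTTP and HTTPS, with the details a defender would want: the client address and ports are validated, the DNAT rule only matches the public interface, the source rewrite only applies to packets leaving through the tunnel, matching FORWARD rules are added, rules are checked with -C before being appended so re-running does not stack duplicates, and DRY_RUN=1 prints the commands instead of running them. The interface names (eth0, tun0), the client tunnel address 10.8.0.6 and the optional SERVER_VPN_IP used for the SNAT variant are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the original post's commands: forward TCP/80 and TCP/443
# arriving on the VPN server's public interface to a VPN client, using the
# NAT table as the post does, plus validation, interface scoping,
# idempotent insertion and a dry-run mode.
# Assumed placeholders (none of these values come from the post):
#   CLIENT_VPN_IP  the client's tunnel "inet addr" noted earlier  (e.g. 10.8.0.6)
#   PUBLIC_IF      the server's public-facing interface          (e.g. eth0)
#   VPN_IF         the server's OpenVPN tunnel interface          (e.g. tun0)
#   SERVER_VPN_IP  the server's own tunnel address; if set, SNAT is used
#                  instead of MASQUERADE (the static-address case in the man page)
# DRY_RUN=1 prints the iptables commands instead of executing them.
PUBLIC_IF=${PUBLIC_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}

valid_ipv4() {
  # Four dotted decimal octets, each 0-255 (pure POSIX sh, no regex).
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] || return 1
  [ "$1" -le 65535 ] || return 1
}

run_rule() {
  # $1 = table, remaining args = rule spec. -C checks whether the exact rule
  # already exists, so re-running the script does not add duplicates.
  table=$1; shift
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "iptables -t $table -A $*"
    return 0
  fi
  iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

forward_ports() {
  # usage: forward_ports CLIENT_IP PORT [PORT...]
  client=$1; shift
  valid_ipv4 "$client" || { echo "invalid client IPv4 address: $client" >&2; return 1; }
  for port in "$@"; do
    valid_port "$port" || { echo "invalid TCP port: $port" >&2; return 1; }
  done
  # The kernel drops forwarded packets unless IP forwarding is enabled.
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "sysctl -w net.ipv4.ip_forward=1"
  else
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
  fi
  # Replies from the client back towards the public side.
  run_rule filter FORWARD -i "$VPN_IF" -o "$PUBLIC_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for port in "$@"; do
    # PREROUTING/DNAT rewrites the destination before the routing decision;
    # matching -i keeps it from applying to packets arriving over the tunnel.
    run_rule nat PREROUTING -i "$PUBLIC_IF" -p tcp --dport "$port" -j DNAT --to-destination "$client:$port"
    # The filter FORWARD chain must still accept the rewritten packet;
    # a DROP policy there breaks the forward silently.
    run_rule filter FORWARD -i "$PUBLIC_IF" -o "$VPN_IF" -p tcp -d "$client" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
  # POSTROUTING: rewrite the source only for packets leaving through the tunnel,
  # so the client answers the server's tunnel address and the reply returns via the VPN.
  if [ -n "${SERVER_VPN_IP:-}" ]; then
    run_rule nat POSTROUTING -o "$VPN_IF" -j SNAT --to-source "$SERVER_VPN_IP"
  else
    run_rule nat POSTROUTING -o "$VPN_IF" -j MASQUERADE
  fi
}

# Run as:  DRY_RUN=1 sh forward.sh apply   (print the commands)
#      or: sh forward.sh apply             (apply them, as root)
if [ "${1:-}" = "apply" ]; then
  forward_ports "${CLIENT_VPN_IP:-10.8.0.6}" 80 443
fi
```

Because the rules are appended with -A rather than inserted with -I, they sit behind any PREROUTING or FORWARD rules already present; if an existing earlier rule matches the same traffic it wins, which is worth checking with `iptables -t nat -L PREROUTING -n -v --line-numbers` after applying.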

Posts in this topic
- hung   DMZ Without the Risk   Nov 8 2013, 01:09 PM