#!/bin/tcsh
# Firewall and NAT rules for this gateway.  Every run tears the whole iptables
# configuration down and rebuilds it from this file.
#
# If you change this file, start by saying "su -".  You want the dash to help
# with the path.  When you want to try your changes, type ./rc.firewall.
#
# NOTE(review): tcsh has no "stop on first error".  A rule that fails to load
# (typo, host name that does not resolve) is skipped and the script carries on
# with a partial ruleset.  INPUT and FORWARD default to DROP further down, so
# that fails closed, but watch the output of a run for error messages.

# Public addresses on the outside interface.  Several names deliberately share
# one address; the name a rule uses says what the rule is for.
setenv MAIN_EXTERNAL 69.43.145.244
setenv MAIL 69.43.145.245
setenv TEST1 69.43.145.245
setenv NEW_PROXY 69.43.145.245
setenv PROXY_HTTP 69.43.145.246
setenv TEST2 69.43.145.246
setenv STATIC_HTTP 69.43.145.249
setenv SCOTTRADE_HTTPS 69.43.145.250

# This is the web server which is usually hosted on dice, with dana as a
# backup.  We are sharing an IP address with mail just because that port
# was available on that IP address.  This is a lighttpd process, mostly
# aimed at our js_proxy_server.
#setenv HADOOP $MAIL
# This was all merged together.  Dice and dana serve as an HTTP reverse
# proxy (and hot backup) for most web traffic.  That all comes over
# MAIN_EXTERNAL now.

# Inside hosts.  Strange: a few iptables options (DNAT --to-destination in
# particular) require an IP address, where most allow a name.  The DNAT rules
# below use these variables; some of the matching FORWARD rules use the bare
# host name instead, which iptables resolves separately when the rule loads.
setenv DRAMA 192.168.1.212
setenv SHAUNA 192.168.1.211
setenv DOM 192.168.1.214
setenv CHUCK_LIDDELL 192.168.1.219
setenv HARVEY 192.168.1.220
setenv WALLY_BALLS 192.168.1.222
setenv FOGELL 192.168.1.232
setenv JULES 192.168.1.233
setenv BECCA 192.168.1.234
setenv CANNES 192.168.1.241
setenv ITS_THE_COPS 192.168.1.203
setenv DICE 192.168.1.205
setenv DANA 192.168.1.202
setenv BOB_SAGET 192.168.1.227
setenv YAIR 192.168.1.242
setenv DAISY_MAE_128K 192.168.1.247
setenv SINCLAIR_2K 192.168.1.224
setenv COMIC_CON 192.168.1.228
setenv DONBOT 192.168.1.207
# NOTE(review): Y2K and CANNES both point at 192.168.1.241.  Confirm this is
# one machine under two names and not a stale entry.
setenv Y2K 192.168.1.241
setenv MORBO 192.168.1.254
setenv JOEY_MOUSEPAD 192.168.1.238

# This is different from the setup on rosario.  The names are completely
# different.  eno2 faces the 192.168.1.0/24 LAN, eno1 faces the ISP.
setenv SAFE_INTERFACE eno2
setenv OUTSIDE_INTERFACE eno1

# This is also different from ari, but like rosario, and this is better.
# This machine has its own dedicated addresses both inside and outside of the
# firewall.  Only when this script is run does this machine start listening
# to the addresses managed by the firewall.
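# These commands were copied from the LVS script on karen.  I read somewhere
# that this way of adding IP addresses to an interface is long deprecated, but
# I don't know a better way.
# NOTE(review): the modern equivalent is "ip addr add ADDR/32 dev IFACE".  As
# written, ifconfig is given no netmask, so it picks a class-based default for
# each alias; check "ip route" after a run to be sure no unintended connected
# route was added for the public block.
# NOTE(review): 69.43.145.245 ($MAIL / $NEW_PROXY / $TEST1) is used by NAT
# rules below but is not added to an interface here.  Presumably it is
# configured elsewhere; if not, those rules never see traffic.
/sbin/ifconfig ${SAFE_INTERFACE}:0 192.168.1.1
/sbin/ifconfig ${OUTSIDE_INTERFACE}:0 $MAIN_EXTERNAL
/sbin/ifconfig ${OUTSIDE_INTERFACE}:1 $PROXY_HTTP
/sbin/ifconfig ${OUTSIDE_INTERFACE}:2 $SCOTTRADE_HTTPS

# Start fresh.  Flushing removes the rules but not the chain policies, so the
# DROP policies set on a previous run stay in force while we rebuild.
iptables --table nat --flush
iptables --table nat --delete-chain
iptables --flush
iptables --delete-chain

# This tracks all use of our ISP.  track_forwarding, below, tracks the use of
# each computer (except the firewall) separately.
#iptables --new-chain track_all
#iptables --append track_all --in-interface $OUTSIDE_INTERFACE -j RETURN
#iptables --append track_all --out-interface $OUTSIDE_INTERFACE -j RETURN
#iptables --append FORWARD -j track_all
#iptables --append INPUT -j track_all
#iptables --append OUTPUT -j track_all

# Source NAT.  Connections initiated from the inside use the firewall's IP
# address as their own.
# The first rule is the hairpin case: an inside client that reaches an inside
# server through one of the DNAT rules below is given 192.168.1.1 as its
# source, so the server's reply comes back through the firewall and can be
# un-NATed.  (That is why such connections appear to come from the firewall.)
iptables --table nat --append POSTROUTING --source 192.168.1.0/24 --destination 192.168.1.0/24 -j SNAT --to-source 192.168.1.1
iptables --table nat --append POSTROUTING --source 192.168.1.0/24 -j SNAT --to-source $MAIN_EXTERNAL

# By default allow no new connections.
iptables --policy INPUT DROP

# Allow connections in progress to continue.  Apparently this includes
# connections started from within the firewall.  This goes first so that it
# also covers the un-NATed replies of the js_proxy_server trick further down
# (those arrive on the safe interface addressed to 127.0.0.1) before the
# loopback check below sees them.
iptables --append INPUT -m state --state ESTABLISHED -j ACCEPT

# Nothing new addressed to 127.0.0.0/8 should ever arrive on a real interface.
# route_localnet is switched on further down for js_proxy_server, which stops
# the kernel from discarding such packets as martians, so drop them here
# before any of the port-based accepts can match them.
iptables --append INPUT ! --in-interface lo --destination 127.0.0.0/8 -j DROP

# Allow unrestricted pings and SSHs to the firewall.
# NOTE(review): 9025 and 9110 are opened to the world here but nothing in this
# file says what listens on them.  Document them or close them.
iptables --append INPUT --protocol icmp -j ACCEPT
iptables --append INPUT --protocol tcp --destination-port 22 -j ACCEPT
iptables --append INPUT --protocol tcp --destination-port 9025 -j ACCEPT
iptables --append INPUT --protocol tcp --destination-port 9110 -j ACCEPT

# Allow related connections, as used in traceroute and ftp.
#iptables --append INPUT -m state --state RELATED -j ACCEPT

# Allow unrestricted access to the firewall from the safe side of the firewall
# and from the loopback interface.
# Fix: the Linux loopback interface is "lo"; "lo0" is the BSD name, and
# iptables does not check that an interface exists, so the old rule loaded
# fine but never matched.  Locally originated connections to the firewall's
# own services on ports not listed above were therefore dropped.
iptables --append INPUT --in-interface $SAFE_INTERFACE -j ACCEPT
iptables --append INPUT --in-interface lo -j ACCEPT

# Destination NAT.  These connections were aimed at the firewall, but the
# firewall will pass them to a specific server.  Every DNAT needs a matching
# FORWARD ACCEPT for its inside destination, or the FORWARD DROP policy
# silently eats the rewritten packet.

# Karen and Shauna are set up to do the old version of the proxy going through
# Apache.  Amanda is set up the new way using YAWS.  YAWS is running on port
# 8000 because it has trouble using the lower numbered ports.  We hide that
# from the outside world.
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 80 -j DNAT --to-destination ${KAREN}:80
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 80 -j DNAT --to-destination ${AMANDA}:8000
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 80 -j DNAT --to-destination ${CHUCK_LIDDELL}:8000

# https comes in on port 443 and is sent to port 8001 internally.  You cannot
# use name based virtual hosting with https.  Shauna is hosting
# secure.trade-ideas.com.  Currently karen is a hot backup for
# proxy.trade-ideas.com.  However, this should change in the near future.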
# Karen should be a complete backup for shauna, and amanda should be a hot
# backup for chuck-liddell.
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 443 -j DNAT --to-destination ${CHUCK_LIDDELL}:8001
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 443 -j DNAT --to-destination ${AMANDA}:8001
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 443 -j DNAT --to-destination ${KAREN}:443
#now handled by lighttpd on this machine
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 443 -j DNAT --to-destination ${BOB_SAGET}:8443
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 443 -j DNAT --to-destination ${SHAUNA}:8443

#test to see if port 25 is being blocked.
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 25 -j DNAT --to-destination ${KAREN}:22

# SSH into individual inside machines, one high port each.  Each active
# mapping has a FORWARD ACCEPT on port 22 for the same host further down.
# NOTE(review): these are reachable from any source address.  If the people
# who use them come from fixed addresses, add --source to the PREROUTING rule
# (the commented-out "Philip's house" rule below shows the pattern) so the
# inside SSH daemons are not exposed to the whole Internet.
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8023 -j DNAT --to-destination ${CHUCK_LIDDELL}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8026 -j DNAT --to-destination ${DRAMA}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8027 -j DNAT --to-destination ${SHAUNA}:22
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8029 -j DNAT --to-destination ${DOM}:22
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8031 -j DNAT --to-destination ${HARVEY}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8032 -j DNAT --to-destination ${BECCA}:22
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8033 -j DNAT --to-destination ${WALLY_BALLS}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8034 -j DNAT --to-destination ${COMIC_CON}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8041 -j DNAT --to-destination ${JOEY_MOUSEPAD}:22

# NOTE(review): 192.168.0.201 is outside the 192.168.1.0/24 this firewall
# manages, and no FORWARD rule visible in this file accepts traffic to it.
# With the FORWARD policy at DROP these two mappings cannot pass traffic from
# outside as the file stands; add the ACCEPT (and check the route) if they are
# still wanted, otherwise retire them.
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9080 -j DNAT --to-destination 192.168.0.102-192.168.0.104:80
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9080 -j DNAT --to-destination 192.168.0.201:80
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 3200 -j DNAT --to-destination 192.168.0.102-192.168.0.104:80
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 3200 -j DNAT --to-destination 192.168.0.201:80

# Test an individual HTTP server.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 2001 -j DNAT --to-destination ${SHAUNA}:80

# ftp
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 20 -j DNAT --to-destination ${WILL}
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 21 -j DNAT --to-destination ${WILL}
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 1040:1049 -j DNAT --to-destination ${WILL}

# named - not advertised, but should not be a real problem.  Eventually we may
# host our own name server, but for now this is just for our own client
# machine.
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 53 -j DNAT --to-destination $WILL
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol udp --destination-port 53 -j DNAT --to-destination $WILL

# new server
# scottrade uses port 443.  We send them to server.trade-ideas.com:443
# test port - used to see if someone could, in all likelihood, attach to the
# new server.  Used by our test program.  The first one should display the
# time and exit quickly.  The second one should quickly reject the packet.
# The third one should work like the first; we want to see if more people have
# their https port wide open than other ports.
# Does anyone still use this?  It's not delivered as part of TI Pro 3.x.
# It will probably be broken as part of installing the new firewall on
# 4/12/2015.
#iptables -t nat --append PREROUTING --destination $TEST1 --protocol tcp --destination-port 8888 -j DNAT --to-destination ${CHUCK_LIDDELL}:13
iptables -t nat --append PREROUTING --destination $TEST2 --protocol tcp --destination-port 8888 -j DNAT --to-destination ${SHAUNA}:8888
# The following port has been reused.  It now points to the new micro_proxy
# (the micro_proxy chain below takes $NEW_PROXY port 443).
#iptables -t nat --append PREROUTING --destination $TEST1 --protocol tcp --destination-port 443 -j DNAT --to-destination ${CHUCK_LIDDELL}:13

# This was an old attempt at load balancing.  iptables does a poor job of
# load balancing.
#iptables -t nat --append PREROUTING --destination $EXTERNAL6 --protocol tcp --destination-port 8086 -j DNAT --to-destination ${WILL}:80 --to-destination ${KAREN}:80

## Do not accept an external request for forwarding.
## Allow forwarding that we create through DNAT.
## Allow forwarding from the inside, out.
## If someone knew enough about the inside of the network, they could ask to be
## routed to a specific machine on the inside.
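#iptables --append FORWARD -m conntrack --in-interface eth1 --ctorigdst 192.168.0.0/16 -j REJECT
# for some reason this doesn't work.  It matches stuff that came into the
# firewall the right way.

# By default do not allow forwarding.  If someone knew enough about the
# inside of the network, they could ask the firewall to be a gateway.
iptables --policy FORWARD DROP
#iptables --new-chain track_forwarding
#iptables --append FORWARD -j track_forwarding

# Allow connections in progress to continue.  (RELATED is deliberately not
# accepted here, same as on INPUT, so ICMP errors for forwarded flows are
# dropped.)
iptables --append FORWARD -m state --state ESTABLISHED -j ACCEPT

# Allow new connections from the inside, out.
iptables --append FORWARD --in-interface $SAFE_INTERFACE -j ACCEPT

# Anything arriving on the outside interface that the nat table did not
# rewrite has no business being forwarded: every legitimate inbound path in
# this file goes through a DNAT rule.  Dropping it here means the per-host
# ACCEPT rules below can only be reached through their matching DNAT, so an
# ACCEPT whose DNAT has since been commented out cannot be used by someone who
# routes 192.168.1.0/24 at us directly.  This is the working replacement for
# the --ctorigdst attempt above.
iptables --append FORWARD --in-interface $OUTSIDE_INTERFACE -m conntrack ! --ctstate DNAT -j DROP

# Mosh -- Mobile shell -- https://mosh.org/
iptables -A INPUT -p udp -m multiport --dports 60000:61000 -j ACCEPT

# The ACCEPT rules below use the same variables as their DNAT rules so the two
# halves cannot drift apart.  (They used bare host names, which iptables
# resolves through /etc/hosts or DNS when the rule loads and which may not
# agree with the addresses at the top of this file.)

# TIQ server for weston.  They use westin.trade-ideas.com:9339
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9339 -j DNAT --to-destination ${FOGELL}
iptables --append FORWARD --destination $FOGELL --protocol tcp --destination-port 9339 -j ACCEPT

# TIQ test server for weston.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9338 -j DNAT --to-destination ${JULES}:9339
iptables --append FORWARD --destination $JULES --protocol tcp --destination-port 9339 -j ACCEPT
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9339 -j DNAT --to-destination ${BECCA}
# The DNAT for becca:9339 is commented out, so this ACCEPT is only reachable
# from the inside, where everything is accepted anyway.
iptables --append FORWARD --destination $BECCA --protocol tcp --destination-port 9339 -j ACCEPT

# Test TI Pro server for Xetra
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9999 -j DNAT --to-destination ${BECCA}
#iptables --append FORWARD --destination becca --protocol tcp --destination-port 9999 -j ACCEPT

# The following are valid and safe destinations
#iptables --append FORWARD --destination will --protocol tcp --destination-port 20 -j ACCEPT
#iptables --append FORWARD --destination will --protocol tcp --destination-port 21 -j ACCEPT
#iptables --append FORWARD --destination will --protocol tcp --destination-port 1040:1049 -j ACCEPT
# No DNAT in this file sends traffic to bob-saget:80 any more (the lighttpd
# section handles 80/443 on this machine); kept for inside use.
iptables --append FORWARD --destination $BOB_SAGET --protocol tcp --destination-port 80 -j ACCEPT
#iptables --append FORWARD --destination $WILL --protocol tcp --destination-port 53 -j ACCEPT
#iptables --append FORWARD --destination $WILL --protocol udp --destination-port 53 -j ACCEPT
#iptables --append FORWARD --destination $WILL --protocol tcp --destination-port 8888 -j ACCEPT
# SSH into individual machines; each has a DNAT from a high port above.
iptables --append FORWARD --destination $JOEY_MOUSEPAD --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination $DRAMA --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination $SHAUNA --protocol tcp --destination-port 22 -j ACCEPT
# The DNAT for dom (port 8029) is commented out above.
iptables --append FORWARD --destination $DOM --protocol tcp --destination-port 22 -j ACCEPT
#iptables --append FORWARD --destination harvey --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination $SHAUNA --protocol tcp --destination-port 80 -j ACCEPT
iptables --append FORWARD --destination $SHAUNA --protocol tcp --destination-port 8888 -j ACCEPT
iptables --append FORWARD --destination $SHAUNA --protocol tcp --destination-port 443 -j ACCEPT
iptables --append FORWARD --destination $SHAUNA --protocol tcp --destination-port 8443 -j ACCEPT
iptables --append FORWARD --destination $BOB_SAGET --protocol tcp --destination-port 8443 -j ACCEPT
#iptables --append FORWARD --destination chuck-liddell --protocol tcp --destination-port 22 -j ACCEPT
#iptables --append FORWARD --destination chuck-liddell --protocol tcp --destination-port 8000 -j ACCEPT # web server for http tunnelling
#iptables --append FORWARD --destination chuck-liddell --protocol tcp --destination-port 8001 -j ACCEPT # web server for https tunnelling
#iptables --append FORWARD --destination chuck-liddell --protocol tcp --destination-port 13 -j ACCEPT
iptables --append FORWARD --destination $BECCA --protocol tcp --destination-port 22 -j ACCEPT
#iptables --append FORWARD --destination wally-balls --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination $COMIC_CON --protocol tcp --destination-port 22 -j ACCEPT
#iptables --append FORWARD --destination mrs-ari --protocol tcp --destination-port 22 -j ACCEPT
#iptables --append FORWARD --destination kimmel-pa --protocol tcp --destination-port 22 -j ACCEPT
#iptables --append FORWARD --destination cannes --protocol tcp --destination-port 22 -j ACCEPT
#iptables --append FORWARD --destination its-the-cops --protocol tcp --destination-port 443 -j ACCEPT

# VIP is the virtual IP address that corresponds to the load balancer.  Items
# sent to this address will initially go to the load balancer, and then to
# one of the actual workers.
# We have three different VIP addresses, depending which machine is acting as
# a load balancer.
# 192.168.1.10 is reserved for ben-doucette.  This machine was our first load
# balancer, but it was deactivated long ago.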
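# 192.168.1.11 is reserved for karen.  This machine is to become the new
# primary load balancer.
# 192.168.1.12 is reserved for shauna.  This machine is to become a hot backup.
#setenv VIP 192.168.1.11
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8800 -j DNAT --to-destination $VIP
#iptables --append FORWARD --destination $VIP --protocol tcp --destination-port 8800 -j ACCEPT
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8888 -j DNAT --to-destination $VIP

# scottrade uses port 443.  We send them to server.trade-ideas.com:443
# server.trade-ideas.com was $MAIN_EXTERNAL but we are migrating people to
# $SCOTTRADE_HTTPS so we can do actual HTTPS on the main address.
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 443 -j DNAT --to-destination ${VIP}:8888
#iptables -t nat --append PREROUTING --destination $SCOTTRADE_HTTPS --protocol tcp --destination-port 443 -j DNAT --to-destination ${VIP}:8888
# silverlight port
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 4502 -j DNAT --to-destination ${VIP}:8888
#iptables --append FORWARD --destination $VIP --protocol tcp --destination-port 8888 -j ACCEPT

# Always point a connection from Philip's house to the test server.  There are
# other ways to reconfigure scottrade elite, but this seemed like the simplest
# at the time.
#iptables -t nat --append PREROUTING --source 68.105.114.31 --destination $SCOTTRADE_HTTPS --protocol tcp --destination-port 443 -j DNAT --to-destination ${DICE}:8800
#e*trade test -- michael
#iptables -t nat --append PREROUTING --source 76.176.3.16 --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8888 -j DNAT --to-destination ${DONBOT}:8800
#iptables --append FORWARD --destination donbot --protocol tcp --destination-port 8800 -j ACCEPT

# New load balancer.  Remove the virtual IP (VIP).  Do it all here.
# Two public entry points feed one chain: 8888 on the main address and 443 on
# $SCOTTRADE_HTTPS.  Both are rewritten to port 8888 on a worker, so whatever
# arrives on 443 is handed to the alert server as-is; per the note above, that
# address exists so the main address can carry real HTTPS.
# Only the first packet of a connection consults the nat table, so the
# statistic match spreads new connections (not packets): 1/4 to the first
# rule, 1/3 of the rest to the second, half of what is left to the third and
# the remainder to the last.
iptables -t nat --new-chain ax_alert_server
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8888 -j ax_alert_server
iptables -t nat --append PREROUTING --destination $SCOTTRADE_HTTPS --protocol tcp --destination-port 443 -j ax_alert_server
iptables -t nat --append ax_alert_server -p tcp -m statistic --mode nth --every 4 --packet 0 -j DNAT --to-destination ${DAISY_MAE_128K}:8888
iptables -t nat --append ax_alert_server -p tcp -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination ${SINCLAIR_2K}:8888
iptables -t nat --append ax_alert_server -p tcp -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination ${DICE}:8888
iptables -t nat --append ax_alert_server -p tcp -m statistic --mode nth --every 1 --packet 0 -j DNAT --to-destination ${DANA}:8888
# The ACCEPTs use the same variables as the DNATs above so the two halves
# cannot disagree (bare host names are resolved separately at load time).
iptables --append FORWARD --destination $DAISY_MAE_128K --protocol tcp --destination-port 8888 -j ACCEPT
iptables --append FORWARD --destination $SINCLAIR_2K --protocol tcp --destination-port 8888 -j ACCEPT
iptables --append FORWARD --destination $DICE --protocol tcp --destination-port 8888 -j ACCEPT
iptables --append FORWARD --destination $DANA --protocol tcp --destination-port 8888 -j ACCEPT

# Moved the test server to dice.  It seemed that some things worked on
# chuck-liddell and amanda but failed on dice and dana.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8800 -j DNAT --to-destination $DICE
iptables --append FORWARD --destination $DICE --protocol tcp --destination-port 8800 -j ACCEPT

# Load balancer for js_proxy_server
# Lighttpd has a load balancer built into it, but I don't like the way it
# works.  Instead, when there's an SCGI request lighttpd will send it to
# 127.0.0.1.  We'll capture it here.  We'll use a round robin scheduler to
# forward it to the real server.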
# http://serverfault.com/questions/646522/port-forward-with-iptables explains
# how to forward from the local machine to another machine.  Most of our
# forwarding rules:
# 1) Work perfectly from the outside.
# 2) Work from inside the firewall with just one small issue, the return
#    address is always the firewall, not the original machine.
# 3) Do not work at all from a request initiated on the firewall.
# This is not uncommon.  Here's a summary of their suggestion:
# 1) Change PREROUTING to OUTPUT when we capture the packet.
# 2) Add a special SNAT rule so the return address won't be 127.0.0.1, so the
#    receiving process can send a packet back.
# 3) Set route_localnet to 1.  By default the packet generated by #1 and #2
#    will look fishy and be thrown out.  Disable that test.

# Lighttpd sends SCGI requests to 127.0.0.1:4433; the OUTPUT rule catches them
# and the chain spreads them over the real servers.  Only a connection's first
# packet consults the nat table, so the statistic match balances connections,
# not packets: 1/4 to the first rule, 1/3 of the rest to the second, half of
# what is left to the third, and the remainder to the last.
# NOTE(review): the first two rules both name $Y2K, so it receives half of all
# connections while dice and dana get a quarter each.  Confirm that is the
# intent and not a placeholder left over from a fourth server.
iptables -t nat --new-chain js_proxy_server
iptables -t nat --append OUTPUT -o lo --protocol tcp --destination-port 4433 -j js_proxy_server
iptables -t nat --append js_proxy_server -p tcp -m statistic --mode nth --every 4 --packet 0 -j DNAT --to-destination $Y2K
iptables -t nat --append js_proxy_server -p tcp -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination $Y2K
iptables -t nat --append js_proxy_server -p tcp -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination $DICE
iptables -t nat --append js_proxy_server -p tcp -m statistic --mode nth --every 1 --packet 0 -j DNAT --to-destination $DANA
# Locally generated packets go OUTPUT -> POSTROUTING and never traverse
# FORWARD, so these three ACCEPTs are not what makes the local path work; they
# only affect traffic transiting the firewall to port 4433 on these hosts.
iptables --append FORWARD --destination $Y2K --protocol tcp --destination-port 4433 -j ACCEPT
iptables --append FORWARD --destination $DICE --protocol tcp --destination-port 4433 -j ACCEPT
iptables --append FORWARD --destination $DANA --protocol tcp --destination-port 4433 -j ACCEPT
# Rewrite the 127.0.0.1 source so the worker can reply to 192.168.1.1.  The
# general POSTROUTING SNAT rules near the top only match sources in
# 192.168.1.0/24 and so would not touch this packet.
iptables --table nat --append POSTROUTING --protocol tcp --destination-port 4433 --source 127.0.0.1 --destination 192.168.1.0/24 -j SNAT --to-source 192.168.1.1
# NOTE(review): this switches off the loopback martian check on every
# interface, including $OUTSIDE_INTERFACE, so a packet addressed to
# 127.0.0.0/8 arriving from the Internet is no longer discarded by routing and
# reaches the INPUT chain, where it is judged by port alone.  Enabling it only
# on the interfaces this path needs (conf/lo and conf/${SAFE_INTERFACE})
# would be tighter -- verify the SCGI round trip still works before narrowing
# it -- and an INPUT rule that drops 127.0.0.0/8 destinations not arriving on
# lo is cheap insurance either way.
echo 1 >/proc/sys/net/ipv4/conf/all/route_localnet
# The new micro proxy.  This is the new way to talk with the ti pro server,
# the candle server, and possibly more.
# Two public entry points feed one chain: port 8844 on the main address and
# port 443 on $NEW_PROXY.  Both are rewritten to port 8844 on a worker, so
# whether the 443 traffic is TLS is up to the micro proxy, not this firewall.
# As with ax_alert_server, only a connection's first packet consults the nat
# table, so the statistic match spreads new connections over the four workers.
# NOTE(review): $NEW_PROXY (69.43.145.245) is not added to $OUTSIDE_INTERFACE
# by the ifconfig lines at the top of this file; that address has to come
# from somewhere else for the 443 entry point to see any traffic.
iptables -t nat --new-chain micro_proxy
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8844 -j micro_proxy
iptables -t nat --append PREROUTING --destination $NEW_PROXY --protocol tcp --destination-port 443 -j micro_proxy
iptables -t nat --append micro_proxy -p tcp -m statistic --mode nth --every 4 --packet 0 -j DNAT --to-destination ${DICE}:8844
iptables -t nat --append micro_proxy -p tcp -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination ${DANA}:8844
iptables -t nat --append micro_proxy -p tcp -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination ${DAISY_MAE_128K}:8844
iptables -t nat --append micro_proxy -p tcp -m statistic --mode nth --every 1 --packet 0 -j DNAT --to-destination ${SINCLAIR_2K}:8844
iptables --append FORWARD --destination $DICE --protocol tcp --destination-port 8844 -j ACCEPT
iptables --append FORWARD --destination $DANA --protocol tcp --destination-port 8844 -j ACCEPT
iptables --append FORWARD --destination $DAISY_MAE_128K --protocol tcp --destination-port 8844 -j ACCEPT
iptables --append FORWARD --destination $SINCLAIR_2K --protocol tcp --destination-port 8844 -j ACCEPT
# Direct public ports to two of the workers, bypassing the balancer
# (presumably for checking an individual machine; the ACCEPTs above cover
# them).
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9944 -j DNAT --to-destination ${DAISY_MAE_128K}:8844
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9945 -j DNAT --to-destination ${SINCLAIR_2K}:8844

# Test version of the micro proxy.  This can point to various other test
# servers, as needed.
# Test micro proxy on becca, public port 8840.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8840 -j DNAT --to-destination ${BECCA}:8844
iptables --append FORWARD --destination $BECCA --protocol tcp --destination-port 8844 -j ACCEPT

# Dev version of the micro proxy
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 18840 -j DNAT --to-destination ${BECCA}:8840
iptables --append FORWARD --destination $BECCA --protocol tcp --destination-port 8840 -j ACCEPT

# Test micro proxy on donbot.  One test server wasn't really quite enough.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 18841 -j DNAT --to-destination ${DONBOT}:18840
iptables --append FORWARD --destination $DONBOT --protocol tcp --destination-port 18840 -j ACCEPT

# Test micro proxy on morbo.  Two test servers wasn't really quite enough.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 18844 -j DNAT --to-destination ${MORBO}:8844
iptables --append FORWARD --destination $MORBO --protocol tcp --destination-port 8844 -j ACCEPT

# NOTE(review): the four test/dev mappings above accept any source address.
# Test builds are usually the least hardened thing behind a firewall; if the
# people who use them come from known addresses, add --source to the
# PREROUTING rules the way the commented-out per-person rules below do.
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8844 -j DNAT --to-destination $BECCA
#iptables -t nat --append PREROUTING --destination $NEW_PROXY --protocol tcp --destination-port 443 -j DNAT --to-destination ${BECCA}:8844
#iptables --append FORWARD --destination $BECCA --protocol tcp --destination-port 8844 -j ACCEPT

# Force the normal ax_alert_server port to the test port, but only from my
# house.  Useful for E*TRADE because there's no other way to get to the test
# server.
# iptables -t nat --append PREROUTING --source 70.179.26.162 --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8888 -j DNAT --to-destination ${VIP}:8800

# Load testing for e*trade
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8437 -j DNAT --to-destination ${GURU}:8800

# Now turn on forwarding in the kernel.  Presumably placed last so that on a
# fresh boot nothing is forwarded before the FORWARD chain is in place; on a
# re-run it is already on, and the FORWARD DROP policy (which survives the
# flush at the top) is what covers the rebuild window.
echo "1" > /proc/sys/net/ipv4/ip_forward

# Tracking of throughput
#iptables --append track_forwarding --source vince -j RETURN
#iptables --append track_forwarding --destination vince -j RETURN
#iptables --append track_forwarding --source e -j RETURN
#iptables --append track_forwarding --destination e -j RETURN

###
### Lighttpd server
###
### For the most part, all web traffic comes to lighttpd.
### This will serve some simple static files as is.
### This will be a reverse proxy for all other traffic.
### The reverse proxy is helpful for a number of reasons.
### * We can break up the work between the marketing and development servers
###   without the customer knowing or caring.
### * We can serve SCGI data from the same origin as the main page.
### * We can use fewer domain names for HTTPS.  Each one costs a lot of money.
###
### This machine, kwanzaabot, is the default web server.
### Dice or dana could fill in.  A cron script keeps them in sync.
### That could help with testing.
###
# Both DNATs below are commented out, so 80 and 443 on $MAIN_EXTERNAL
# terminate on this machine (the INPUT accepts further down), where lighttpd
# runs.  The DICE/DANA FORWARD accepts are only there for the day one of them
# is switched back on.
# iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 80 -j DNAT --to-destination $DANA
# iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 443 -j DNAT --to-destination $DANA
iptables --append FORWARD --destination ${DICE} --protocol tcp --destination-port 80 -j ACCEPT
iptables --append FORWARD --destination ${DANA} --protocol tcp --destination-port 80 -j ACCEPT
iptables --append FORWARD --destination ${DICE} --protocol tcp --destination-port 443 -j ACCEPT
iptables --append FORWARD --destination ${DANA} --protocol tcp --destination-port 443 -j ACCEPT
# Lighttpd on this machine listens on 80 and 443; open them on every
# interface.
iptables --append INPUT --protocol tcp --destination-port 80 -j ACCEPT
iptables --append INPUT --protocol tcp --destination-port 443 -j ACCEPT

# Sometimes used for testing.  Never shared with anyone else.
# 8081 rides on the DICE:80 ACCEPT above.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8081 -j DNAT --to-destination ${DICE}:80
# NOTE(review): no FORWARD rule visible in this file accepts traffic to
# 192.168.1.226, so with the FORWARD policy at DROP this mapping cannot pass
# traffic from outside as it stands.  Add
# "iptables --append FORWARD --destination 192.168.1.226 --protocol tcp --destination-port 80 -j ACCEPT"
# if it is still wanted, or retire the mapping.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 10000 -j DNAT --to-destination 192.168.1.226:80

###
### New TIQ server.
### Currently named tiq2.trade-ideas.com
###
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9369 -j DNAT --to-destination ${BECCA}:9369
iptables --append FORWARD --destination ${BECCA} --protocol tcp --destination-port 9369 -j ACCEPT
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8369 -j DNAT --to-destination ${YAIR}:8369
iptables --append FORWARD --destination ${YAIR} --protocol tcp --destination-port 8369 -j ACCEPT

# The candle server on becca.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 1986 -j DNAT --to-destination ${BECCA}:1986
iptables --append FORWARD --destination ${BECCA} --protocol tcp --destination-port 1986 -j ACCEPT
# The sinclair-2k mapping is commented out, so its ACCEPT is only reachable
# from the inside, where everything is accepted anyway.
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 1986 -j DNAT --to-destination ${SINCLAIR_2K}:1986
iptables --append FORWARD --destination ${SINCLAIR_2K} --protocol tcp --destination-port 1986 -j ACCEPT