Just discovered something very interesting. I had all my websites set up on my machine with IP-based virtual hosts (i.e. ) and was trying to use wildcards (*:80), but it just wasn't working the way I wanted: I wanted some sites restricted to a certain IP, and others that would respond to the dynamic IP from my cable provider. Just for kicks I tried something with shorewall that actually worked quite nicely.

In shorewall, you can write a rule like:

DNAT net loc:10.0.5.10 tcp http -

which takes an incoming http connection to the firewall and forwards it to the appropriate IP (10.0.5.10 in this case) in the “loc” (local) zone. So I tried the same thing except the IP wasn’t an external machine.

For instance, eth0 is connected to the internet and gets a dynamic IP via DHCP. eth1 is connected to my internal network, similar to the firewall. It also runs shorewall. So I made eth1:0 an IP on the local network (say, 10.0.5.100). Then I have a rule that does:

DNAT net net:10.0.5.100 tcp http -

This takes the http traffic coming in from the net zone on port 80 and redirects it to 10.0.5.100 (in other words, incoming port 80 on eth0 goes to eth1:0).

Works like a champ! This way I can configure apache to use , and never need to change anything if the external IP changes because it only listens on that IP, and shorewall will take care of the forwarding (and it doesn’t care what the IP on eth0 is).
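To make the mechanics of the two rules above concrete, here is an added example (my own code, not from the post or from the Shorewall project) that parses a Shorewall `rules` line and emits a simplified iptables equivalent. It assumes a constructed zone table (net on eth0, loc on eth1) and a constructed set of the firewall's own addresses containing the eth1:0 alias; real Shorewall compiles rules into its own chain layout, so the output here is the essential nat rewrite plus the filter accept, not a byte-for-byte reproduction. The point it demonstrates is the one that makes the trick work: after DNAT the kernel routes on the rewritten address, so a target that is one of the firewall's own addresses takes the INPUT path rather than FORWARD, and that is where the daemon listening on 10.0.5.100:80 picks it up.

```python
"""Translate a Shorewall DNAT rule line into a simplified iptables equivalent.

Added example; the zone table, firewall addresses and service table below
are constructed assumptions that mirror the layout described in the post.
"""
from dataclasses import dataclass
from typing import List
import ipaddress

# Constructed: eth0 faces the internet (net zone), eth1 faces the LAN (loc zone).
ZONE_INTERFACE = {"net": "eth0", "loc": "eth1"}

# Constructed: addresses the firewall itself owns, including the eth1:0 alias.
FIREWALL_ADDRESSES = {"10.0.5.100"}

# Minimal service table so the example runs without consulting /etc/services.
SERVICES = {"http": 80, "https": 443, "ssh": 22}


@dataclass
class DnatRule:
    source_zone: str
    dest_zone: str
    dest_ip: str
    proto: str
    dport: int


def parse_rule(line: str) -> DnatRule:
    """Parse one 'rules' line: ACTION SOURCE DEST PROTO DEST_PORT [SOURCE_PORT]."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"too few fields: {line!r}")
    action, source, dest, proto, dport = fields[:5]
    if action.upper() != "DNAT":
        raise ValueError(f"only DNAT rules are handled, got {action!r}")
    if source not in ZONE_INTERFACE:
        raise ValueError(f"unknown source zone {source!r}")
    dest_zone, sep, dest_ip = dest.partition(":")
    if not sep or dest_zone not in ZONE_INTERFACE:
        raise ValueError(f"DEST must be zone:ip, got {dest!r}")
    ipaddress.ip_address(dest_ip)  # raises ValueError if it is not an address
    port = int(dport) if dport.isdigit() else SERVICES.get(dport.lower())
    if port is None:
        raise ValueError(f"unknown service {dport!r}")
    return DnatRule(source, dest_zone, dest_ip, proto.lower(), port)


def to_iptables(rule: DnatRule) -> List[str]:
    """Return the nat-table rewrite plus the filter-table accept for the rule.

    After DNAT the kernel makes its routing decision on the new address: a
    packet now addressed to the firewall itself goes through INPUT, anything
    else through FORWARD, so the accept is placed in whichever chain applies.
    A rule sourced from 'net' with no source address admits every internet
    host, which is exactly the exposure the post accepts for its web server.
    """
    in_if = ZONE_INTERFACE[rule.source_zone]
    match = f"-i {in_if} -p {rule.proto} --dport {rule.dport}"
    nat = f"iptables -t nat -A PREROUTING {match} -j DNAT --to-destination {rule.dest_ip}"
    chain = "INPUT" if rule.dest_ip in FIREWALL_ADDRESSES else "FORWARD"
    accept = f"iptables -A {chain} {match} -d {rule.dest_ip} -j ACCEPT"
    return [nat, accept]


if __name__ == "__main__":
    # The two rules from the post, as constructed input lines.
    for line in ("DNAT net loc:10.0.5.10 tcp http -",
                 "DNAT net net:10.0.5.100 tcp http -"):
        print(f"# {line}")
        for cmd in to_iptables(parse_rule(line)):
            print(cmd)
```

Running it prints the forwarding case (accept in FORWARD, target 10.0.5.10) next to the hairpin case (accept in INPUT, target 10.0.5.100), which is the difference between forwarding to another host and redirecting to a local alias that apache binds to.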

I’m sure someone has come up with this before, but I was goofing around, came up with it, and it worked, so I figured I’d share. It is much easier to manage than wildcard addressing, particularly if you want to use https in there as well. (Anyone who was connecting earlier tonight probably got an XML download instead of a web page, and for that you have my apologies.)
