**Webdav NAT Redirection to inside Firewall**

**Problem:** The Zope website is inside the firewall, and no one can reach it via port 9800. Redirection via Apache (or the redirector object) works fine for rendered access, but source-link access was not happening.

**Possible Solutions:** First I listed all the options I could think of (and their negative attributes in parentheses):

- use **iptables** (initially could not get it to work)

- use Apache Redirect and !ProxyPass rules (not proper Webdav protocol; uses http only)

- use Redirection product (still no source-link access)

- use !ExternalFile product and FTP (untested by me)

- find a webdav client that understands **source-link** (I have not yet found one)

- use SQUID redirecting (bypasses my carefully thought-out Apache redirecting rules)

- Use ZEO to replicate the Data.fs on the firewall (and lose the different zope instance on the firewall)

- Move the zope instance to the firewall (if all else failed)

- use SSH tunnelling (works only for individuals with accounts on both machines)

- Use Apache's **!BrowserMatch "WebDAVFS" redirect-carefully** (not sure how to use that or if it applies in this case) 

- install !WebdavLogger Product and study what is going on (I used tcpdump instead)

- add WEBDAV_SOURCE_PORT_CLIENTS="cadaver.*" to Zope's shell environment (I did and it did not work and I would need to specify every webdav client type)

- tried webdav via regular Zope port and **/document_src** (it did not save changes)

**Solution**

My favorite solution is to use **iptables** and eventually I found the correct rules::

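 # rewrite the destination of connections arriving on the outside interface, port 9800
 iptables -t nat -A PREROUTING -i $OUTSIDE_IF -p tcp --dport 9800 -j DNAT --to-destination $INSIDE_ZOPE_IP
 # usual rules for MASQUERADING and allowing ESTABLISHED,RELATED connections
 # from inside the LAN
 # accept the redirected connections in the FORWARD chain
 iptables -A FORWARD -d $INSIDE_ZOPE_IP -p tcp --dport 9800 -j ACCEPT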

The last line is what I was missing ... 
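
To check a gateway for the same omission, this added example (not part of the original page) reads `iptables-save` output and lists every DNAT target that no FORWARD rule accepts. The sample ruleset, address and interface name are constructed; the check assumes FORWARD rules name the host and port exactly, so broader ACCEPT rules are not recognised.

```shell
# Added example: list DNAT targets that no FORWARD rule accepts.
# Reads iptables-save output on stdin; prints one "ip:port" per gap.
dnat_without_forward() {
    awk '
    # Value following option "opt" in the current rule, or "" if absent.
    function arg(opt,   i) {
        for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
        return ""
    }
    /^\*/ { table = substr($1, 2) }                  # "*nat", "*filter", ...
    table == "filter" && $1 == ":FORWARD" && $2 == "ACCEPT" { policy_accept = 1 }
    table == "nat" && $2 == "PREROUTING" && arg("-j") == "DNAT" {
        port = arg("--dport")
        if (split(arg("--to-destination"), part, ":") == 2) port = part[2]
        want[part[1] ":" port] = 1                   # where the packet ends up
    }
    table == "filter" && $2 == "FORWARD" && arg("-j") == "ACCEPT" {
        dst = arg("-d"); sub(/\/32$/, "", dst)       # iptables-save adds /32
        if (dst != "") have[dst ":" arg("--dport")] = 1
    }
    END { if (!policy_accept) for (k in want) if (!(k in have)) print k }
    ' | sort
}

# Constructed sample: ruleset with the DNAT rule but no matching FORWARD rule.
sample_before() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9800 -j DNAT --to-destination 192.168.1.10
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# The same constructed ruleset with the FORWARD rule from this page added.
sample_after() {
    sample_before | sed '$d'
    echo '-A FORWARD -d 192.168.1.10/32 -p tcp -m tcp --dport 9800 -j ACCEPT'
    echo 'COMMIT'
}

sample_before | dnat_without_forward    # prints 192.168.1.10:9800
sample_after | dnat_without_forward     # prints nothing
```

On a live gateway, run `iptables-save | dnat_without_forward` as root.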


**References**

- The posting that ultimately "solved my problem":http://www.spinics.net/lists/netfilter/msg14796.html