Webdav_NAT

Webdav NAT Redirection to inside Firewall

Problem: The Zope website is inside the firewall, and no one can reach it via port 9800. Redirection via Apache (or the redirector object) works fine for rendered access, but source-link access was not happening.

Possible Solutions: first I listed all the options I could think of (and their negative attributes in parentheses):

  • use iptables (initially could not get it to work)
  • use Apache Redirect and ProxyPass rules (not proper Webdav protocol; uses http only)
  • use Redirection product (still no source-link access)
  • use ExternalFile product and FTP (untested by me)
  • find a WebDAV client that understands source-link (I have not yet found one)
  • use SQUID redirecting (bypasses my carefully thought-out Apache redirecting rules)
  • Use ZEO to replicate the Data.fs on the firewall (and lose the different zope instance on the firewall)
  • Move the zope instance to the firewall (if all else failed)
  • use SSH tunnelling (works only for individuals with accounts on both machines)
  • Use Apache's BrowserMatch "WebDAVFS" redirect-carefully (not sure how to use that or if it applies in this case)
  • install WebdavLogger Product and study what is going on (I used tcpdump instead)
  • add WEBDAV_SOURCE_PORT_CLIENTS="cadaver.*" to Zope's shell environment (I did and it did not work and I would need to specify every WebDAV client type)
  • tried WebDAV via regular Zope port and /document_src (it did not save changes)

Solution

My favorite solution is to use iptables and eventually I found the correct rules:

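 # rewrite the destination of port-9800 traffic arriving on the outside interface
 iptables -t nat -A PREROUTING -i $OUTSIDE_IF -p tcp --dport 9800 -j DNAT --to-destination $INSIDE_ZOPE_IP
 # usual rules for MASQUERADING and allowing ESTABLISHED,RELATED connections
 # from inside the LAN
 # let the redirected (new) connections through the filter table's FORWARD chain
 iptables -A FORWARD -d $INSIDE_ZOPE_IP -p tcp --dport 9800 -j ACCEPT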

The last line is what I was missing ...
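
The failure described above (a DNAT rule with no matching FORWARD accept) can be detected from `iptables-save` output. The following is an added example, not part of the original page: it assumes a complete `iptables-save` dump including the filter table, single-address DNAT targets and single-port matches, and the interface name and addresses in the sample are constructed placeholders.

```python
import ipaddress
import shlex

# Constructed iptables-save output (interface and addresses are placeholders):
# the DNAT rule exists, but FORWARD only passes established traffic.
SAMPLE = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9800 -j DNAT --to-destination 192.168.1.10
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def rules(save_text):
    """Yield (table, chain, options) per rule or chain policy; '!' is ignored."""
    table = None
    for line in save_text.splitlines():
        tok = shlex.split(line)
        if line.startswith("*"):
            table = tok[0][1:]
        elif line.startswith(":"):
            yield table, tok[0][1:], {"policy": tok[1]}
        elif tok[:1] == ["-A"]:
            yield table, tok[1], {a: b for a, b in zip(tok[2:], tok[3:]) if a.startswith("-")}

def forward_allows(opts, ip, proto, port):
    """True if this FORWARD rule accepts NEW connections to ip:port."""
    state = opts.get("--state") or opts.get("--ctstate")
    if opts.get("-j") != "ACCEPT" or (state and "NEW" not in state.split(",")):
        return False
    dst = ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False)
    return (ipaddress.ip_address(ip) in dst and opts.get("-p", proto) == proto
            and opts.get("--dport", port) == port)

def blocked_dnat(save_text):
    """Return [(ip, port)] DNAT targets that no FORWARD rule lets through."""
    parsed = list(rules(save_text))
    fwd = [o for t, c, o in parsed if (t, c) == ("filter", "FORWARD")]
    if any(o.get("policy") == "ACCEPT" for o in fwd):
        return []  # policy ACCEPT: nothing is dropped for lack of a rule
    out = []
    for t, c, o in parsed:
        if (t, c, o.get("-j")) == ("nat", "PREROUTING", "DNAT"):
            ip, _, port = o["--to-destination"].partition(":")
            port, proto = port or o.get("--dport", ""), o.get("-p", "")
            if not any(forward_allows(f, ip, proto, port) for f in fwd):
                out.append((ip, port))
    return out
```

Because the filter table sees the packet after DNAT, the check compares FORWARD rules against the translated address and port, not the ones the client dialled.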
