Webdav NAT Redirection to inside Firewall
Problem: The Zope website is inside the firewall, and no one can reach it via port 9800. Redirection via Apache (or the redirector object) works fine for rendered access, but source-link access was not happening.
Possible solutions: First I listed all the options I could think of (and their negative attributes in parentheses):
- use iptables (initially could not get it to work)
- use Apache Redirect and ProxyPass rules (not proper Webdav protocol; uses http only)
- use Redirection product (still no source-link access)
- use ExternalFile product and FTP (untested by me)
- find a webdav client that understands source-link (I have not yet found one)
- use SQUID redirecting (bypasses my carefully thought-out apache redirecting rules)
- Use ZEO to replicate the Data.fs on the firewall (and lose the different zope instance on the firewall)
- Move the zope instance to the firewall (if all else failed)
- use SSH tunnelling (works only for individuals with accounts on both machines)
- Use Apache's BrowserMatch "WebDAVFS" redirect-carefully (not sure how to use that or if it applies in this case)
- install WebdavLogger Product and study what is going on (I used tcpdump instead)
- add WEBDAV_SOURCE_PORT_CLIENTS="cadaver.*" to zope's shell environment (I did and it did not work and I would need to specify every webdav client type)
- tried webdav via regular zope port and /document_src (it did not save changes)
Solution
My favorite solution is to use iptables and eventually I found the correct rules:
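    # $OUTSIDE_IP is a placeholder for the firewall's external address
    # (assumed; the -d value is not given on this page)
    iptables -t nat -A PREROUTING -i $OUTSIDE_IF -p tcp --dport 9800 -d $OUTSIDE_IP -j DNAT --to $INSIDE_ZOPE_IP
    # usual rules for MASQUERADING and allowing ESTABLISHED,RELATED connections
    # from inside the LAN
    iptables -A FORWARD -d $INSIDE_ZOPE_IP -p tcp --dport 9800 -j ACCEPT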
The last line is what I was missing ...
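A check for the mistake described above (a DNAT rule with no matching FORWARD rule), added here as an example and not part of the original post: it reads `iptables-save` text and lists every DNAT target that the FORWARD chain would not let through. The function name, interface name, addresses and both sample dumps are constructed for illustration.

```shell
# Reads iptables-save text on stdin and prints "ip:port" for every PREROUTING
# DNAT rule whose inside target has no ACCEPT rule in FORWARD (IPv4 only).
find_unforwarded_dnat() {
  awk '
    # Value that follows option "opt" on the current rule line, or "".
    function arg(opt,   i) {
      for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
      return ""
    }
    /^\*/ { table = substr($1, 2) }                      # "*nat", "*filter"
    table == "filter" && $1 == ":FORWARD" { policy = $2 }
    table == "nat" && $1 == "-A" && $2 == "PREROUTING" && arg("-j") == "DNAT" {
      to = arg("--to-destination"); port = arg("--dport")
      if (split(to, part, ":") == 2) { to = part[1]; port = part[2] }  # port rewritten too
      dnat[to ":" port] = 1
    }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" && arg("-j") == "ACCEPT" {
      dst = arg("-d"); sub(/\/32$/, "", dst); fport = arg("--dport")
      if (dst != "" && fport == "") anyport[dst] = 1     # whole host allowed
      else if (dst != "") allowed[dst ":" fport] = 1
    }
    END {
      if (policy == "ACCEPT") exit                       # default-accept chain
      for (k in dnat) {
        split(k, p, ":")
        if (!(k in allowed) && !(p[1] in anyport)) print k
      }
    }
  '
}

# Constructed iptables-save dumps: the ruleset before and after the FORWARD fix.
COMMON='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9800 -j DNAT --to-destination 192.168.0.10
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
BROKEN="$COMMON
COMMIT"
FIXED="$COMMON
-A FORWARD -d 192.168.0.10/32 -p tcp -m tcp --dport 9800 -j ACCEPT
COMMIT"

printf '%s\n' "$BROKEN" | find_unforwarded_dnat
printf '%s\n' "$FIXED" | find_unforwarded_dnat
```

On a live firewall the same function can be fed from `iptables-save` run as root; FORWARD rules that match by interface or port alone, without `-d`, are not recognised by this check.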
References
- The posting that ultimately solved my problem