Apache and DNS behind the NATed firewall

This is what I did to set up Apache and DNS behind a NATed server/router.


Linux Box as Router

Author: Varinder Singh [varin312@gmail.com] January 13, 2010


Hardware modification

Installed one more network card (one is already onboard in the system).

eth0 -> Internet (DSL modem) (network
eth1 -> internal network (network


Software configuration


By default the NICs are controlled by the NetworkManager service, which on this release only takes effect while a user is logged in through the GUI. A router should not depend on anyone being logged in to a GUI (ideally it has no GUI installed at all), so stop NetworkManager and use the classic "network" service instead. The commands are:


#service NetworkManager stop

#chkconfig NetworkManager off


#service network start

#chkconfig network on


Editing the configuration files for NICs


Now configure the two NICs. There are two ways to do that:

  1. Via the GUI: System->
  2. Manually edit /etc/sysconfig/network-scripts/ifcfg-ethX for each NIC.

I used the first option, the GUI (I plan to remove the GUI once everything works).


After editing the NIC configuration, restart the network service:


#service network restart


Turn IP forwarding on

Open /etc/sysctl.conf and change the net.ipv4.ip_forward parameter from 0 to 1, so the line reads:

net.ipv4.ip_forward = 1

Run the following command to load the change into the running kernel:

#sysctl -p


For hosts on the internal network to reach the Internet through the router, enable NAT (masquerading) on the external interface and allow forwarding from the internal interface:

#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#iptables --append FORWARD --in-interface eth1 -j ACCEPT

#service iptables save

Note that the second rule only covers packets arriving on eth1. The replies coming back in on eth0 still need a FORWARD rule that accepts ESTABLISHED,RELATED state (the port-forwarding section below adds one), and because the rules are appended with -A, check with iptables -L FORWARD -v that they land before the final REJECT rule that the stock Red Hat rule set puts at the end of the FORWARD chain; otherwise they never match.






Client-side testing

On the client (a machine on the internal network) I did the following:

#service NetworkManager stop

#service network start

Configure the client's NIC with its IP:


#ifconfig eth0




Configure the DHCP server on the router


#yum install dhcp


#vim /etc/dhcpd.conf



# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see 'man 5 dhcpd.conf'

ddns-update-style interim;
ignore client-updates;

subnet  netmask  {
        option routers                  ;
        option subnet-mask              ;
        option domain-name              "meapay.com";
        option broadcast-address        ;
        option domain-name-servers      , ;
        range dynamic-bootp             ;
        default-lease-time              86400;
        max-lease-time                  172800;
}

subnet  netmask  {
        host ns {
                hardware ethernet 00:13:D3:FB:66:90;
        }
}







Home wireless router settings

  1. Disable DHCP on the wireless router, so that only the Linux box hands out leases.
  2. Change its IP address to one on your internal network.





DNS server setup


#vim /etc/named.conf




// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.

options {
        listen-on port 53 { any; };        // changed from the localhost-only default to any
        listen-on-v6 port 53 { ::1; };
        directory          "/var/named";
        dump-file          "/var/named/data/cache_dump.db";
        statistics-file    "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };          // changed to any
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside . trust-anchor dlv.isc.org.;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

// declaration of the forward and reverse zones
zone "meapay.com" IN {
        type master;
        file "meapay.db";
};

zone "0.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.0.db";
};

include "/etc/pki/dnssec-keys//named.dnssec.keys";
include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";

With listen-on any and allow-query any, and recursion yes left at the default, this server answers recursive queries from any address that can reach port 53, not only from the internal network. That is what the internal clients need, but on the Internet side it turns the box into an open resolver that can be used as a reflector for DNS amplification floods. Limit recursion to the internal network with an allow-recursion statement (localhost plus 172.16.0.0/24, the network the reverse zone covers), or limit allow-query the same way if the zone never needs to be visible from outside; the firewall rules further down decide whether port 53 is reachable from eth0 at all. The dnssec-lookaside line refers to ISC's DLV registry, which has since been decommissioned, so drop it on any current BIND.




#vim /var/named/meapay.db

(The directory option in named.conf is /var/named, so a relative file name such as "meapay.db" is looked up there, not under /etc/named.)



$TTL 1D
@       IN SOA  ns.meapay.com. root.ns.meapay.com. (
                        1       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum

        IN NS   ns.meapay.com.
ns.meapay.com.  IN A    




#vim /var/named/172.16.0.db



$TTL 1D
@       IN SOA  ns.meapay.com. root.meapay.com. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum

        IN NS   ns.meapay.com.
        IN PTR  ns.meapay.com.
;       IN PTR  station88.meapay.com.
;       IN PTR  station99.meapay.com.
;       IN PTR  station11.meapay.com.

Each PTR record must be owned by the last octet of the host's address; the record lines above are shown without their owner field. Run named-checkconf on named.conf and named-checkzone on each zone file before restarting named: a zone that fails to load is silently skipped, and clients then get SERVFAIL for every name in it.



Open port 53 on the firewall so that clients can reach the name server:

#iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT

#iptables -I INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

#service iptables save

Because they are inserted with -I, these rules sit at the top of the INPUT chain and take effect regardless of what follows. As written, though, they accept DNS on every interface, eth0 included, and combined with listen-on any, allow-query any and recursion yes in named.conf the box answers recursive queries for anyone on the Internet: an open resolver that gets abused for DNS amplification. If the server only needs to serve the internal network, add the --in-interface option (eth1) to both rules; if meapay.com must be reachable from outside, keep port 53 open but restrict recursion in named.conf to the internal network.
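To confirm from the outside that the name server is not handing out recursion to the Internet, ask it, from a host that is not on the internal network, for a name it is not authoritative for, and look at the status and the ra flag in dig's reply. The script below is an added example and not part of the original post: dig_classify reads dig output and reports open-resolver, refused, no-recursion or unreachable, and check_resolver runs dig against a given server address. www.example.com stands in for any name outside meapay.com, 203.0.113.1 is a placeholder for the router's public address, and the SAMPLE_* dig headers are constructed for the demonstration rather than captured from the author's server.

```shell
#!/bin/sh
# Added example (not from the original post): classify a DNS server's
# answer to a recursive query for a name outside its own zones.
# Needs only dig and awk; the SAMPLE_* strings are constructed test data.

# Read `dig` output on stdin and print one of:
#   open-resolver  - ra set, NOERROR and an answer: recursion is served to us
#   refused        - status REFUSED: recursion (or all queries) denied to us
#   no-recursion   - answered without ra (authoritative-only behaviour)
#   unreachable    - no reply at all (filtered by the firewall, or down)
dig_classify() {
    awk '
        /connection timed out|no servers could be reached/ { status = "TIMEOUT" }
        /->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0 }
        /^;; flags:/ {
            ra = ($0 ~ / ra[; ]/)
            sub(/.*ANSWER: /, ""); sub(/,.*/, ""); answers = $0 + 0
        }
        END {
            if (status == "TIMEOUT")                            print "unreachable"
            else if (status == "REFUSED")                       print "refused"
            else if (ra && status == "NOERROR" && answers > 0)  print "open-resolver"
            else                                                print "no-recursion"
        }'
}

# Query SERVER for a name it is not authoritative for (placeholder name).
# Run this from outside the LAN, against the router's public address.
check_resolver() {
    server="$1"
    dig @"$server" www.example.com A +tries=1 +time=3 | dig_classify
}

# Constructed dig header fragments for the answer shapes we care about.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4660
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4661
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_AUTH_ONLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4662
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

for s in "$SAMPLE_OPEN" "$SAMPLE_REFUSED" "$SAMPLE_AUTH_ONLY" "$SAMPLE_TIMEOUT"; do
    printf '%s\n' "$s" | dig_classify
done
# Real check against the router's public address (needs network):
#   check_resolver 203.0.113.1
```

Seen from a host on the Internet, "refused" or "unreachable" is the result you want; "no-recursion" is fine for an authoritative-only setup; "open-resolver" means the port-53 rules or the allow-recursion setting need tightening. Run the same check from a LAN host afterwards to confirm that internal clients still get "open-resolver", since for them recursion is the point.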

Authors: Varinder Singh, Harpinder Singh (woke up)

Date: March 27, 2010 (3:25 AM)



Port forwarding on the Linux firewall (router) for Apache

DNAT the packets that arrive at the router for port 80 so that they are forwarded to Apache, which listens on port 8080 on the internal host:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d xx.xx.xx.xx(real IP of my router, assigned by the ISP) --dport 80 --sport 1024:65535 -j DNAT --to

After DNAT the forwarded packets still have to be allowed through the FORWARD chain:

iptables -A FORWARD -p tcp -i eth0 -o eth1 -d --dport 8080 --sport 1024:65535 -m state --state NEW -j ACCEPT

iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Two caveats. The --sport 1024:65535 match adds no protection, since the remote client chooses its own source port, and it can only break the occasional legitimate client that uses a low one, so it is better left out. And the rule that accepts NEW connections out of eth0 applies to the Apache host as well: if Apache is ever compromised, that rule is what gives the attacker unrestricted outbound access from the web server, so consider limiting it to the hosts and ports that really need to initiate connections to the Internet.
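Pulling the NAT rules, the DNS rules and the port forward above into one script gives a rule set that can be reviewed as a whole and re-applied after a reboot. This is an added example, not the author's rule set: it assumes eth0 faces the DSL modem and eth1 the LAN, takes the LAN to be 172.16.0.0/24 (the network the 0.16.172.in-addr.arpa reverse zone covers), and uses 172.16.0.10 as a made-up address for the Apache host and 203.0.113.1 (a documentation-range address) as a stand-in for the ISP-assigned public IP; all of these are environment variables. It differs from the rules in the post in three deliberate ways: INPUT and FORWARD default to DROP, DNS and SSH are accepted on eth1 only, and packets arriving on eth0 with an internal source address are dropped.

```shell
#!/bin/sh
# Added example, not the original post's rules: one complete rule set for
# the Linux router above (NAT, forwarding, DNS from the LAN only, and the
# port forward to Apache).  All addresses below are assumptions: the LAN
# is inferred from the reverse zone, 172.16.0.10 is a made-up Apache host
# and 203.0.113.1 is a documentation-range placeholder for the public IP.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LANNET="${LANNET:-172.16.0.0/24}"
WEB="${WEB:-172.16.0.10}"
PUBIP="${PUBIP:-203.0.113.1}"
DRY_RUN="${DRY_RUN:-1}"      # DRY_RUN=0 sh router-rules.sh   (as root) applies

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

router_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1     # kernel-side anti-spoofing

    # Flush and start from default-deny for traffic to and through the router.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Nothing on the WAN side may claim an internal source address.
    run iptables -A INPUT   -i "$WAN" -s "$LANNET" -j DROP
    run iptables -A FORWARD -i "$WAN" -s "$LANNET" -j DROP

    # Loopback, and replies to connections the router itself opened.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m state --state INVALID -j DROP

    # Services the router offers, reachable from the LAN interface only:
    # SSH, DNS (udp and tcp) and DHCP (DISCOVER comes from 0.0.0.0, so no -s).
    run iptables -A INPUT -i "$LAN" -s "$LANNET" -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LANNET" -p udp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LANNET" -p tcp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT

    # Masquerade LAN traffic leaving on the DSL link.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LANNET" -j MASQUERADE

    # Forwarding: replies first, then LAN -> Internet; anything else is dropped.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LANNET" -j ACCEPT

    # Port forward public :80 to Apache on WEB:8080, then allow that new flow.
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp -d "$PUBIP" --dport 80 \
        -j DNAT --to-destination "$WEB:8080"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB" --dport 8080 \
        -m state --state NEW -j ACCEPT
}

router_rules
```

By default (DRY_RUN=1) the script only prints the sysctl and iptables commands, so the rule set can be read and diffed before anything changes; DRY_RUN=0 sh router-rules.sh as root applies it, after which service iptables save keeps it across reboots. Run it from the console rather than over SSH from the Internet side, because the INPUT policy of DROP would cut that session off.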



There is a lot of room to improve this. Please comment if you find errors and I will try to correct them.


Reference: http://www.Linuxhomenetworking.com

