Next: , Previous: , Up: Use cases   [Contents][Index]

6.2 Configuration behind a firewall

This configuration is needed when you cannot install mediatex on the router of your private network (the bellow configuration cannot serves collections hosted on the true gateway as ssh/config file cannot handle 2 ports for the same hostname).

Mediatex must be configured as if it was hosted on the gateway.


host     GW
mdtxPort 6562
sshPort  2222
wwwPort  4443

iptables rules for GATEWAY:

-t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to $HOST:22
-t nat -A PREROUTING -p tcp --dport 4443 -j DNAT --to $HOST:443
-t nat -A PREROUTING -p tcp --dport 6562 -j DNAT --to $HOST:6562
-A FORWARD -i $WWW_NET -o $LOCAL_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -i $WWW_NET -o $LOCAL_NET -p tcp --dport 443 -j ACCEPT
-A FORWARD -i $WWW_NET -o $LOCAL_NET -p tcp --dport 6562 -j ACCEPT

Locally if your server own collections, you will have to skip the gateway. (GW must match the gateway’s IP address on the WWW_NET interface)

iptables rules for HOST:

-t nat -A OUTPUT -p tcp -d $GW --dport 2222 -j DNAT --to $HOST:22
-t nat -A OUTPUT -p tcp -d $GW --dport 4443 -j DNAT --to $HOST:443
-t nat -A OUTPUT -p tcp -d $GW --dport 6561 -j DNAT --to $HOST:6561


# force https
RewriteEngine On
RewriteCond %{SERVER_PORT} !^4443$
RewriteCond %{SERVER_PORT} !^443$
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]