This configuration is needed when you cannot install mediatex on the router of your private network (the configuration below cannot serve collections hosted on the true gateway, as the ssh/config file cannot handle 2 ports for the same hostname).
Mediatex must be configured as if it were hosted on the gateway.
/etc/mediatex/mdtx.conf:
host GW mdtxPort 6562 sshPort 2222 wwwPort 4443
iptables rules for GATEWAY:
-t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to $HOST:22
-t nat -A PREROUTING -p tcp --dport 4443 -j DNAT --to $HOST:443
-t nat -A PREROUTING -p tcp --dport 6562 -j DNAT --to $HOST:6562
-A FORWARD -i $WWW_NET -o $LOCAL_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -i $WWW_NET -o $LOCAL_NET -p tcp --dport 443 -j ACCEPT
-A FORWARD -i $WWW_NET -o $LOCAL_NET -p tcp --dport 6562 -j ACCEPT
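The gateway rules above can be derived from the mdtx.conf host line, so the forwarded ports cannot drift away from what mediatex announces. This is an added example, not part of the mediatex documentation; the gw_rules function name, the 192.168.0.10 host address and the eth0/eth1 interface names are assumptions.

```shell
#!/bin/sh
# Added example: derive the GATEWAY rules from the mdtx.conf "host" line.
# gw_rules CONF_LINE HOST_IP WWW_IF LOCAL_IF
# Prints one iptables argument list per line; returns 1 on malformed input.
gw_rules() {
    conf=$1 host=$2 www_if=$3 local_if=$4
    mdtx='' ssh='' www=''
    set -f; set -- $conf; set +f        # split on whitespace, no globbing
    [ $# -ge 2 ] && [ "$1" = host ] || return 1
    shift 2                             # drop "host" and the gateway name
    while [ $# -ge 2 ]; do
        case $1 in
            mdtxPort) mdtx=$2 ;;
            sshPort)  ssh=$2 ;;
            wwwPort)  www=$2 ;;
            *) return 1 ;;
        esac
        shift 2
    done
    # Every port must be a number in 1..65535.
    for p in "$mdtx" "$ssh" "$www"; do
        case $p in ''|*[!0-9]*|??????*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    # Refuse anything that could smuggle extra iptables arguments.
    case $host in ''|*[!0-9.]*) return 1 ;; esac
    for i in "$www_if" "$local_if"; do
        case $i in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    done
    # External port -> internal port, as on this page (ssh 22, https 443).
    for pair in "$ssh:22" "$www:443" "$mdtx:$mdtx"; do
        echo "-t nat -A PREROUTING -p tcp --dport ${pair%%:*} -j DNAT --to $host:${pair##*:}"
    done
    for port in 22 443 "$mdtx"; do
        echo "-A FORWARD -i $www_if -o $local_if -p tcp --dport $port -j ACCEPT"
    done
}

# Constructed sample values: host address and interface names are assumptions.
gw_rules "host GW mdtxPort 6562 sshPort 2222 wwwPort 4443" 192.168.0.10 eth0 eth1
```

Each printed line is an argument list to pass to iptables on the gateway; the function only prints and never changes the firewall itself.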
Locally, if your server owns collections, you will have to skip the gateway (GW must match the gateway's IP address on the WWW_NET interface).
iptables rules for HOST:
-t nat -A OUTPUT -p tcp -d $GW --dport 2222 -j DNAT --to $HOST:22
-t nat -A OUTPUT -p tcp -d $GW --dport 4443 -j DNAT --to $HOST:443
-t nat -A OUTPUT -p tcp -d $GW --dport 6561 -j DNAT --to $HOST:6561
~mdtx-coll/public_html/.htaccess:
# force https
RewriteEngine On
RewriteCond %{SERVER_PORT} !^4443$
RewriteCond %{SERVER_PORT} !^443$
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]