Linux - Laptop and Netbook
I want to host a web server on 10.0.10.6 from my internal LAN to be accessible from outside my LAN (the internet) via port 80.
I am assuming I need to forward port 80 on my gateway to port 80 in my internal web server. (please correct me if I am wrong or if I have any other option).
I run the following commands on my gateway to forward and NAT both incoming and outgoing traffic to my web server but I still can't reach my web server from outside.
You should have more rules or at least set up the default profile to drop for safety reasons.
If your external IP is a DHCP address you should use MASQUERADE on the outbound rule.
You should stick to one format for your rules, for example:
Code:
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m tcp -i eth0 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.10.6
iptables -t nat -A POSTROUTING -p tcp -m tcp -o eth0 -j SNAT --to-source <External IP Address>
My reason for more rules or a default of drop is that you are open, and if this box has any ports open they are also open to the internet.
As a rule set, I would suggest the following:
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.10.6
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -p tcp -m tcp -i eth0 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
iptables -A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
Mind you, the last OUTPUT rule is not really required, but it comes in handy when you are checking your connections as it will list all your outbound connections in the db. The above allows everything out no matter where it is coming from on the inside and only allows new connections from the internet to your web server. This is very useful for when you do updates so that the server can request the updates from the repos while blocking all new connections from the internet.
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
43 9205 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
1 328 ACCEPT udp -- eth1 any anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
17 1188 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
1 52 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain
180 27964 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6479 3665K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
1311 152K ACCEPT all -- eth1 any anywhere anywhere ctstate NEW
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:http ctstate NEW
20 860 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 58 packets, 4366 bytes)
pkts bytes target prot opt in out source destination
180 33653 ACCEPT all -- any any anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
I just added a few more rules to open ports for DNS and DHCP internally. It should have no effect on the NAT and FORWARD rules whatsoever. Different tables 😜
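In the listing above, the INPUT chain's `tcp dpt:http` ACCEPT sits after the catch-all REJECT, so iptables never evaluates it. The following checker is an added example, not code from the thread: it parses `iptables -L -v` output and reports any rule shadowed by an earlier unconditional DROP/REJECT, using a sample trimmed from the listing posted above.

```python
import re

# `iptables -L -v` listing trimmed from the thread: INPUT's http ACCEPT follows the catch-all REJECT.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   43  9205 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
  180 27964 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
    0     0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 6479 3665K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
    0     0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:http ctstate NEW
   20   860 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
"""

def parse_chains(text):
    """Map chain name -> list of rule dicts, parsed from `iptables -L -v` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)  # built-in or user-defined chain header
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        f = line.split()
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        chains[current].append({"target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                                "src": f[7], "dst": f[8], "extra": " ".join(f[9:]), "text": " ".join(f)})
    return chains

def is_catch_all(rule):
    """True for a DROP/REJECT rule with no match at all, so every packet ends here."""
    return (rule["target"] in ("DROP", "REJECT") and rule["prot"] == "all"
            and rule["in"] == rule["out"] == "any"
            and rule["src"] == rule["dst"] == "anywhere"
            and (rule["extra"] == "" or rule["extra"].startswith("reject-with ")))

def shadowed_rules(text):
    """Return (chain, rule) pairs for rules placed after a catch-all terminal rule."""
    found = []
    for chain, rules in parse_chains(text).items():
        blocked = False
        for rule in rules:
            if blocked:
                found.append((chain, rule["text"]))
            elif is_catch_all(rule):
                blocked = True
    return found
```

Run it against `iptables -L -v` output from your own gateway; a non-empty result means the rule must be inserted with `-I` above the catch-all rather than appended with `-A`.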
Not yet. I have now noticed telnet works for some ports from outside and doesn't work for others, including port 80, telling me there's a firewall on the EPON that connects to the ISP that is blocking some incoming traffic and is turned on by default. I am looking to get support from my ISP in the next few days.