Old 08-27-2005, 12:51 PM   #1
[IPTABLES] open ext access to web server on GW server

[SOLVED! See last post]

Hi !

I have a Zope web server running fine on my LAN gateway/firewall PC,
but I have found it impossible to open access to this web server from outside the LAN.

* Here is the LAN:

Static IP ethernet ADSL modem
[eth0] gateway/firewall PC with iptables & Zope Web Server [eth1]

gateway/firewall PC's /etc/hosts file is:
Code:                       localhost                       llewellyn
* Here is the IPTABLES rule that I thought would allow access to the Web Server on the gateway/firewall PC:
iptables -A INPUT -p tcp -i eth0 --dport [Server_Port] --sport 1024: \
  -m state --state NEW -j ACCEPT
Now, that server is awfully inaccessible from outside (many of my relatives were requested to give it a try).

Despite this, I have full access to it from a LAN PC using the public IP:PORT.

I'm way too new to IPTABLES to analyze the logs, but here's what I see when a guy tries to access the Web server:
Aug 26 20:59:31 llewellyn IN=eth0 OUT= MAC=00:40:f4:49:e6:3e:00:07:cb:02:3c:3e:08:00 
	LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=22867 DF PROTO=TCP
	WINDOW=64800 RES=0x00 ACK URGP=0
where 60.16.83.XXX is that guy's IP and 82.67.96.XX my static IP,
3442 that guy's source port and XXXX the port my web server is listening on.

Any advice would be really appreciated

Last edited by kozaki; 08-27-2005 at 06:13 PM.
Old 08-27-2005, 04:05 PM   #2
What do your OUTPUT rules look like? You need to allow the answers out.
Old 08-27-2005, 04:29 PM   #3
Original Poster

Mara, of course, yes!

Here it is (I only changed the line lengths):
# Allow all bidirectional traffic from your firewall to the protected network
# - Interface eth1 is the private network interface

iptables -A INPUT   -j ACCEPT -p all -s -i eth1
iptables -A OUTPUT  -j ACCEPT -p all -d -o eth1

# -------------------------------------------------------------
# [4] Allowing WWW And SSH Access To Your Firewall
# -------------------------------------------------------------

# This sample snippet is for a firewall that doubles as a web server that is managed remotely by its system administrator via secure shell (SSH) sessions.
# Inbound packets destined for ports 80 and 22 are allowed thereby making the first steps in establishing a connection.
# It isn't necessary to specify these ports for the return leg as outbound packets for all established connections are allowed.
# Connections initiated by persons logged into the Web server will be denied as outbound NEW connection packets aren't allowed.

# Allow previously established connections
# - Interface eth0 is the internet interface

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
IPtables script source: Peter Harrison,

Wouldn't one think it is enough for my purpose (access to the server on the gateway)?
Old 08-27-2005, 06:11 PM   #4
Original Poster

This double instruction (OUTPUT authorized for Established,Related & INPUT for New) should have been sufficient, shouldn't it?

Allllllllright, I found an *interesting* script for configuring / debugging IPtables: Arno's IPtables-firewall.
Now the Web Server is open (and other rules that worked fine are still there).
Plus, this script really makes it much easier to edit IPtables rules, and prints easy-to-read logs:
Aug 28 02:08:47 gateway Connection attempt (UNPRIV): IN=eth0 OUT= MAC=... SRC=222.141.102.X DST=82.67.96.XX LEN=500 TOS=0x00 PREC=0x00 TTL=39 ID=0 DF PROTO=UDP SPT=44091 DPT=1026 LEN=480
Aug 28 02:08:48 gateway Connection attempt (PRIV): IN=eth0 OUT= MAC=... SRC=82.67.133.XXX DST=82.67.96.XX LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=36772 DF PROTO=TCP SPT=3294 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=
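As an added example (not code from this thread or from Arno's script), here is a small Python parser for the netfilter LOG lines quoted in post #1 and post #4: it splits each line into its KEY=VALUE fields and bare flag tokens, then says which conntrack state (NEW or ESTABLISHED) an accepting rule would have to match, which is exactly the INPUT/OUTPUT question the thread turns on. The sample lines are constructed from the thread's format with RFC 5737 documentation addresses in place of the masked IPs.

```python
# Constructed sample lines modelled on the thread's netfilter LOG output.
# Addresses are RFC 5737 documentation ranges, not the poster's masked IPs.
SAMPLE_LOG = """\
Aug 26 20:59:31 llewellyn IN=eth0 OUT= MAC=00:40:f4:49:e6:3e:00:07:cb:02:3c:3e:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=22867 DF PROTO=TCP SPT=3442 DPT=8080 WINDOW=64800 RES=0x00 ACK URGP=0
Aug 28 02:08:47 gateway Connection attempt (UNPRIV): IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=198.51.100.2 LEN=500 TOS=0x00 PREC=0x00 TTL=39 ID=0 DF PROTO=UDP SPT=44091 DPT=1026 LEN=480
Aug 28 02:08:48 gateway Connection attempt (PRIV): IN=eth0 OUT= MAC=... SRC=203.0.113.10 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=36772 DF PROTO=TCP SPT=3294 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Bare tokens the LOG target emits without a value: IP header bits and TCP flags.
FLAG_TOKENS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Split one LOG line into KEY=VALUE fields plus the set of bare flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep and key.isupper():
            fields.setdefault(key, val)  # keep the IP-level LEN=, not the inner UDP LEN=
        elif tok in FLAG_TOKENS:
            flags.add(tok)
    return fields, flags

def classify(fields, flags):
    """Describe the packet and which conntrack state an accepting rule must match."""
    proto = fields.get("PROTO")
    if proto == "TCP":
        if "SYN" in flags and "ACK" not in flags:
            kind = "NEW: initial SYN, needs an INPUT rule with --state NEW (or --syn)"
        elif "SYN" in flags:
            kind = "SYN-ACK: reply to a connection this host opened"
        else:
            kind = ("non-SYN segment: ESTABLISHED if conntrack knows the flow, "
                    "otherwise NEW (tcp_loose=1) or INVALID (tcp_loose=0)")
    elif proto == "UDP":
        kind = "UDP: NEW until a reply is seen, then ESTABLISHED"
    else:
        kind = f"{proto}: see conntrack handling for this protocol"
    return {"in": fields.get("IN"), "src": fields.get("SRC"), "proto": proto,
            "dpt": fields.get("DPT"), "kind": kind}

def summarize(log_text):
    # Classify every LOG line in a block of text; lines without PROTO= are skipped.
    out = []
    for line in log_text.splitlines():
        fields, flags = parse_log_line(line)
        if "PROTO" in fields:
            out.append(classify(fields, flags))
    return out
```

Running summarize(SAMPLE_LOG) shows that the post #1 line carries ACK without SYN (a mid-connection segment, not a connection attempt), while the DPT=445 line in post #4 is a bare SYN that only a `--state NEW` rule would accept.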

