LinuxQuestions.org
Old 08-27-2005, 12:51 PM   #1
kozaki
Member
 
Registered: Jun 2004
Location: France, UE
Distribution: Arch Linux, Mandriva x86_64, Knoppix (Kaella), Ubuntu, ...
Posts: 97

Rep: Reputation: 16
[IPTABLES] open ext access to web server on GW server


[SOLVED! See last post]

Hi!

I have a Zope Web Server running fine on my LAN gateway/firewall PC,
but I found it impossible to open access to this Web Server from outside the LAN.

* Here is the LAN :

Static IP ethernet ADSL modem
|
|
[eth0] gateway/firewall PC with iptables & Zope Web Server [eth1]
|
|
LAN

gateway/firewall PC's /etc/hosts file is :
Code:
127.0.0.1                       localhost
127.0.0.1                       llewellyn
* Here is the IPTABLES rule that I thought would allow access to the Web Server on the gateway/firewall PC :
Code:
iptables -A INPUT -p tcp -i eth0 --dport [Server_Port] --sport 1024: \
  -m state --state NEW -j ACCEPT
Now, that server is awfully inaccessible from outside (many of my relatives were asked to give it a try).

Despite that, I have full access to it from a LAN PC using the public IP:PORT.

I'm way too new to IPTABLES to analyze the logs, but here's what I see when a guy tries to access the Web server:
Code:
Aug 26 20:59:31 llewellyn IN=eth0 OUT= MAC=00:40:f4:49:e6:3e:00:07:cb:02:3c:3e:08:00 
	SRC=60.16.83.XXX
	DST=82.67.96.XX
	LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=22867 DF PROTO=TCP
	SPT=3442
	DPT=XXXX
	WINDOW=64800 RES=0x00 ACK URGP=0
where 60.16.83.XXX is that guy's IP and 82.67.96.XX my static IP,
and
3442 that guy's source port and XXXX the port my web server is listening on.


Any advice would be really appreciated

Last edited by kozaki; 08-27-2005 at 06:13 PM.
 
Old 08-27-2005, 04:05 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,539

Rep: Reputation: 149
What do your OUTPUT rules look like? You need to allow the answers out.
 
Old 08-27-2005, 04:29 PM   #3
kozaki
Member
 
Registered: Jun 2004
Location: France, UE
Distribution: Arch Linux, Mandriva x86_64, Knoppix (Kaella), Ubuntu, ...
Posts: 97

Original Poster
Rep: Reputation: 16

Mara, yes, of course!

Here it is (I only changed the line lengths):
Code:
#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the protected network
# - Interface eth1 is the private network interface
#---------------------------------------------------------------

iptables -A INPUT   -j ACCEPT -p all -s 192.168.0.0/24 -i eth1
iptables -A OUTPUT  -j ACCEPT -p all -d 192.168.0.0/24 -o eth1


# -------------------------------------------------------------
# [4] Allowing WWW And SSH Access To Your Firewall
# -------------------------------------------------------------

# This sample snippet is for a firewall that doubles as a web server that is managed remotely by its system administrator via secure shell (SSH) sessions.
# Inbound packets destined for ports 80 and 22 are allowed thereby making the first steps in establishing a connection.
# It isn't necessary to specify these ports for the return leg as outbound packets for all established connections are allowed.
# Connections initiated by persons logged into the Web server will be denied as outbound NEW connection packets aren't allowed.

#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
IPtables script source : Peter Harrison, www.linuxhomenetworking.com

Wouldn't one think it is enough for my purpose (access to the server on the gateway)?
 
Old 08-27-2005, 06:11 PM   #4
kozaki
Member
 
Registered: Jun 2004
Location: France, UE
Distribution: Arch Linux, Mandriva x86_64, Knoppix (Kaella), Ubuntu, ...
Posts: 97

Original Poster
Rep: Reputation: 16

This double instruction (OUTPUT authorized for ESTABLISHED,RELATED and INPUT for NEW) should have been sufficient, shouldn't it?

Allllllllright, I found an *interesting* script for configuring / debugging IPtables: Arno's IPtables-firewall.
Now the Web Server is open (and the other rules that worked fine are still there).
Plus, this script really makes editing IPtables much easier, and prints easy-to-read logs:
Quote:
Aug 28 02:08:47 gateway Connection attempt (UNPRIV): IN=eth0 OUT= MAC=... SRC=222.141.102.X DST=82.67.96.XX LEN=500 TOS=0x00 PREC=0x00 TTL=39 ID=0 DF PROTO=UDP SPT=44091 DPT=1026 LEN=480
Aug 28 02:08:48 gateway Connection attempt (PRIV): IN=eth0 OUT= MAC=... SRC=82.67.133.XXX DST=82.67.96.XX LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=36772 DF PROTO=TCP SPT=3294 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=
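A minimal stateful ruleset for the setup in this thread plus a small triage helper for netfilter LOG lines, added here as an example (not the thread's script and not Peter Harrison's). It assumes eth0 faces the Internet, uses port 80 as a stand-in for the thread's [Server_Port], and prints the rules by default instead of applying them. Note that INPUT gets its own ESTABLISHED,RELATED rule, which the snippet in post #3 shows only for OUTPUT, and that the helper classifies the ACK-only packet logged in post #1 as mid-stream traffic rather than a new connection.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: eth0 faces the
# Internet, eth1 the LAN, WEB_PORT stands in for the thread's [Server_Port].
# IPT defaults to a dry run that prints the rules; set IPT=iptables to apply.
WEB_PORT="${WEB_PORT:-80}"
IPT="${IPT:-echo iptables}"

# Stateful ruleset for a web server running on the gateway itself.
# INPUT needs its own ESTABLISHED,RELATED rule: only the client's first SYN
# is NEW; its handshake ACK and every later data packet are ESTABLISHED.
gateway_ruleset() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport "$WEB_PORT" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i eth0 -j LOG --log-prefix "GW-DROP: "
}

# Triage a netfilter LOG line by its TCP flag tokens: a SYN without ACK is a
# connection opener, an ACK without SYN is mid-stream traffic that a missing
# ESTABLISHED rule on INPUT would drop.
classify_log_line() {
    _line="$1"
    case "$_line" in *PROTO=TCP*) ;; *) echo "non-tcp"; return ;; esac
    _syn=0; _ack=0
    for _tok in $_line; do
        case "$_tok" in SYN) _syn=1 ;; ACK) _ack=1 ;; esac
    done
    if [ "$_syn" = 1 ] && [ "$_ack" = 0 ]; then echo "new-connection"
    elif [ "$_syn" = 0 ] && [ "$_ack" = 1 ]; then echo "mid-stream"
    else echo "other"
    fi
}

# The dropped packet logged in post #1 (addresses masked as in the thread).
SAMPLE_ACK='Aug 26 20:59:31 llewellyn IN=eth0 OUT= MAC=00:40:f4:49:e6:3e:00:07:cb:02:3c:3e:08:00 SRC=60.16.83.XXX DST=82.67.96.XX LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=22867 DF PROTO=TCP SPT=3442 DPT=XXXX WINDOW=64800 RES=0x00 ACK URGP=0'

gateway_ruleset
classify_log_line "$SAMPLE_ACK"   # mid-stream
```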
All times are GMT -5. The time now is 04:49 PM.