[IPTABLES] open ext access to web server on GW server

kozaki · 08-27-2005, 11:51 AM

[SOLVED ! See last post]

Hi !

Have a Zope Web Server running fine on my LAN gateway/firewall PC,
But I found impossible to open access to this Web Server from outside the LAN

* Here is the LAN :

Static IP ethernet ADSL modem
|
|
[eth0] gateway/firewall PC with iptables & Zope Web Server [eth1]
|
|
LAN

gateway/firewall PC's /etc/hosts file is :

Code:

127.0.0.1                       localhost
127.0.0.1                       llewellyn

* Here is the IPTABLES rule that I thought would allow access to the Web Server on the gateway/firewall PC :

Code:

iptables -A INPUT -p tcp -i eth0 --dport [Server_Port] --sport 1024: \
  -m state --state NEW -j ACCEPT

Now, that server is awfully unaccessible from outside (many of my relatives were requested to give it a try

)

Despites, I have full access to it from a LAN PC with public IP:PORT

I'm way too new to IPTABLES to analyze the logs

but here's what i see when a guy tries to access the Web server :

Code:

Aug 26 20:59:31 llewellyn IN=eth0 OUT= MAC=00:40:f4:49:e6:3e:00:07:cb:02:3c:3e:08:00 
	SRC=60.16.83.XXX
	DST=82.67.96.XX
	LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=22867 DF PROTO=TCP
	SPT=3442
	DPT=XXXX
	WINDOW=64800 RES=0x00 ACK URGP=0

where 60.16.83.XXX is that guy's IP & 82.67.96.XX my static IP,
and
3442 that guy's source Port & XXXX the port my web server is listening to.

Any advice would be really appreciated

Mara · 08-27-2005, 03:05 PM

How do your OUTPUT rules look like? You need to allow the answers out.

kozaki · 08-27-2005, 03:29 PM

Mara, of course yes !

Here it is (only changed length of lines) :

Code:

#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the protected network
# - Interface eth1 is the private network interface
#---------------------------------------------------------------

iptables -A INPUT   -j ACCEPT -p all -s 192.168.0.0/24 -i eth1
iptables -A OUTPUT  -j ACCEPT -p all -d 192.168.0.0/24 -o eth1


# -------------------------------------------------------------
# [4] Allowing WWW And SSH Access To Your Firewall
# -------------------------------------------------------------

# This sample snippet is for a firewall that doubles as a web server that is managed remotely by its system administrator via secure shell (SSH) sessions.
# Inbound packets destined for ports 80 and 22 are allowed thereby making the first steps in establishing a connection.
# It isn't necessary to specify these ports for the return leg as outbound packets for all established connections are allowed.
# Connections initiated by persons logged into the Web server will be denied as outbound NEW connection packets aren't allowed.

#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
  -j ACCEPT

IPtables script source : Peter Harrison, www.linuxhomenetworking.com

Wouldn't one think it is enough for my purpose (access to the server on Gateway)

kozaki · 08-27-2005, 05:11 PM

This double instruction (OUTPUT authorized for Established,Related & INPUT for New) should have been sufficient, isn't it ?

Allllllllright I found an *intéressant* script for configuring / debugging IPtables: Arno's IPtables-firewall
Now the Web Server is open (and others rules that worked fine are still there

.
Plus, this script really make it much more easier for editing IPtables, and print easy-to-read Logs

Quote:

Aug 28 02:08:47 gateway Connection attempt (UNPRIV): IN=eth0 OUT= MAC=... SRC=222.141.102.X DST=82.67.96.XX LEN=500 TOS=0x00 PREC=0x00 TTL=39 ID=0 DF PROTO=UDP SPT=44091 DPT=1026 LEN=480
Aug 28 02:08:48 gateway Connection attempt (PRIV): IN=eth0 OUT= MAC=... SRC=82.67.133.XXX DST=82.67.96.XX LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=36772 DF PROTO=TCP SPT=3294 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=