Advanced Iptables Issue
Migrating my old FreeBSD Router to Linux, Having some issues with the iptables firewall.
The box is connected to the net through ppp0 (dynamic IP) and to the LAN with eth0 (192.168.0.45). All boxes on the network are connected directly to the switch, and this box serves as the gateway for them all. The internal webserver is 192.168.0.254. I have 2 problems:

1. When I change my 'FORWARD' policy to 'DROP' instead of ACCEPT, as I think it should be, the http forwarding doesn't work anymore. What rule do I need to add afterwards so the http requests still go through etc.?
2. The port 80 / http forwarding works perfectly when trying to http to 192.168.0.45 from the internal network; however, from outside, trying to http to ppp0's IP address doesn't work. Why not, and how can I make it work?

This is my current firewall: Code:
IPTABLES=/sbin/iptables
Look at your last three rules. This is what you're basically saying:
If an HTTP request comes in from the outside, change its destination address to 192.168.0.254. Then allow it through the FORWARD table. Then here's the error: change the source address to 192.168.0.45. So basically the webserver will get the packet but will send it back destined to your router and not the external client. Just erase or comment out the last line. When the packets are sent back from the webserver your default SNAT will take care of it, just as if it was another PC on the LAN trying to talk to the outside. --tarballedtux
I have tried that, but without it the forwarding doesn't work. Anything else that I might have done wrong or missed?
I've tried putting the webserver's gateway on both 192.168.0.45 and totally removing it. Without that rule neither eth0's nor ppp0's forwarding works. Thanks
What I am saying is erase that final rule. There is no reason for it.
--tarballedtux
# Make responses on the internal network go through the firewall
iptables -t nat -A POSTROUTING -p tcp -d $WEBSERVER --dport 80 -j SNAT --to-source $INTIP

Yeah, this rule is shady. It says: before a packet leaves this gateway.... if the protocol is TCP and the destination is the webserver:80, change the SOURCE address of this packet to the address of the router (the machine the packet is leaving in the 1st place). What this does is make your webserver think that each hit is coming from the router, so if I were to hit your webserver (or try) with my IP being something like 128.61.34.256, I wouldn't get a reply back because your webserver will send the reply back to 192.168.0.45, and then the router will probably just drop it. It would never come back to me. It's kinda like this: your mom gives your dad 10 bucks to give to you. And your mom says "tell him it's from me". Your dad then gives you the money and says "here son, this 10 bucks is from me". Now you thank your dad instead of your mom who really gave you the money, and your mom never hears back from you about the 10 bucks because you already thanked your dad and she's out of the loop.... In that analogy, your mom is the client making the request, your dad is the router, and you are the webserver. (I have a habit of making analogies all the time)
aaarrrgghhhhhh!
Okay... It's *still* not working and I've read up on everything I could find on iptables/netfilter by now. It is changed, though. But it still doesn't forward http requests at all.
The webserver's gateway is set to the firewall box's IP, and the webserver isn't running any firewall or NAT software at all. This is what it looks like at the moment: Code:
#!/sbin/runscript
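For reference, here is a complete rule set for the layout described in this thread, added as an illustration and not taken from any poster's script. Interface names and addresses are the ones given above; the LAN netmask 192.168.0.0/24 and the use of the `state` match are assumptions. It keeps FORWARD at DROP (problem 1), matches port-80 hits on the ppp0 interface rather than its changing address (problem 2), and limits the disputed POSTROUTING SNAT to LAN-originated hairpin traffic so external clients keep their real source address.

```shell
#!/bin/sh
# Added example (not any poster's script). Prints every rule it would run and
# applies them only when APPLY=1 (must then be run as root).
IPTABLES=${IPTABLES:-/sbin/iptables}
WAN=ppp0                  # dynamic-IP uplink
LAN=eth0                  # LAN side, the gateway's own address is $INTIP
LANNET=192.168.0.0/24     # assumed LAN netmask
INTIP=192.168.0.45
WEBSERVER=192.168.0.254

rule() {
    echo "$IPTABLES $*"
    if [ "${APPLY:-0}" = 1 ]; then "$IPTABLES" "$@"; fi
}

firewall_rules() {
    if [ "${APPLY:-0}" = 1 ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
    rule -F; rule -t nat -F
    rule -P INPUT DROP; rule -P FORWARD DROP; rule -P OUTPUT ACCEPT
    # Traffic to the gateway itself: loopback, LAN, replies to its own connections.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -i "$LAN" -s "$LANNET" -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Problem 1: with FORWARD at DROP, return traffic, LAN->WAN and the DNAT'd
    # web hits each need an explicit ACCEPT. FORWARD sees the packet after
    # PREROUTING DNAT, so match on the web server, not on the WAN address.
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -i "$LAN" -o "$WAN" -s "$LANNET" -j ACCEPT
    rule -A FORWARD -p tcp -d "$WEBSERVER" --dport 80 -m state --state NEW -j ACCEPT
    # Problem 2: match on the ppp0 interface, since its address changes on every
    # dial-up. The second rule redirects LAN clients that use the gateway's own
    # address (hairpin), which is the case the original poster tested from inside.
    rule -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEBSERVER"
    rule -t nat -A PREROUTING -i "$LAN" -d "$INTIP" -p tcp --dport 80 -j DNAT --to-destination "$WEBSERVER"
    # Outbound: MASQUERADE instead of SNAT because the ppp0 address is dynamic.
    rule -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # The disputed SNAT rule, restricted to LAN-originated hairpin hits only. External
    # clients keep their real source, so the web server replies through its gateway.
    rule -t nat -A POSTROUTING -s "$LANNET" -d "$WEBSERVER" -p tcp --dport 80 -j SNAT --to-source "$INTIP"
}

firewall_rules
```

Run it without arguments to review the generated commands; run `APPLY=1 sh gateway.sh` as root to load them.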