LinuxQuestions.org


Seather 08-26-2003 05:32 PM

Advanced Iptables Issue
 
Migrating my old FreeBSD router to Linux, having some issues with the iptables firewall.

The box is connected to the net through ppp0 (dynamic IP) and to the LAN with eth0 (192.168.0.45). All boxes on the network are connected directly to the switch, and this box serves as the gateway for them all. The internal webserver is 192.168.0.254.

I have 2 problems:
1. When I change my 'FORWARD' policy to 'DROP' instead of ACCEPT, as I think it should be... the http forwarding doesn't work anymore. What rule do I need to add afterwards so the http requests still go through etc.?
2. The port 80 / http forwarding works perfectly when trying to http to 192.168.0.45 from the internal network; however, from outside, trying to http to ppp0's IP address, it doesn't work. Why not, and how can I make it work?

This is my current firewall:

Code:

IPTABLES=/sbin/iptables
EXTIF="ppp0"
INTIF="eth0"
IFCONFIG=/sbin/ifconfig
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
WEBSERVER="192.168.0.254"

printf "\nExternal Interface:  $EXTIF\nInternal Interface:  $INTIF\n\n"

# CRITICAL: enable IP forwarding, since it is disabled by default.
#
echo "Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
#  If you get your IP address dynamically from SLIP, PPP, or DHCP,
#  enable this following option.  This enables dynamic-address hacking
#  which makes the life with Diald and similar programs much easier.
#
echo "Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Set internal IP var
INTIP="192.168.0.45"
echo "Internal ip is $INTIP"

#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT are ACCEPT.
#    FORWARD is also set to ACCEPT here for now (REJECT is not a valid policy).
#
echo "Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE


# This is for forwarding http requests to the webserver.
# It's still kind of dodgy, but it works at the moment so that's good.
#
echo "Forwarding all http requests to $WEBSERVER"
# Forward packets coming in from the outside
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER:80

# Allow forwarded packets
$IPTABLES -A FORWARD -p tcp --dport 80 -d $WEBSERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Make responses on the internal network go through the firewall
$IPTABLES -t nat -A POSTROUTING -p tcp -d $WEBSERVER --dport 80 -j SNAT --to-source $INTIP

Thanks!

tarballedtux 08-26-2003 09:21 PM

Look at your last three rules. This is what you're basically saying:

If an HTTP request comes in from the outside, change its destination address to 192.168.0.254. Then allow it through the FORWARD table. Then here's the error: change the source address to 192.168.0.45. So basically the webserver will get the packet but will send it back destined to your router and not the external client. Just erase or comment out the last line. When the packets are sent back from the webserver your default SNAT will take care of it just as if it was another PC on the LAN trying to talk to the outside.


--tarballedtux

Seather 08-27-2003 03:37 AM

I have tried that, but, without it, the forwarding doesn't work. Anything else that I might have done wrong or missed?

I've tried putting the webserver's gateway on 192.168.0.45 and totally removing it. Without that rule neither eth0's nor ppp0's forwarding works.

Thanks

tarballedtux 08-27-2003 06:33 PM

What I am saying is erase that final rule. There is no reason for it.


--tarballedtux

Robert0380 08-27-2003 11:57 PM

# Make responses on the internal network go through the firewall
iptables -t nat -A POSTROUTING -p tcp -d $WEBSERVER --dport 80 -j SNAT --to-source $INTIP


yea this rule is shady, it says:

before a packet leaves this gateway....
If the protocol is TCP and destination is the webserver:80,

change the SOURCE address of this packet to the address of the router (the machine the packet is leaving in the 1st place).

what this does is make your webserver think that each hit is coming from the router, so if I were to hit your webserver (or try) with my IP being something like 128.61.34.256, I wouldn't get a reply back because your webserver will send the reply back to 192.168.0.45, and then the router will probably just drop it. It would never come back to me.

It's kinda like this:

Your mom gives your dad 10 bucks to give to you. And your mom says "tell him it's from me". Your dad then gives you the money and says "here son, this 10 bucks is from me". Now you thank your dad instead of your mom who really gave you the money, and your mom never hears back from you about the 10 bucks because you already thanked your dad and she's out of the loop....

in that analogy, your mom is the client making the request, your dad is the router, and you are the webserver.

(I have a habit of making analogies all the time)

Seather 08-30-2003 07:09 AM

aaarrrgghhhhhh!
 
Okay...It's *still* not working and I've read up everything I could find on iptables/netfilter by now. It is changed though. But it still doesn't forward http requests at all.

The webserver's gateway is set to the firewall box's ip, and the webserver isn't running any firewall or nat software at all.

This is what it looks like at the moment:

Code:

#!/sbin/runscript

IPTABLES=/sbin/iptables
EXTIF="ppp0"
INTIF="eth0"
IFCONFIG=/sbin/ifconfig
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
WEBSERVER="192.168.0.57"

start() {
        ebegin "Loading Firewall"

# Flush tables and set policies (done inside start(), so that other
# runscript actions such as status do not wipe the running rules)
echo "Clearing any existing rules and setting default policy.."
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -F INPUT
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -F OUTPUT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -F FORWARD
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -F OUTPUT

# Enable IP forwarding
echo "Enabling Forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Enable Dynamic IP
echo "Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Set external IP
EXTON=`ifconfig | grep $EXTIF`
if [ $? -eq 0 ]
then
  EXTIP=`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
  echo "External interface is $EXTIF with ip address: $EXTIP"
else
  echo "External interface is $EXTIF"
fi

# Set internal IP
INTIP=`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
echo "Internal interface is $INTIF with ip address: $INTIP"

# Set up gateway/routing
echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Port forward http requests to the web server
echo "Set up http forwarding to $WEBSERVER"
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER:80

        eend 0
}

stop() {
        ebegin "Clearing Firewall"
        eend 0
}

PLEASE someone help? Why doesn't it forward http requests?
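An added example, not any poster's script, that pulls the thread together: the FORWARD rules a DROP policy needs once the web traffic has been DNATed (question 1), and the disputed SNAT rule kept only for LAN-originated hairpin connections, where the server has to answer the router, while external clients keep their real source address so replies route back to them (question 2 and the "mom and dad" problem). Addresses are the thread's; the LAN prefix 192.168.0.0/24 is assumed, and the PREROUTING rules are restricted by interface because the thread's version, with no -i or -d match, also rewrites every LAN client's outbound port-80 request. By default (DRY_RUN=1) it prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the thread's script. DRY_RUN=1 (the default) prints the
# rules instead of loading them; run with DRY_RUN=0 as root to apply them.
EXTIF="ppp0"
INTIF="eth0"
LAN="192.168.0.0/24"          # assumed LAN prefix behind $INTIF
INTIP="192.168.0.45"
WEBSERVER="192.168.0.254"
if [ "${DRY_RUN:-1}" = "1" ]; then IPT="echo iptables"; else IPT="/sbin/iptables"; fi

firewall_rules() {
    # Policy first, then flush: no window in which everything is forwarded.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING

    # Replies of already tracked connections, in either direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open anything towards the Internet.
    $IPT -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -j ACCEPT
    # FORWARD sees the packet after the PREROUTING DNAT, so match the web
    # server's address, not the router's. This is the rule a DROP policy needs.
    $IPT -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $WEBSERVER --dport 80 -m state --state NEW -j ACCEPT
    # Hairpin: LAN client -> router address -> DNAT -> back out $INTIF.
    $IPT -A FORWARD -i $INTIF -o $INTIF -p tcp -d $WEBSERVER --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: "

    # Only port 80 arriving on the external link goes to the web server.
    $IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER:80
    # Same redirect for LAN clients that use the router's own address.
    $IPT -t nat -A PREROUTING -i $INTIF -d $INTIP -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER:80
    # Masquerade LAN traffic leaving for the Internet behind the dynamic IP.
    $IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
    # SNAT only hairpinned LAN connections: the server then answers the
    # router, which un-NATs the reply. External clients are not rewritten,
    # so the server's replies route back through the router to them.
    $IPT -t nat -A POSTROUTING -s $LAN -d $WEBSERVER -p tcp --dport 80 -j SNAT --to-source $INTIP
}

firewall_rules
```

With the real iptables, `iptables -t nat -L -v -n` afterwards shows the DNAT and SNAT counters moving separately for external and LAN hits, which is the quickest way to see which path a failing request takes.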
