LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 08-26-2003, 06:32 PM   #1
Seather (LQ Newbie, Distribution: Gentoo & FreeBSD)
Advanced Iptables Issue


Migrating my old FreeBSD router to Linux, having some issues with the iptables firewall.

The box is connected to the net through ppp0 (dynamic IP) and to the LAN with eth0 (192.168.0.45). All boxes on the network are connected directly to the switch, and this box serves as the gateway for them all. The internal webserver is 192.168.0.254.

I have 2 problems:
1. When I change my 'FORWARD' policy to 'DROP' instead of ACCEPT, as I think it should be, the http forwarding doesn't work anymore. What rule do I need to add afterwards so the http requests still go through etc?
2. The port 80 / http forwarding works perfectly when trying to http to 192.168.0.45 from the internal network; however, from outside, trying to http to ppp0's ip address doesn't work. Why not, and how can I make it work?

This is my current firewall:

Code:
IPTABLES=/sbin/iptables
EXTIF="ppp0"
INTIF="eth0"
IFCONFIG=/sbin/ifconfig
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
WEBSERVER="192.168.0.254"

printf "\nExternal Interface:  $EXTIF\nInternal Interface:  $INTIF\n\n"

# CRITICAL: Enable IP forwarding, since it is disabled by default
#
echo "Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP,
#   enable this following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
echo "Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Set internal IP var (this router's address on $INTIF)
INTIP="192.168.0.45"
echo "Internal ip is $INTIP"

# Clearing any previous configuration
#
#   Unless specified, the default policy for the built-in chains
#   (INPUT, OUTPUT and FORWARD) is ACCEPT; REJECT is not a valid policy.
#
echo "Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE


# This is for forwarding http requests to the webserver.
# It's still kind of dodgy, but it works at the moment so that's good.
#
echo "Forwarding all http requests to $WEBSERVER"
# Forward packets coming in from the outside (destination is rewritten before routing)
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER:80

# Allow forwarded packets (FORWARD sees the post-DNAT destination)
$IPTABLES -A FORWARD -p tcp --dport 80 -d $WEBSERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Make responses on the internal network go through the firewall
$IPTABLES -t nat -A POSTROUTING -p tcp -d $WEBSERVER --dport 80 -j SNAT --to-source $INTIP
Thanks!
 
Old 08-26-2003, 10:21 PM   #2
tarballedtux (Member)
Look at your last three rules. This is what you're basically saying:

If an HTTP request comes in from the outside, change its destination address to 192.168.0.254. Then allow it through the FORWARD table. Then here's the error: change the source address to 192.168.0.45. So basically the webserver will get the packet but will send it back destined to your router and not the external client. Just erase or comment out the last line. When the packets are sent back from the webserver your default SNAT will take care of it just as if it was another PC on the LAN trying to talk to the outside.


--tarballedtux
 
Old 08-27-2003, 04:37 AM   #3
Seather (LQ Newbie, Original Poster)
I have tried that, but without it the forwarding doesn't work. Anything else that I might have done wrong or missed?

I've tried putting the webserver's gateway on 192.168.0.45 and also totally removing it. Without that rule neither eth0's nor ppp0's forwarding works.

Thanks
 
Old 08-27-2003, 07:33 PM   #4
tarballedtux (Member)
What I am saying is erase that final rule. There is no reason for it.


--tarballedtux
 
Old 08-28-2003, 12:57 AM   #5
Robert0380 (Guru, Distribution: Gentoo)
# Make responses on the internal network go through the firewall
iptables -t nat -A POSTROUTING -p tcp -d $WEBSERVER --dport 80 -j SNAT --to-source $INTIP


yeah this rule is shady, it says:

before a packet leaves this gateway....
If the protocol is TCP and destination is the webserver:80,

change the SOURCE address of this packet to the address of the router (the machine the packet is leaving in the 1st place).

what this does is make your webserver think that each hit is coming from the Router, so if I were to hit your webserver (or try) with my IP being something like 128.61.34.256, I wouldn't get a reply back because your webserver will send the reply back to 192.168.0.45, and then the router will probably just drop it. It would never come back to me.

It's kinda like this:

Your mom gives your dad 10 bucks to give to you. And your mom says "tell him it's from me". Your dad then gives you the money and says "here son, this 10 bucks is from me". Now you thank your dad instead of your mom who really gave you the money, and your mom never hears back from you about the 10 bucks because you already thanked your dad and she's out of the loop....

in that analogy, your mom is the client making the request, your dad is the router, and you are the webserver.

(I have a habit of making analogies all the time)
 
Old 08-30-2003, 08:09 AM   #6
Seather (LQ Newbie, Original Poster)
aaarrrgghhhhhh!

Okay... It's *still* not working, and I've read up on everything I could find on iptables/netfilter by now. It has changed, though. But it still doesn't forward http requests at all.

The webserver's gateway is set to the firewall box's ip, and the webserver isn't running any firewall or nat software at all.

This is what it looks like at the moment:

Code:
#!/sbin/runscript

IPTABLES=/sbin/iptables
EXTIF="ppp0"
INTIF="eth0"
IFCONFIG=/sbin/ifconfig
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
WEBSERVER="192.168.0.57"

# Flush tables and reset all policies to ACCEPT.  Kept in a function so that
# it only runs from start() and stop(); top-level code in a runscript would run
# on every invocation (including "status") and wipe the rules each time.
flush_tables() {
        echo "Clearing any existing rules and setting default policy.."
        $IPTABLES -t filter -P INPUT ACCEPT
        $IPTABLES -t filter -F INPUT
        $IPTABLES -t filter -P OUTPUT ACCEPT
        $IPTABLES -t filter -F OUTPUT
        $IPTABLES -t filter -P FORWARD ACCEPT
        $IPTABLES -t filter -F FORWARD
        $IPTABLES -t nat -P PREROUTING ACCEPT
        $IPTABLES -t nat -F PREROUTING
        $IPTABLES -t nat -P POSTROUTING ACCEPT
        $IPTABLES -t nat -F POSTROUTING
        $IPTABLES -t nat -P OUTPUT ACCEPT
        $IPTABLES -t nat -F OUTPUT
}

start() {
        ebegin "Loading Firewall"

        flush_tables

        # Enable IP forwarding
        echo "Enabling Forwarding.."
        echo "1" > /proc/sys/net/ipv4/ip_forward

        # Enable Dynamic IP
        echo "Enabling DynamicAddr.."
        echo "1" > /proc/sys/net/ipv4/ip_dynaddr

        # Set external IP (only available once the ppp link is up)
        if $IFCONFIG | $GREP -q "$EXTIF"
        then
                EXTIP=`$IFCONFIG $EXTIF | $GREP inet | cut -d : -f 2 | cut -d ' ' -f 1`
                echo "External interface is $EXTIF with ip address: $EXTIP"
        else
                echo "External interface is $EXTIF"
        fi

        # Set internal IP
        INTIP=`$IFCONFIG $INTIF | $GREP inet | cut -d : -f 2 | cut -d ' ' -f 1`
        echo "Internal interface is $INTIF with ip address: $INTIP"

        # Set up gateway/routing
        echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF"
        $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

        # Port forward http requests to the web server
        echo "Set up http forwarding to $WEBSERVER"
        $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER:80

        eend 0
}

stop() {
        ebegin "Clearing Firewall"
        flush_tables
        eend 0
}
PLEASE someone help? Why doesn't it forward http requests?
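The following is an added example, not the poster's script or anything from the replies: it combines the SNAT explanation from reply #5 with the revised runscript above, keeping the FORWARD policy at DROP, admitting only the DNAT'd HTTP connection from the Internet, and limiting the SNAT to LAN sources (the hairpin case, where the web server would otherwise answer a LAN client directly). It assumes a 192.168.0.0/24 LAN and the log prefix; with IPTABLES unset it only prints the rules.

```shell
#!/bin/sh
# Added example, not the poster's runscript: HTTP port forwarding with a
# default-DROP FORWARD policy plus a hairpin so LAN clients can also use the
# router's LAN address.  Interfaces/addresses are the thread's; the /24 LAN
# and the "FWD-DROP" log prefix are assumptions.  With IPTABLES unset the
# rules are only printed (dry run); IPTABLES=/sbin/iptables applies them.
IPTABLES="${IPTABLES:-echo iptables}"
EXTIF="ppp0"
INTIF="eth0"
LAN="192.168.0.0/24"
INTIP="192.168.0.45"
WEBSERVER="192.168.0.254"

firewall_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
    # Replies and related packets of connections conntrack already tracks.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open connections towards the Internet.
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -j ACCEPT
    # The only NEW connection admitted from the Internet: HTTP to the web
    # server.  DNAT runs before filtering, so match the rewritten destination.
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $WEBSERVER --dport 80 -m state --state NEW -j ACCEPT
    # Hairpin: a LAN client hitting $INTIP:80 is rewritten to the web server
    # and leaves again on the same interface.
    $IPTABLES -A FORWARD -i $INTIF -o $INTIF -p tcp -d $WEBSERVER --dport 80 -m state --state NEW -j ACCEPT
    # Anything reaching the end of FORWARD is logged, then dropped by policy.
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    # Rewrite HTTP arriving on the external link to the web server.
    $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER:80
    # Same rewrite for LAN clients that use the router's LAN address.
    $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -d $INTIP --dport 80 -j DNAT --to-destination $WEBSERVER:80
    # Masquerade LAN traffic leaving on the dynamic-IP link.
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
    # Hairpin SNAT, limited to LAN sources: without it the web server would
    # answer the LAN client directly (same subnet), bypassing the router's NAT
    # state, and the client would discard a reply from an address it never
    # contacted.  Internet clients are not matched, so the server sees their
    # real address and the replies return through conntrack as usual.
    $IPTABLES -t nat -A POSTROUTING -s $LAN -d $WEBSERVER -p tcp --dport 80 -j SNAT --to-source $INTIP
}

firewall_rules
```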
 
  

