09-24-2002, 04:28 PM
|
#1
|
|
LQ Newbie
Registered: Sep 2002
Location: Ottawa
Posts: 13
Rep:
|
Forward port 80 to LAN web server
Hi
I have attempted numerous times to get some results with the following configuration, but have yet to get any progress to measure if I am on the right track.
I just rebuilt this box after making it very unstable.
I am running Mandrake 8.1 and the last install I did was with IPTABLES. I am running DNS and PostFix along with Apache on this box, and I am connected via ADSL and a static address is served to me and it is bound to 205.150.254.x (eth0). The second card is my private network 192.168.100.1 (eth1). I have my loopback 127.0.0.1 (lo) and (ppp0) bound to 205.150.254.x. I have set up routing on this machine using 192.168.100.1 (I don't know if I need to do this?)
I also run a WIN2000 web server, and I have been using another dedicated ADSL connection with it. This does not work out as my ISP will reboot at his end a few times a week, and WIN2000 will not reconnect like Linux will. I want to drop that second account...
I have 2 nics in this WIN2000 server, and the local network is bound to 192.168.100.100.
I need to port forward port 80 from the outside internet connection (Mandrake), 205.150.254.x, to the internal web server (IIS5), 192.168.100.100, and I don't know about DNS and SMTP & POP.
I was told to keep my zone files for domains pointed at 205.150.254.x (Linux) and everything would work with port forwarding, but everything pointed back to my Name Server and all you would see would be my default Apache web page.
If someone could get me started this would be a great help, as I have spent a long time trying to figure out just what to do. I have tried several scripts, but without any results to let me know if I am progressing with this.
Thanks very much,
Dulaus
|
|
|
|
09-25-2002, 05:15 AM
|
#2
|
|
Moderator
Registered: May 2001
Posts: 24,779
|
Would be cool if you posted *what* you tried instead of telling us you *tried*.
You need
iptables -t nat -A PREROUTING -i <pub eth> -p tcp -d <dest IP> --dport <port> -j DNAT --to <lan IP:port>
iptables -A FORWARD -i <pub eth in> -o <lan eth> -p tcp -d <Lan IP> --dport <port> -j ACCEPT
iptables -t nat -A POSTROUTING -o <pub eth> -j SNAT --to-source <Lan IP>
Here's an example by Raz, there's our Search function with examples 1 and 2, the IPMAsq howto, and then there's Linuxguru's.
|
|
|
|
09-25-2002, 06:43 AM
|
#3
|
|
LQ Newbie
Registered: Sep 2002
Location: Ottawa
Posts: 13
Original Poster
Rep:
|
unSpawn,
Thanks for replying. I was going to post some scripts, but felt I was way off base.
With your example, will I be editing "rc.firewall", or do you suggest something else?
This is a fresh default install using Mandrake 8.1, and 2.4.x kernel, IPTABLES installed and not IPCHAINS as recommended in the install.
Cheers
Dulaus
|
|
|
|
09-25-2002, 04:35 PM
|
#4
|
|
Moderator
Registered: May 2001
Posts: 24,779
|
Uh. I suggest you backup your old script then try it. Since I don't know Mandy (wiped after 0,5 days) it might as well be /etc/(rc.d/)rc.firewall :-]
|
|
|
|
09-25-2002, 07:08 PM
|
#5
|
|
LQ Newbie
Registered: Sep 2002
Location: Ottawa
Posts: 13
Original Poster
Rep:
|
Right track with rc.firewall ?
Hi
eth0 is my outside (internet) nic address 205.150.254.x
eth1 is my internal (local) nic address 192.168.100.1
IIS5 web server nic (local) is 192.168.100.100
I have enabled routing in linuxconf.
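I am reading a lot of documentation, and once I get something working I will most likely be able to add to it.
Can anyone see anything wrong?
Thanks for your patience
/etc/rc.d/rc.firewall
# Mandrake-Security : if you remove this comment, remove the next line too.
# echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Use iptables from PATH unless $IPTABLES is already set earlier in the script.
IPTABLES=${IPTABLES:-iptables}
# Enable IPv4 forwarding (the space before ">" matters: "1>" is parsed as a redirect of fd 1).
echo 1 > /proc/sys/net/ipv4/ip_forward
# Redirect inbound HTTP on eth0 to the internal web server.
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.100.100:80
# Let the redirected traffic through from eth0 to eth1.
$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.100.100 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.100.100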
|
|
|
|
09-26-2002, 05:33 AM
|
#6
|
|
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458
Rep:
|
What do you have for a FORWARD POLICY?
If it is DROP, you will need to add some -m state rules to allow outward traffic.
Regards,
Peter.
|
|
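The rules discussed in posts #2, #5 and #6 put together, as an added example that is not part of any original post: DNAT for port 80 plus the `-m state` rules that a FORWARD policy of DROP requires. `PUB_IP` is a placeholder because the thread elides the real address, the /24 netmask is an assumption, and by default the script only prints the commands (dry run).

```shell
#!/bin/sh
# Added example. Interface names and LAN addresses are the ones given in the thread.
PUB_IF=eth0                # Internet-facing NIC
LAN_IF=eth1                # private NIC
WEB_IP=192.168.100.100     # internal web server
PUB_IP=203.0.113.10        # PLACEHOLDER: the thread elides the real public address
LAN_NET=192.168.100.0/24   # ASSUMED netmask for the private network
IPT=${IPT:-echo iptables}  # dry run by default; set IPT=iptables (as root) to apply

port_forward_rules() {
    # Default-deny forwarding, so every permitted flow is an explicit rule.
    $IPT -P FORWARD DROP
    # Packets of connections that were already accepted, in either direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rewrite inbound HTTP for the public address to the internal server.
    $IPT -t nat -A PREROUTING -i "$PUB_IF" -p tcp -d "$PUB_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_IP:80"
    # Admit new inbound connections to that one host and port only
    # (FORWARD sees the destination after DNAT has rewritten it).
    $IPT -A FORWARD -i "$PUB_IF" -o "$LAN_IF" -p tcp -d "$WEB_IP" --dport 80 \
        -m state --state NEW -j ACCEPT
    # Let LAN hosts open outbound connections.
    $IPT -A FORWARD -i "$LAN_IF" -o "$PUB_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    # Outbound LAN traffic leaves with the gateway's public address as source.
    $IPT -t nat -A POSTROUTING -o "$PUB_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$PUB_IP"
}

# Turn on routing only for a real run, then emit (or apply) the rules.
if [ "$IPT" = "iptables" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
port_forward_rules
```

After a real run, `iptables -L FORWARD -n -v` and `iptables -t nat -L -n -v` show per-rule packet counters, which tell you which rule the traffic is actually hitting.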
|
|
09-26-2002, 11:06 AM
|
#7
|
|
LQ Newbie
Registered: Sep 2002
Location: Ottawa
Posts: 13
Original Poster
Rep:
|
Forward Policy
Hi Peter,
Thank you but at this point I do not have enough background to answer any questions on Forward Policy.
I think I have to forward my internet IP, (eth0) to my second nic (eth1) 192.168.100.1 - on the linux box, and then to my web server IIS5 defined as 192.168.100.100.
At this point I do not know where packets are ending up, and how to check where things are going, and then deal with DNS, and the Mail Server which are on the linux box as well.
If I knew how to check these things I may be able to understand the tutorials better, logs, tools, etc.
No results yet, but still trying
Thanks...
|
|
|
|
09-26-2002, 11:28 AM
|
#8
|
|
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458
Rep:
|
I keep referring people to this tutorial
http://www.netfilter.org/documentati...ials/blueflux/
It's very comprehensive.
You will need to absorb this, otherwise you may not understand what we are suggesting...
There is a gui interface called Firestarter which users here fancy.
http://firestarter.sourceforge.net/
Regards,
Peter
|
|
|
|
10-01-2002, 07:32 PM
|
#9
|
|
LQ Newbie
Registered: Sep 2002
Location: Ottawa
Posts: 13
Original Poster
Rep:
|
Hello Peter
Thanks for the posting.
I did install Firestarter, with a bit of trouble but managed to get the firewall up. I get this warning and do not know how relevant this is...
GnomeUI-WARNING **:While connecting to session manager:
Could not open network socket.
This error happens on a manual restart (./firestarter restart)
The firewall is showing traffic on many ports, but nothing to port 80 tcp and nothing to port 53 udp.
I am not certain which IP to use for (dns) zone files since traffic will be redirected to my internal network server. 192.168.1.100:80
The Bastille Firewall firewall may also be a problem, and I do not know how to disable this for testing.
Any hints would be appreciated.
Thanks
|
|
|
|
10-04-2002, 03:45 AM
|
#10
|
|
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458
Rep:
|
Sorry,
I don't use Firestarter myself.
Do a search here and see if your question has been asked before...
Regards,
Peter
|
|
|
|