LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 04-16-2012, 10:09 PM   #1
lamletoi
Member
 
Registered: Oct 2011
Posts: 46

Help for NAT to public Webserver using Iptables


Hi all,
Today I have a problem when I want to publish my website for my company.
My diagram:
Iptables server:
NIC 1: public IP
NIC 2: LAN (192.168.2.x)
NIC 3: DMZ (192.168.1.x)
I know how to publish this webserver using iptables but I don't know how to let all my LAN clients connect to port 80.
If I use:
PHP Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.3
iptables -A POSTROUTING -t nat -i eth2 -p tcp --sport 80 -j SNAT --to 192.168.1.1
So all traffic going to my network will be NATed to 192.168.1.3 (WebServer) and nothing for the client area.

Please help me.
Attached Thumbnails: network diagram (9f73c752e0f631b2d6ec1e22142eeea8_43541910.anh.jpg)

Last edited by lamletoi; 04-16-2012 at 10:12 PM.
 
Old 04-17-2012, 02:56 AM   #2
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 509

Hi there,

How does your NIC 1/2/3 translate to eth0/1/2? It looks like eth0 is your LAN adapter, and eth3 your DMZ adapter? I assume 192.168.1.1 is the IP on your firewall, and 192.168.1.3 is your web server?

If my assumptions above are correct, your DNAT command says "redirect ALL traffic coming from the LAN to port 80 on ANY IP (i.e. any website) to 192.168.1.3". Is this what you want, or do you want to allow access to external websites, and also allow access to http://192.168.1.3/ from inside?

To allow access to http://192.168.1.3/, in addition to your SNAT you probably just need to ACCEPT that traffic, like this:
iptables -A FORWARD -i eth0 -d 192.168.1.3 --dport 80 -j ACCEPT

Regarding your SNAT rule, I'm not sure I understand what it is meant to do. You should not need to NAT traffic between the LAN and DMZ, but if you want to do that, again assuming my assumptions above are correct, I think the rule to do this should be:
iptables -A POSTROUTING -t nat -o eth2 -p tcp --sport 80 -j SNAT --to 192.168.1.1
i.e. you want to NAT traffic going out onto the DMZ adapter, not traffic coming in from there.

Hope this helps!
 
Old 04-17-2012, 05:12 AM   #3
lamletoi
Member
 
Registered: Oct 2011
Posts: 46

Original Poster
Hi cliffordw,
I have re-edited my diagram. Please tell me more about this matter.
My purpose:
From Webserver: Both External and Internal can access.
I use some rules on Firewall.
PHP Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.3  #this is for External access via the Public IP of the firewall
iptables -A POSTROUTING -t nat -i eth1 -p tcp --sport 80 -j SNAT --to 192.168.1.1  #this is for responses from the webserver to external
From LAN: Clients can connect to the internet and the webserver (192.168.1.3).
I would like to use some rules like:
PHP Code:
iptables -A FORWARD -i eth2 -d 192.168.1.3 --dport 80 -j ACCEPT #this is for access to the webserver
iptables -A OUTPUT -i eth2 -s 192.168.2.0/24 -d 0.0.0.0 --dport 80 -j ACCEPT #this is for LAN access to external
iptables -A INPUT -i eth0 -d 192.168.2.0/24 --dport 80 -j ACCEPT #this is for responses from external to LAN
Did I make any mistakes?
Thanks
Attached Thumbnails: revised network diagram (9f73c752e0f631b2d6ec1e22142eeea8_43541910.anh.jpg)

Last edited by lamletoi; 04-17-2012 at 05:24 AM.
 
Old 04-17-2012, 06:39 AM   #4
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Since you are running a webserver, I will assume you have a static IP from your ISP.
Firstly, the DNAT rule you have is good. In this situation, you need to SNAT traffic from the local networks (LAN/DMZ) for ALL ports, to the router's Internet IP address.
Code:
iptables -t nat -A POSTROUTING -o $wan_if -j SNAT --to $public_ip
The reason for this is, when a packet originating from a LAN client, 192.168.1.1 for example, initiates a http connection with google.com, the request packet's source IP (and thus where the reply packets will get sent) will be 192.168.1.1. When this packet gets to google.com, the return packets would be sent to the local IP 192.168.1.1, which may or may not exist. The moral of the story is, the reply packets will never get back to the host that made the request.
So what happens is, the original request packet comes into the router/firewall, gets filtered by the firewall, then gets routed out the $wan_if interface, and is then SNAT'ed to the router's $public_ip. The ip_conntrack module keeps track of these connections, and reverses the process on the returned packets, which come to the router/firewall's $wan_if, get filtered by the firewall, SNAT'ed to the ip by ip_conntrack, routed, and returned to the client.

This does not need to take place for local routed traffic between two subnets. So the SNAT rules you are using are invalid.
You could check that routing is working by making sure the:
LAN can ping the DMZ, internet and gateway
DMZ can ping the LAN, internet and gateway (we can discuss filtering this later)
Router/firewall can ping everything

Quote:
I would like to use some rule like:
Since you still haven't said what interface relates to what subnet, you are making this somewhat difficult.

Quote:
iptables -A OUTPUT -i eth2 -s 192.168.2.0/24 -d 0.0.0.0 --dport 80 -j ACCEPT #this is for LAN access to external
This rule won't work. The OUTPUT chain is for packets generated BY the firewall itself.
Quote:
iptables -A INPUT -i eth0 -d 192.168.2.0/24 --dport 80 -j ACCEPT #this is for responses from external to LAN
Once again, the INPUT chain is for packets destined TO the router.

Incidentally (not that you asked), the FORWARD chain is for packets being routed THROUGH the firewall.
 
Old 04-17-2012, 08:05 AM   #5
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 509

@fukawi1, the interface details are in the revised diagram, as follows:
NIC 1: public ip - eth0
NIC 2: LAN(192.168.2.x) - eth2 with IP 192.168.2.1
NIC 3: DMZ(192.168.1.x) - eth1 with IP 192.168.1.1
Web server on 192.168.1.3

@lamletoi, a few comments:

Your DNAT rule for allowing external clients to access the web server seems OK, as follows:
Quote:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.3
You just need to add a rule to allow that traffic, like this:
Code:
iptables -A FORWARD -p tcp -d 192.168.1.3 --dport 80 -j ACCEPT
This rule, with no interface specified, will handle traffic to your webserver from both the internet and the LAN. Alternately you can add "-i eth0" to this rule to handle only the internet traffic, and add a separate rule for LAN traffic (also see below).

The SNAT rule you have for replies is not necessary. You do need an SNAT rule for outgoing traffic though, as per @fukawi1's post:
Quote:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $public_ip
For allowing internal clients to access the web server, you can just use the rule above with no interface specified. Alternately your rule is OK:
Quote:
iptables -A FORWARD -i eth2 -d 192.168.1.3 --dport 80 -j ACCEPT
I'd just add the protocol ("-p tcp") too (missed this in my earlier reply).

For internal clients to access external hosts, as @fukawi1 mentioned, the INPUT and OUTPUT rules are incorrect. A rule similar to this will do the trick:
Code:
iptables -A FORWARD -i eth2 -p tcp --dport 80 -j ACCEPT
This should handle all the HTTP requests. You'll need to add corresponding ACCEPT rules for the replies (opposite directions - change destination IPs/interfaces/ports for source, and vice versa).
 
Old 04-17-2012, 09:26 AM   #6
lamletoi
Member
 
Registered: Oct 2011
Posts: 46

Original Poster
Thank you so much, cliffordw and fukawi1.
I have figured out my problem.
 
Old 04-17-2012, 09:36 AM   #7
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 509

Just a quick update to elaborate on handling the TCP replies.

For connections to your web server, you need to allow it to reply (to both the LAN and internet). This rule should do that:
Code:
iptables -A FORWARD -i eth1 -p tcp -s 192.168.1.3 --sport 80 -j ACCEPT
For connections from the LAN to outside, you need to allow the external servers to reply. Try this rule:
Code:
iptables -A FORWARD -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
 
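The rules in this thread arrive one at a time across posts #4, #5 and #7 (SNAT on the WAN interface, FORWARD accepts for the web server and for LAN browsing, and allowing the replies). The script below is an added example that assembles them into one ruleset for the topology cliffordw spelled out (eth0 public, eth1 DMZ with the web server at 192.168.1.3, eth2 LAN 192.168.2.0/24); it is not a script any poster supplied. Assumptions beyond the thread: the public address is a constructed TEST-NET-3 placeholder in PUBLIC_IP, `-m conntrack --ctstate ESTABLISHED,RELATED` is used in place of the older `-m state --state ESTABLISHED` from post #7, default policies are DROP with a rate-limited LOG before the drop, SSH to the firewall is allowed from the LAN only, ICMP echo is permitted so the ping checks from post #4 work, and port 443 is accepted alongside port 80 for LAN browsing.

```shell
#!/bin/sh
# Complete ruleset for the topology in this thread: eth0 = public (WAN),
# eth1 = DMZ 192.168.1.0/24 (firewall 192.168.1.1, web server 192.168.1.3),
# eth2 = LAN 192.168.2.0/24 (firewall 192.168.2.1).
# Added example for this page; it is not a script any poster supplied.
# Usage:  sh fw.sh show    -> print the iptables commands (no root needed)
#         sh fw.sh apply   -> load them (run as root on the firewall)

WAN_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
LAN_NET=192.168.2.0/24
WEB_IP=192.168.1.3
# Constructed placeholder from the TEST-NET-3 documentation range; the thread
# never states the real static IP, so set PUBLIC_IP before applying.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"

# Every rule goes through $IPT; set IPT="echo iptables" for a dry run.
# Deliberately unquoted so that a two-word value like "echo iptables" splits.
IPT="${IPT:-iptables}"
ipt() { $IPT "$@"; }

build_rules() {
    # Flush both tables and start deny-by-default for traffic aimed at or
    # routed through the firewall; the firewall's own outbound traffic is allowed.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # --- INPUT: packets addressed to the firewall itself ---
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Management only from the LAN side, plus ICMP echo so the gateway ping
    # check suggested in post #4 works from both internal networks.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -i "$DMZ_IF" -p icmp --icmp-type echo-request -j ACCEPT

    # --- FORWARD: packets routed through the firewall ---
    # One conntrack rule replaces the hand-written reverse-direction rules:
    # replies to any accepted connection are allowed automatically.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Internet -> web server. FORWARD sees the post-DNAT destination, so
    # match on 192.168.1.3, not on the public IP.
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$WEB_IP" --dport 80 -j ACCEPT
    # LAN -> web server, directly to its DMZ address.
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -p tcp -d "$WEB_IP" --dport 80 -j ACCEPT
    # LAN -> internet web browsing (443 added here; the thread discusses port 80 only).
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # LAN pings to the DMZ and the internet for the routing checks in post #4.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT
    # Everything else that is routed (including anything the DMZ host
    # initiates towards the LAN) is logged at a bounded rate, then dropped
    # by the chain policy.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # --- NAT ---
    # Publish the web server: rewrite port 80 arriving on the public interface.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_IP"
    # Hide internal addresses behind the static public IP for anything leaving
    # via the WAN. No SNAT is needed between LAN and DMZ: both are routed directly.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

case "${1:-}" in
    apply) build_rules ;;
    show)  IPT="echo iptables"; build_rules ;;
    *)     : ;;   # no mode given: only define the functions (e.g. when sourced)
esac
```

Run `sh fw.sh show` first to review the generated commands, then `apply` as root from a console session (the INPUT policy is DROP, so a remote session survives only because of the LAN-side SSH rule). The dry-run mode is also what makes the ruleset testable without netfilter: the same function that loads the rules can be read back as text.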