LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 02-03-2002, 11:55 PM   #1
kajboj
LQ Newbie
 
Registered: Feb 2002
Location: san francisco
Posts: 3

Rep: Reputation: 0
Question iptables and EXTIP access from LAN


Hi,

I posted this a few days ago under "Security" and haven't received a response. Forgive me if I'm being impatient, but I suspect that "Security" may not be the right forum for my question.

Thanks,
Alan

I have a RedHat 7.2 box configured as a firewall with IP masquerading. The setup is rather basic: DSL ROUTER <-> FIREWALL <-> SWITCH <-> (WEBSERVER, INTERNAL MACHINE 1, INTERNAL MACHINE 2, ETC) and for the most part works fine. External machines are able to access the webserver through the firewall, and internal machines can access the webserver via its LAN IP address. The problem I have is that internal machines can't reach the webserver via the firewall's EXTIP address. In other words, if I "telnet mydomain.com 80" on an internal machine, DNS (from outside my LAN) returns the correct IP address but the machine can't establish a connection, whereas the same test works fine if I perform it on a machine outside the firewall. In summary, it seems there's a problem with machines on the LAN accessing other machines on the LAN through the firewall.

I'm using the seemingly-standard rc.firewall 0.63 script (copied off linuxdoc.org), with a few modifications for allowing external access to my LAN. I figure I need to add a rule that forwards port 80 LAN traffic destined for the firewall EXTIP address to the webserver, but haven't been able to make it work. I've been looking all over for help and can't find what I need, so I'd love to hear everyone's suggestions on what might be wrong. Let me know if I should post my iptables config (or anything else).

Many Thanks,
Alan
 
Old 02-04-2002, 05:09 AM   #2
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,155

Rep: Reputation: 56
I have the same thing.


The reason is I have the eth0 external port 80 on the firewall forwarded to the internal ip address.


There is no way to get outside of eth0 from the inside, therefore the external ip on the inside gets the firewall not the server.


$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.4


I use the 10.0.0.4 from the inside.


In my opinion there is nothing wrong. That's the way it should be, and there is no reason to have two ip addresses pointing to the same machine.

And if it were the other way I could not access my web server on port 80 on the router from inside.

Last edited by DavidPhillips; 02-04-2002 at 05:19 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
deny ssh access from lan with iptables NuLLiFiEd Linux - Security 10 12-01-2005 08:11 PM
How to configure an iptables extdev and extip that uses dynamic ip? Niceman2005 Linux - Networking 1 10-11-2005 10:43 PM
IPTABLES How to access to web server on gateway from LAN? kozaki Linux - Networking 4 08-26-2005 12:27 PM
Allowing access to FTP server on LAN using IPTABLES - Help please sergio3986 Linux - Security 2 12-18-2003 01:22 PM
iptables and EXTIP access from LAN kajboj Linux - Security 1 02-06-2002 01:11 PM


All times are GMT -5. The time now is 05:09 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration