iptables basic question
I have set up a webserver on port 81 on my network and would like it to be accessible from the internet, and I use iptables. But I have a problem setting up the firewall. Here is what I type in the console:

    # remove the trailing DROP so the new rules are not appended after it
    iptables -D INPUT -j DROP
    iptables -A INPUT -p tcp --dport 81 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    # $1 and $4 are positional parameters of the script this is run from
    iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination $4:81
    # put the catch-all DROP back at the end
    iptables -A INPUT -j DROP

But still the server isn't accessible. Does anyone know how to properly configure iptables?
It's been a while since I have messed with iptables. If you have not been using this Linux PC as a firewall/NAT before, one note would be to ensure that you have IP forwarding enabled:

    echo 1 > /proc/sys/net/ipv4/ip_forward
Forwarding is enabled, in fact 3 ports are forwarded already.
I am thinking maybe it's because I have a DMZ set up for 1 PC and add forwarding to port 80 after the DMZ is set. I think iptables finds the DMZ mode and ignores all other entries. Could it be that?

    [root@asus root]$ iptables -t nat -L -v -n
    Chain PREROUTING (policy ACCEPT 48 packets, 3516 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.62.50        tcp dpt:4666 to:192.168.0.53:4666
        0     0 DNAT       udp  --  *      *       0.0.0.0/0            192.168.62.50        udp dpt:4672 to:192.168.0.53:4672
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.62.50        tcp dpt:4999 to:192.168.0.53:4999
        3   169 DNAT       all  --  *      *       0.0.0.0/0            192.168.62.50        to:192.168.0.50
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.62.50        tcp dpt:80 to:192.168.0.1:81

    Chain POSTROUTING (policy ACCEPT 25 packets, 1957 bytes)
     pkts bytes target     prot opt in     out     source               destination
       12  1121 MASQUERADE all  --  *      vlan1   !192.168.62.50        0.0.0.0/0
        2   353 MASQUERADE all  --  *      br0     192.168.0.0/24       192.168.0.0/24

    Chain OUTPUT (policy ACCEPT 24 packets, 2141 bytes)
     pkts bytes target     prot opt in     out     source               destination
    [root@asus root]$
I know it's sloppy but, as a general rule, I add most rules I create to INPUT, OUTPUT, and FORWARD via another chain I create:
    # one user-defined chain, hooked from all three built-in filter chains
    $ipt -N chain
    $ipt -A INPUT -j chain
    $ipt -A OUTPUT -j chain
    $ipt -A FORWARD -j chain

Then I'm quite picky about the rules I add to it.

    $ipt -A chain -i $ext_ifc -p tcp --dport 80 -j ACCEPT
    $ipt -t nat -A PREROUTING -d $ext_ip -p tcp --dport 80 -j DNAT --to-destination $ip_webserver:81

Something like that. ("$ext_ifc" is the external interface; "$ext_ip" is the external IP address.) It's ugly, but I've never had any trouble with it. I seem to remember reading once that, if anything is getting forwarded along, the rule needs to be passed to FORWARD instead of INPUT. But I'm not sure.
Yes, thanks, that worked out well.
And by the way, the INPUT chain is for a certain PC to accept the packet, so in this case if a server is on port 81 I need to accept tcp on port 81, and in PREROUTING I need to forward 80 external to 81 internal. Thanks
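Added example, not part of the thread: a small Python model of the two things the posts above turn on, built from the rules in the `iptables -t nat -L -v -n` listing. First, the nat PREROUTING chain is evaluated first-match, so a DNAT for tcp/80 appended with `-A` behind the catch-all DMZ rule (`DNAT all ... to:192.168.0.50`) never fires; inserting it ahead of that rule with `-I PREROUTING 1` does. Second, after DNAT the kernel routes the packet: if the new destination is one of the box's own addresses it goes through INPUT (so the port-81 ACCEPT belongs there, as the last post says), otherwise through FORWARD. The set of local addresses, the external source address 203.0.113.7 and the FORWARD rule are assumptions made for the example; the chain evaluation here is a simplified model, not a reimplementation of netfilter.

```python
"""Toy first-match model of nat PREROUTING + INPUT/FORWARD (example for the thread above)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    target: str                 # "DNAT", "ACCEPT" or "DROP"
    proto: Optional[str] = None  # None means "all"
    dst: Optional[str] = None
    dport: Optional[int] = None
    to: Optional[str] = None    # DNAT --to-destination, "ip" or "ip:port"

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


def run_chain(rules, p: Packet, policy: str) -> Rule:
    """The first matching rule wins, exactly as in iptables; else the chain policy."""
    for r in rules:
        if r.matches(p):
            return r
    return Rule(policy)


def apply_dnat(rule: Rule, p: Packet) -> Packet:
    ip, _, port = rule.to.partition(":")  # DNAT without a port keeps the original port
    return replace(p, dst=ip, dport=int(port) if port else p.dport)


# Assumption: addresses the router itself owns (WAN and LAN side, from the listing).
LOCAL_ADDRS = {"192.168.62.50", "192.168.0.1"}


def deliver(prerouting, p: Packet, input_rules, forward_rules):
    """Return (filter chain consulted, verdict, packet as seen after NAT)."""
    r = run_chain(prerouting, p, "ACCEPT")
    if r.target == "DNAT":
        p = apply_dnat(r, p)
    # Routing decision happens after PREROUTING: local destination -> INPUT, else FORWARD.
    if p.dst in LOCAL_ADDRS:
        return "INPUT", run_chain(input_rules, p, "DROP").target, p
    return "FORWARD", run_chain(forward_rules, p, "DROP").target, p


EXT_IP = "192.168.62.50"
DMZ = Rule("DNAT", dst=EXT_IP, to="192.168.0.50")                          # catch-all DMZ rule
WEB = Rule("DNAT", proto="tcp", dst=EXT_IP, dport=80, to="192.168.0.1:81")  # tcp/80 -> router:81

AS_POSTED = [DMZ, WEB]  # "-A PREROUTING": appended behind the DMZ rule, shadowed by it
FIXED = [WEB, DMZ]      # "-I PREROUTING 1": inserted ahead of the DMZ rule

INPUT_RULES = [Rule("ACCEPT", proto="tcp", dport=81)]    # the OP's INPUT accept on 81
FORWARD_RULES = [Rule("ACCEPT", proto="tcp", dport=81)]  # assumed: same accept in FORWARD


def web_request() -> Packet:
    # Constructed sample: an outside client connecting to the external IP on port 80.
    return Packet("tcp", "203.0.113.7", EXT_IP, 80)


def outcome(prerouting):
    chain, verdict, p = deliver(prerouting, web_request(), INPUT_RULES, FORWARD_RULES)
    return chain, verdict, f"{p.dst}:{p.dport}"


if __name__ == "__main__":
    # As posted, the DMZ rule wins: the packet is sent to 192.168.0.50:80 via FORWARD
    # and nothing there accepts port 80, so it is dropped.
    print("as posted:", outcome(AS_POSTED))
    # With the tcp/80 rule inserted first it reaches the router on 81 via INPUT.
    print("fixed    :", outcome(FIXED))
```

The same model also shows where the rule goes if the web server were another LAN host instead of the router: change `WEB.to` to something like `192.168.0.53:81` and the packet lands in FORWARD, so the port-81 ACCEPT has to be in FORWARD rather than INPUT, which is the distinction the earlier answer half-remembered.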