LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   iptables basic question (https://www.linuxquestions.org/questions/linux-networking-3/iptables-basic-question-372247/)

Fordor 10-12-2005 08:44 AM

iptables basic question
 
I have set up a web server on port 81 on my network and would like it to be accessible from the internet, and I use iptables. But I have a problem setting up the firewall. Here is what I type in the console:

iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination $4:81

iptables -A INPUT -j DROP

But the server still isn't accessible.

Does anyone know how to properly configure iptables?

fataldata 10-12-2005 09:20 AM

It's been a while since I have messed with iptables. If you have not been using this linux PC as a firewall/NAT before, one note would be to ensure that you have IP forwarding enabled.

echo 1 > /proc/sys/net/ipv4/ip_forward

Fordor 10-12-2005 09:33 AM

Forwarding is enabled, in fact 3 ports are forwarded already.


I am thinking maybe it's because I have a DMZ set up for one PC and add the forwarding for port 80 after the DMZ is set. I think iptables finds the DMZ mode and ignores all other entries. Could it be that?

[root@asus root]$ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 48 packets, 3516 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.62.50        tcp dpt:4666 to:192.168.0.53:4666
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            192.168.62.50        udp dpt:4672 to:192.168.0.53:4672
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.62.50        tcp dpt:4999 to:192.168.0.53:4999
    3   169 DNAT       all  --  *      *       0.0.0.0/0            192.168.62.50        to:192.168.0.50
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.62.50        tcp dpt:80 to:192.168.0.1:81

Chain POSTROUTING (policy ACCEPT 25 packets, 1957 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1121 MASQUERADE all  --  *      vlan1  !192.168.62.50        0.0.0.0/0
    2   353 MASQUERADE all  --  *      br0     192.168.0.0/24       192.168.0.0/24

Chain OUTPUT (policy ACCEPT 24 packets, 2141 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@asus root]$

tvynr 10-12-2005 04:06 PM

I know it's sloppy but, as a general rule, I add most rules I create to INPUT, OUTPUT, and FORWARD via another chain I create:

$ipt -N chain
$ipt -A INPUT -j chain
$ipt -A OUTPUT -j chain
$ipt -A FORWARD -j chain

Then I'm quite picky about the rules I add to it.

$ipt -A chain -i $ext_ifc -p tcp --dport 80 -j ACCEPT
$ipt -t nat -A PREROUTING -d $ext_ip -p tcp --dport 80 -j DNAT --to-destination $ip_webserver:81

Something like that. ("$ext_ifc" is the external interface; "$ext_ip" is the external IP address.) It's ugly, but I've never had any trouble with it.

I seem to remember reading once that, if anything is getting forwarded along, the rule needs to be passed to FORWARD instead of INPUT. But I'm not sure.

fataldata 10-12-2005 04:23 PM

Quote:

I seem to remember reading once that, if anything is getting forwarded along, the rule needs to be passed to FORWARD instead of INPUT. But I'm not sure.
Man, I totally missed that. I think tvynr is correct. The input table applies to packets destined for the kernel. The forward table is for packets to be passed through.
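
A complete version of the rule set this thread converges on (IP forwarding enabled, the DNAT in nat/PREROUTING, and the ACCEPT placed in FORWARD rather than INPUT, as in fataldata's and tvynr's replies), written up as an added example; it is not code from any poster in this thread. The interface names vlan1 and br0 and the addresses 192.168.62.50 (external) and 192.168.0.1:81 (web server) are taken from the listing posted above; the function names, the DRY_RUN switch, the conntrack state rules and the FORWARD DROP policy are assumptions of this example.

```sh
#!/bin/sh
# Added example: publish an internal web server (TCP/81) on the firewall's
# public TCP/80. Interface names and addresses are assumptions taken from the
# listing in this thread; adjust them for a real box.
EXT_IF="${EXT_IF:-vlan1}"           # external interface (assumed)
INT_IF="${INT_IF:-br0}"             # internal interface (assumed)
EXT_IP="${EXT_IP:-192.168.62.50}"   # firewall's external address (assumed)
WEB_IP="${WEB_IP:-192.168.0.1}"     # internal web server (assumed)
WEB_PORT=81                         # port the server really listens on
PUB_PORT=80                         # port the internet sees

# With DRY_RUN=1 the rules are printed instead of applied (applying needs root).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

port_forward_rules() {
    # 1. A DNATed packet is routed to another host, so routing must be enabled;
    #    without this the PREROUTING rule rewrites the packet and it goes nowhere.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
    fi

    # 2. Rewrite the destination before the routing decision: public :80 -> web :81.
    #    Restricting to the external interface and address keeps LAN traffic to
    #    the firewall itself from being redirected.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$WEB_IP:$WEB_PORT"

    # 3. The translated packet passes THROUGH the firewall, so it is filtered in
    #    FORWARD, never INPUT (INPUT only sees packets addressed to the firewall).
    #    The filter rule must match the post-DNAT destination (WEB_IP:81), not
    #    the public port 80. Only new inbound connections need a rule of their
    #    own; replies are accepted via the conntrack entry.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WEB_IP" -p tcp --dport "$WEB_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -P FORWARD DROP

    # 4. Source-NAT outbound LAN traffic behind the external address.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

case "${1:-}" in
    apply)   port_forward_rules ;;
    dry-run) DRY_RUN=1; port_forward_rules ;;
esac
```

Run it as `sh forward.sh dry-run` to review the generated commands, then as root with `apply`. Note that no INPUT rule for port 80 or 81 appears at all: the forwarded flow never reaches INPUT, which is why the original script's INPUT ACCEPTs had no effect on it.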

Fordor 10-12-2005 05:30 PM

Yes, thanks, that worked out well.

And by the way, INPUT is for a certain PC to accept the packet, so in this case if a server is on port 81 I need to accept TCP on port 81, and in PREROUTING I need to forward 80 external to 81 internal.


Thanks


All times are GMT -5.