LinuxQuestions.org


niranjan_mr 04-19-2005 09:42 AM

Iptables+prerouting
 
Dear all

I have a Linux box which has 2 ethernet cards:
eth0 has the public IP (a.b.c.d)
eth1 has the private IP (192.168.0.1)
My local network is in the 192.168.0. series.

Using this Linux box I am doing masquerading so that the local network is able to access the internet.

Now I have local Tomcat servers. I want my local network and the outside network, when they type the public IP of my Linux box, to be able to access the Tomcat server. At present, to enable that, I am using PREROUTING and DNAT. The local network is able to access the Tomcat server using the public IP address assigned to the Linux box,

but the outside network is unable to access the Tomcat server.

My iptables script is as follows:
# Allow new connections from the LAN (eth1) to any destination.
# (A bare "-d 0.0.0.0" matches only the single host 0.0.0.0; the mask 0.0.0.0/0 is needed to match any destination.)
/sbin/iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -d 0.0.0.0/0 -j ACCEPT
# Port-forward HTTP arriving on the public address to the Tomcat host.
/sbin/iptables -t nat -A PREROUTING -p tcp -d a.b.c.d --dport 80 -j DNAT --to 192.168.0.6:80
#/sbin/iptables -t nat -A PREROUTING -p tcp -d a.b.c.d --dport 8080 -j DNAT --to 192.168.0.6:8080

#Following lines for redirecting http traffic to squid proxy server
/sbin/iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport www -j REDIRECT --to-ports 3128

# Masquerade LAN traffic leaving the box.
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE

Please guide me, as I want both my local network and the outside network to be able to access the Tomcat server, which is on a private IP in the local network.


Regards
Niranjan

fr_laz 04-19-2005 12:23 PM

Hi

If your script only contains these few lines, then it should work, but with no security at all:

You never deny any traffic, and since the default iptables behaviour is to accept everything, you're open.

If you forgot some lines, such as:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
(which means: by default you drop everything), then you should have these 2 problems:

1/ Internet users cannot connect to your servers, since even though it seems to me that you've correctly configured port address translation, you haven't authorised the traffic:
iptables -A FORWARD -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT

2/ LAN users cannot access the internet since they may go out towards the Internet, but the responses aren't allowed to come in:
iptables -A FORWARD -d 192.168.0.0/24 -m state --state ESTABLISHED -j ACCEPT
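
The setup discussed in this thread written out as one complete script, as an added example that is not code from either poster: default-DROP policies, the DNAT port forward, the FORWARD rules the reply says are missing, and the hairpin case for LAN clients that use the public address. Interface names, the placeholder public address a.b.c.d and the Tomcat host 192.168.0.6 are assumptions taken from the question; with IPT left at its default the script only prints the rules for review instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root with IPT=/sbin/iptables to
# load the rules; the default "echo iptables" prints them without touching anything.
IPT="${IPT:-echo iptables}"
WAN_IF=eth0
LAN_IF=eth1
PUBLIC_IP="${PUBLIC_IP:-a.b.c.d}"   # placeholder public address from the question
LAN_NET=192.168.0.0/24
TOMCAT=192.168.0.6                  # Tomcat host from the question

build_rules() {
    $IPT -F
    $IPT -t nat -F
    # Drop by default; every rule below is an explicit exception.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # The box itself: loopback and replies to its own connections.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Replies for forwarded connections, both directions (problem 2 in the reply).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients may open new connections towards the Internet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Port forward: rewrite a.b.c.d:80 to the Tomcat host before routing.
    $IPT -t nat -A PREROUTING -p tcp -d "$PUBLIC_IP" --dport 80 \
        -j DNAT --to-destination "$TOMCAT:80"
    # DNAT alone is not enough under a DROP policy: the translated packet
    # still has to be accepted in FORWARD (problem 1 in the reply).
    $IPT -A FORWARD -o "$LAN_IF" -d "$TOMCAT" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    # Hairpin: LAN clients using the public IP must get Tomcat's replies back
    # through this box, so their source address is masqueraded as well.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$TOMCAT" -p tcp --dport 80 \
        -j MASQUERADE
    # Everything else leaving towards the Internet is masqueraded.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Sanity check before loading: exactly one FORWARD rule admits new
# connections to the Tomcat host on port 80.
count_tomcat_forward() {
    build_rules | grep -c -- "-A FORWARD .*-d $TOMCAT .*--dport 80"
}

build_rules
```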

