LinuxQuestions.org
04-19-2005, 09:42 AM   #1
niranjan_mr
Member
 
Registered: Dec 2004
Posts: 37

Rep: Reputation: 15
Iptables+prerouting


Dear all

I have a Linux box which has 2 Ethernet cards:
eth0 has the public IP (a.b.c.d)
eth1 has the private IP (192.168.0.1)
My local network is in the 192.168.0. series.

Using this Linux box I am doing masquerading so that the local network is able to access the Internet.

Now I have local Tomcat servers. I want my local network and the outside network, when they type the public IP of my Linux box, to be able to access the Tomcat server; at present, to enable that, I am using PREROUTING and DNAT. The local network is able to access the Tomcat server using the public IP address assigned to the Linux box,

but the outside network is unable to access the Tomcat server.

My iptables script is as follows:
# LAN -> anywhere (was "-d 0.0.0.0", which matches only that single address; /0 means any destination)
/sbin/iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -d 0.0.0.0/0 -j ACCEPT
# Port forward: public IP:80 -> Tomcat on 192.168.0.6:80
/sbin/iptables -t nat -A PREROUTING -p tcp -d a.b.c.d --dport 80 -j DNAT --to 192.168.0.6:80
#/sbin/iptables -t nat -A PREROUTING -p tcp -d a.b.c.d --dport 8080 -j DNAT --to 192.168.0.6:8080

#Following lines for redirecting http traffic to squid proxy server
/sbin/iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport www -j REDIRECT --to-ports 3128

# Masquerade everything from the LAN (no -o, so LAN-to-LAN forwarded traffic is masqueraded too)
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE

please guide me as i want both my local network and outside network be able to access the tomcat server which is in private ip in local network


Regards
Niranjan
 
04-19-2005, 12:23 PM   #2
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
Hi

If your script only contains these few lines, then it should work, but with no security at all:

you never deny any traffic, and since the default iptables behaviour is to accept everything, you're open.

If you forgot some lines, such as:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
(which means: by default you drop everything) then you should have these 2 problems:

1/ Internet users cannot connect to your servers, since even though it seems to me that you've correctly configured port address translation, you haven't authorised the traffic:
iptables -A FORWARD -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT

2/ LAN users cannot access the Internet since they may go out towards the Internet, but the responses aren't allowed to come in:
iptables -A FORWARD -d 192.168.0.0/24 -m state --state ESTABLISHED -j ACCEPT
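Putting the two posts together, the ruleset the thread is working towards has four parts: the DNAT in nat/PREROUTING, a filter/FORWARD rule that matches the address the packet has after DNAT (192.168.0.6, not a.b.c.d), a return-path rule, and masquerading. The script below is an added example written for this thread; it is neither niranjan_mr's script nor fr_laz's reply. It uses deny-by-default policies as fr_laz suggests and makes explicit two things neither post spells out: the REDIRECT to squid is limited to the LAN interface so nothing from the Internet can be steered into the proxy, and LAN clients that connect to the public IP get a hairpin SNAT so Tomcat's replies come back through the router instead of straight to the client. Assumptions: 203.0.113.10 (an RFC 5737 documentation address) stands in for a.b.c.d, Tomcat listens on 192.168.0.6:80, and squid runs on the router on port 3128. By default the script only prints the commands; set IPT=/sbin/iptables and SYSCTL=/sbin/sysctl and run it as root to apply them.

```shell
#!/bin/sh
# Added example for this thread, not the original poster's script.
# Dry run by default: IPT and SYSCTL print the commands instead of running them.
# Apply for real as root with:  IPT=/sbin/iptables SYSCTL=/sbin/sysctl sh fw.sh
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

WAN_IF=eth0                              # public side, a.b.c.d
LAN_IF=eth1                              # private side, 192.168.0.1
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # assumed stand-in for a.b.c.d
LAN_NET=192.168.0.0/24
LAN_IP=192.168.0.1
TOMCAT=192.168.0.6                       # assumed: Tomcat answers on port 80 here
SQUID_PORT=3128                          # assumed: squid runs on the router itself

firewall_up() {
    $SYSCTL -w net.ipv4.ip_forward=1

    # Start clean and deny by default (the point of fr_laz's reply).
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # The router itself: loopback, replies to its own connections (squid's
    # upstream fetches), and LAN clients reaching squid after the REDIRECT.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT

    # nat/PREROUTING, order matters:
    # 1. port forward: anything addressed to the public IP on 80 goes to Tomcat.
    #    DNAT is terminating, so the REDIRECT below never sees these packets;
    $IPT -t nat -A PREROUTING -p tcp -d $PUBLIC_IP --dport 80 -j DNAT --to-destination $TOMCAT:80
    # 2. transparent proxy for the LAN's remaining web traffic, matched on the LAN
    #    interface so packets arriving from the Internet can never be redirected into squid.
    $IPT -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT

    # filter/FORWARD sees the packet *after* DNAT, so match the private address,
    # not the public one (this is the rule the original script was missing).
    $IPT -A FORWARD -p tcp -d $TOMCAT --dport 80 -j ACCEPT
    # LAN out to the Internet, and return traffic for anything already accepted.
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # nat/POSTROUTING:
    # masquerade only on the WAN side, so Tomcat still logs the real client
    # address for connections arriving from the Internet;
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
    # hairpin: a LAN client that connects to the public IP is DNATed to Tomcat on
    # the same segment. Without this SNAT, Tomcat would answer the client directly,
    # the client would see a reply from 192.168.0.6 for a connection it opened to
    # the public IP, and reset it. Rewriting the source to the router keeps the
    # replies on the path where conntrack can undo the DNAT.
    $IPT -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $TOMCAT -p tcp --dport 80 -j SNAT --to-source $LAN_IP
}

firewall_up
```

The original POSTROUTING rule had no -o, which masquerades LAN-to-LAN forwarded traffic as well and is why the hairpin case already worked in the original setup; restricting MASQUERADE to the WAN interface and adding the narrow SNAT does the same job explicitly, and nothing else gets rewritten. With the policies set to DROP, check the forward path with `iptables -L FORWARD -v -n` while connecting from outside: the packet counter on the 192.168.0.6 rule should move, and if it does not, the DNAT rule (`iptables -t nat -L PREROUTING -v -n`) is the place to look next.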
 
  

