Review your favorite Linux distribution.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 09-06-2007, 08:18 PM   #1
LQ Newbie
Registered: Aug 2007
Posts: 5

Rep: Reputation: 0
LAN cannot access other LAN systems, only WAN

Hi folks,

I've exhausted the extent of my IPTables/NetFilter knowledge, and am now turning to your expertise. I've pasted my IPTables configuration below so that you can hopefully see where my error is.

Here is my problem: I have a linux box acting as a router and firewall. It assigns IPs to local systems via its DHCP server. My problem is that none of the local systems can access the local web server. If they enter the IP address of the web server (, it works fine, but using the domain name does not work. The local systems are able to reach all WAN networks, and all WAN networks are able to access the local web server (since I have NAT forwarding setup in IPTables). So, any idea how I can get the local systems to be able to use the domain name of my web server to access it instead of having to use the IP address (which doesn't work for some http forwarding directives I have setup)?


# NOTE -- This used to be /sbin/ifup-pre-local script. I changed it to a manual script instead since tc_shaper
# wasn't working in the previous script on autoload

# other definitions

# chain policies
# drop everything and open stuff as necessary
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -Z

# create DUMP table
/sbin/iptables -N DUMP
/sbin/iptables -F DUMP

# limited logs
/sbin/iptables -A DUMP -p icmp -m limit --limit 1/m --limit-burst 5 -j LOG --log-level 6 --log-prefix "IPT ICMPDUMP: "
/sbin/iptables -A DUMP -p tcp -m limit --limit 1/m --limit-burst 5 -j LOG --log-level 6 --log-prefix "IPT TCPDUMP: "
/sbin/iptables -A DUMP -p udp -m limit --limit 6/h --limit-burst 5 -j LOG --log-level 6 --log-prefix "IPT UDPDUMP: "

/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A DUMP -j DROP

# Stateful table
/sbin/iptables -N STATEFUL
/sbin/iptables -F STATEFUL
/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A STATEFUL -m state --state NEW -i ! ${IFext} -j ACCEPT
/sbin/iptables -A STATEFUL -j DUMP

# SSH protection table
/sbin/iptables -N SSH
/sbin/iptables -F SSH
/sbin/iptables -A SSH -i ! ${IFext} -j RETURN
/sbin/iptables -A SSH -m recent --name SSH --set --rsource
/sbin/iptables -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
/sbin/iptables -A SSH -j DUMP

# SYN protection table
/sbin/iptables -N SYN-FLOOD
/sbin/iptables -F SYN-FLOOD
/sbin/iptables -A SYN-FLOOD -m limit --limit 1/s --limit-burst 8 -j RETURN
/sbin/iptables -A SYN-FLOOD -j DROP

/sbin/iptables -A INPUT -p tcp -i ${IFext} --syn -j SYN-FLOOD
/sbin/iptables -A INPUT -p tcp -i ${IFext} ! --syn -m state --state NEW -j DROP

# watch out for fragments
/sbin/iptables -A INPUT -i ${IFext} -f -j LOG --log-prefix "IPT FRAGMENTS: "
/sbin/iptables -A INPUT -i ${IFext} -f -j DROP

# allow loopback in
/sbin/iptables -A INPUT -i lo -j ACCEPT
# allow loopback and LAN out
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A OUTPUT -p ALL -s ${lannet} -j ACCEPT

# drop reserved addresses incoming as per IANA listing
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s -j DUMP

# allow certain inbound ICMP types (on *any* interface)
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

# opened ports
/sbin/iptables -A INPUT -p tcp -i ${IFext} --dport 1982 -m state --state NEW -j SSH
/sbin/iptables -A INPUT -p tcp -i ${IFext} --dport 1982 -j ACCEPT

# masquerade from internal network
# /sbin/iptables -t nat -A POSTROUTING -s ${lannet} -o ${IFext} -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s ${lannet} -o ${IFext} -j SNAT --to-source ${IPext}


# override stateful table
/sbin/iptables -A FORWARD -i ${IFext} -o ${IFint} -j ACCEPT

# server1 ports
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 46959:46965 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 46959:46965 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 80 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 80 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 443 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 443 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 25 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 25 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 143 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 143 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 1980 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 1980 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 993 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 993 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 1981 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 1981 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 3784 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 3784 -j ACCEPT

# myrion ports
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 46979 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 46979 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 113 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 113 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 6669 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 6669 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 4900:5000 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 4900:5000 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 6060:7000 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 6060:7000 -j ACCEPT

# push everything else to state table
/sbin/iptables -A INPUT -j STATEFUL
/sbin/iptables -A FORWARD -j STATEFUL
/sbin/iptables -A OUTPUT -j STATEFUL
Thanks a bunch!!

Old 09-06-2007, 08:29 PM   #2
LQ Guru
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 62
Not sure if it might help but depends based on DNS but I think you need some dnat lines. This mostly for lan machine not seeing a server IP address with the external IP address. Check this link for a start.



Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
2 wan and 1 lan xplozia Linux - Networking 3 02-06-2007 08:48 PM
Lan with three WAN... tusher Linux - Networking 3 06-28-2006 03:01 PM
LAN but no WAN BCarey Linux - Networking 4 05-07-2006 01:24 PM
redhat 7.3 can only access LAN, not WAN ForumKid Linux - Networking 1 08-01-2004 09:14 AM
Routing LAN -> WAN -> LAN with unhelpful router synx13 Linux - Networking 2 06-14-2004 03:35 PM

All times are GMT -5. The time now is 02:14 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration