Old 09-06-2007, 08:18 PM   #1
Myrion
LQ Newbie
 
Registered: Aug 2007
Posts: 5
LAN cannot access other LAN systems, only WAN


Hi folks,

I've exhausted the extent of my IPTables/NetFilter knowledge, and am now turning to your expertise. I've pasted my IPTables configuration below so that you can hopefully see where my error is.

Here is my problem: I have a Linux box acting as a router and firewall. It assigns IPs to local systems via its DHCP server. My problem is that none of the local systems can access the local web server. If they enter the IP address of the web server (192.168.1.111), it works fine, but using the domain name does not work. The local systems are able to reach all WAN networks, and all WAN networks are able to access the local web server (since I have NAT forwarding set up in IPTables). So, any idea how I can get the local systems to be able to use the domain name of my web server to access it instead of having to use the IP address (which doesn't work for some HTTP forwarding directives I have set up)?

---IPTABLES OUTPUT---
Code:
#!/bin/sh

# NOTE -- This used to be /sbin/ifup-pre-local script. I changed it to a manual script instead since tc_shaper
# wasn't working in the previous script on autoload

# other definitions
IFext="eth0"
IFint="eth1"
IPext="71.xxx.xxx.xxx"
IPint="192.168.0.1"
lannet="192.168.0.0/23"

# chain policies
# drop everything and open stuff as necessary
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -Z

# create DUMP table
/sbin/iptables -N DUMP
/sbin/iptables -F DUMP

# limited logs
/sbin/iptables -A DUMP -p icmp -m limit --limit 1/m --limit-burst 5 -j LOG --log-level 6 --log-prefix "IPT ICMPDUMP: "
/sbin/iptables -A DUMP -p tcp -m limit --limit 1/m --limit-burst 5 -j LOG --log-level 6 --log-prefix "IPT TCPDUMP: "
/sbin/iptables -A DUMP -p udp -m limit --limit 6/h --limit-burst 5 -j LOG --log-level 6 --log-prefix "IPT UDPDUMP: "

/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A DUMP -j DROP

# Stateful table
/sbin/iptables -N STATEFUL
/sbin/iptables -F STATEFUL
/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A STATEFUL -m state --state NEW -i ! ${IFext} -j ACCEPT
/sbin/iptables -A STATEFUL -j DUMP

# SSH protection table
/sbin/iptables -N SSH
/sbin/iptables -F SSH
/sbin/iptables -A SSH -i ! ${IFext} -j RETURN
/sbin/iptables -A SSH -m recent --name SSH --set --rsource
/sbin/iptables -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
/sbin/iptables -A SSH -j DUMP

# SYN protection table
/sbin/iptables -N SYN-FLOOD
/sbin/iptables -F SYN-FLOOD
/sbin/iptables -A SYN-FLOOD -m limit --limit 1/s --limit-burst 8 -j RETURN
/sbin/iptables -A SYN-FLOOD -j DROP

/sbin/iptables -A INPUT -p tcp -i ${IFext} --syn -j SYN-FLOOD
/sbin/iptables -A INPUT -p tcp -i ${IFext} ! --syn -m state --state NEW -j DROP

# watch out for fragments
/sbin/iptables -A INPUT -i ${IFext} -f -j LOG --log-prefix "IPT FRAGMENTS: "
/sbin/iptables -A INPUT -i ${IFext} -f -j DROP

# allow loopback in
/sbin/iptables -A INPUT -i lo -j ACCEPT
# allow loopback and LAN out
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A OUTPUT -p ALL -s ${lannet} -j ACCEPT

# drop reserved addresses incoming as per IANA listing
/sbin/iptables -A INPUT -i ${IFext} -s 0.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 1.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 2.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 5.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 7.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 10.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 23.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 27.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 31.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 36.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 39.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 41.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 42.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 58.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 59.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 60.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 127.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 169.254.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 172.16.0.0/12 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 192.168.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 197.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 224.0.0.0/3 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 240.0.0.0/8 -j DUMP

# allow certain inbound ICMP types (on *any* interface)
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

# opened ports
/sbin/iptables -A INPUT -p tcp -i ${IFext} --dport 1982 -m state --state NEW -j SSH
/sbin/iptables -A INPUT -p tcp -i ${IFext} --dport 1982 -j ACCEPT

# masquerade from internal network
# /sbin/iptables -t nat -A POSTROUTING -s ${lannet} -o ${IFext} -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s ${lannet} -o ${IFext} -j SNAT --to-source ${IPext}

myrion="192.168.0.100"
server1="192.168.1.111"

# override stateful table
/sbin/iptables -A FORWARD -i ${IFext} -o ${IFint} -j ACCEPT

# server1 ports
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 46959:46965 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 46959:46965 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 80 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 80 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 443 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 443 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 25 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 25 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 143 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 143 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 1980 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 1980 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 993 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 993 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 1981 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 1981 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 3784 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 3784 -j ACCEPT

# myrion ports
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 46979 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 46979 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 113 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 113 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 6669 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 6669 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 4900:5000 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 4900:5000 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 6060:7000 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 6060:7000 -j ACCEPT

# push everything else to state table
/sbin/iptables -A INPUT -j STATEFUL
/sbin/iptables -A FORWARD -j STATEFUL
/sbin/iptables -A OUTPUT -j STATEFUL
Thanks a bunch!!

--myrion
 
Old 09-06-2007, 08:29 PM   #2
Brian1
Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700
Not sure if it might help, and it depends on your DNS, but I think you need some DNAT lines. This is mostly for LAN machines not seeing a server IP address when using the external IP address. Check this link for a start: http://www.linuxquestions.org/questi...highlight=dnat

Brian
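The "DNAT lines" Brian1 is pointing at are hairpin (NAT loopback) rules. The posted PREROUTING rules all carry "-i ${IFext}", so when a LAN host resolves the public name to the external IP and sends to IPext:80, the packet arrives on eth1, is never DNATed, and is handled by the router itself. This added example (not the poster's script, not from the linked thread) emits the two nat rules needed per forwarded port; it reuses the posted variable names, uses a documentation placeholder for IPext, and prints the rules instead of applying them unless IPT is set to the real binary.

```shell
#!/bin/sh
# Added example: hairpin / NAT-loopback rules so LAN hosts reach server1 via
# the public name. Variable names follow the posted script; IPext is a placeholder.
IFint="eth1"
IPext="203.0.113.10"          # placeholder, not the poster's real public address
IPint="192.168.0.1"
lannet="192.168.0.0/23"
server1="192.168.1.111"
# Dry run by default: rules are printed, not applied. IPT=/sbin/iptables applies them.
IPT="${IPT:-echo /sbin/iptables}"

# Two rules per forwarded TCP port:
#  1. PREROUTING on the LAN side: rewrite dst IPext:port -> server1:port, the same
#     translation the WAN-side rule already performs for packets entering on eth0.
#  2. POSTROUTING: rewrite src to the router's LAN address so the server's reply
#     returns through the router (which holds the conntrack entry) instead of going
#     straight to the client, where it would not match the client's socket and be reset.
hairpin_port() {
    port="$1"
    $IPT -t nat -A PREROUTING -i "$IFint" -s "$lannet" -d "$IPext" -p tcp --dport "$port" \
        -j DNAT --to-destination "$server1"
    $IPT -t nat -A POSTROUTING -s "$lannet" -d "$server1" -p tcp --dport "$port" \
        -j SNAT --to-source "$IPint"
}

# The ports the posted script forwards to server1. The FORWARD chain needs no
# change: its STATEFUL chain already accepts NEW connections not entering on eth0.
hairpin_server1() {
    for p in 46959:46965 80 443 25 143 1980 993 1981 3784; do
        hairpin_port "$p"
    done
}

hairpin_server1
```

The SNAT step means the web server's logs show every LAN client as 192.168.0.1; if that matters, the alternative is split-horizon DNS, where the router's resolver answers the public name with 192.168.1.111 for LAN clients and no hairpin rules are needed.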