LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 04-07-2010, 11:33 AM   #1
longvnit
Problem with Iptables


Hi,
I just installed a firewall using Iptables.
The firewall has 2 NICs:
NIC1 <IP PUBLIC>
NIC2 192.168.10.1

I installed a web server, IP: 192.168.10.2
I have some PCs in the IP range 192.168.10.10->20

I set NAT rules on the firewall and the PCs & web server can connect to the internet fine, but I have a problem:
When a PC accesses the web server with IP 192.168.10.2 that is OK, but the PC can't access the web server when using the IP PUBLIC.
But from outside on the internet, I can access the web server using the IP PUBLIC.

Rules on IPTables
Code:
# Generated by iptables-save v1.3.5 on Sun Mar  7 21:01:16 2010
*nat
:PREROUTING ACCEPT [950:126970]
:POSTROUTING ACCEPT [89:5880]
:OUTPUT ACCEPT [19:1342]
-A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 209.99.242.124
# COMMIT closing the nat table was missing from the post; iptables-restore needs one per table
COMMIT
*filter
:INPUT DROP [1599:157409]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [232:34452]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
Please help me!
 
Old 04-07-2010, 04:19 PM   #2
nimnull22
Look, what does the next rule mean:
Code:
-A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
1. You show your IP to everyone; I suggest you edit your post and remove it.
2. That means everything that comes to <Public IP> on interface ETH0 to port 80 should be resent to <inside IP>:80

What do you need? You need the same rule but for interface ETH1. So if a request comes to ETH1 with <Public IP> and port 80, resend it to <inside IP>:80
Code:
-A PREROUTING -d 209.99.242.124 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
Try, I think it should work.
 
Old 04-10-2010, 08:23 PM   #3
TimothyEBaldwin
Code:
-A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
Remove "-i eth0" so the rule applies to packets from everywhere; a SNAT rule is also needed so that replies come through this router so the DNAT can be undone.
Code:
# -i is not accepted in POSTROUTING (only -o is); match the outgoing interface and limit the SNAT to LAN clients
-A POSTROUTING -s 192.168.10.0/24 -d 192.168.10.2 -o eth1 -p tcp --dport 80 -j SNAT --to-source 192.168.10.1
Code:
-A FORWARD -i eth1 -o eth0 -j ACCEPT
Too restrictive; remove "-o eth0" so routing from eth1 to eth1 is allowed.
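Putting the two replies together, here is an added example (not code from the thread or from either poster) that prints one complete hairpin-NAT ruleset in iptables-save format and lints a ruleset for the three mistakes discussed above. The public IP 203.0.113.10 is a constructed TEST-NET-3 placeholder; the interfaces and LAN addresses are the thread's.

```shell
# Added example, not code from the thread: assembles the fixes from posts #2 and #3 into
# one ruleset, then lints an iptables-save ruleset for the hairpin pitfalls they describe.
# Constructed: 203.0.113.10 (TEST-NET-3) stands in for the public IP; the rest is the thread's.
PUB=203.0.113.10; WAN=eth0; LAN=eth1; LANNET=192.168.10.0/24
WEB=192.168.10.2; GW=192.168.10.1

# Print the corrected nat + filter tables in iptables-save format.
hairpin_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# no -i: LAN clients that hit the public IP arrive on $LAN and must be DNATed too
-A PREROUTING -d $PUB -p tcp -m tcp --dport 80 -j DNAT --to-destination $WEB:80
# hairpin SNAT: LAN clients appear as the gateway, so the server's replies come back through it
-A POSTROUTING -s $LANNET -d $WEB -o $LAN -p tcp -m tcp --dport 80 -j SNAT --to-source $GW
-A POSTROUTING -s $LANNET -o $WAN -j SNAT --to-source $PUB
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
# no -o: permits $LAN -> $LAN (the hairpinned flow) as well as $LAN -> $WAN
-A FORWARD -i $LAN -j ACCEPT
-A FORWARD -i $WAN -o $LAN -d $WEB -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $LAN -j ACCEPT
COMMIT
EOF
}

# Lint an iptables-save ruleset (stdin): status 0 when it passes, 1 plus a reason on stdout otherwise.
check_hairpin() {
  rules=$(cat)
  # 1. a DNAT pinned to the WAN interface never sees LAN clients
  printf '%s\n' "$rules" | grep -q -- "^-A PREROUTING .*-i $WAN .*-j DNAT" \
    && { echo "DNAT restricted to $WAN"; return 1; }
  # 2. -i is invalid in POSTROUTING; iptables rejects such a rule
  printf '%s\n' "$rules" | grep -q -- "^-A POSTROUTING .*-i " \
    && { echo "-i used in POSTROUTING"; return 1; }
  # 3. without a SNAT out the LAN interface the server answers the client directly
  printf '%s\n' "$rules" | grep -q -- "^-A POSTROUTING .*-o $LAN .*-j SNAT" \
    || { echo "no hairpin SNAT"; return 1; }
}
```

On the firewall itself, `hairpin_rules | iptables-restore --test` parses the output without applying it; check_hairpin is only a text lint and does not replace that syntax check.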