LinuxQuestions.org
Old 01-04-2007, 03:56 PM   #1
siadam
LQ Newbie
 
Registered: Jan 2007
Location: WV
Distribution: Slackware/Centos4
Posts: 29

Rep: Reputation: 15
Unhappy Slackware 8.1 & Iptables Help


I have done some lurking here and there along with a lot of reading, to no avail thus far.

Currently running a Slack 8.1 box as a firewall/email. It was in place before I arrived and has done a great job. It has webmin installed and is where I have done most/all configs up to this point. There is not a place to configure iptables so I fired up ssh and went to work.

What I would like to happen: to access an internal device from outside the LAN.

The problem I have is that no matter what I do, I cannot get to it. Connection Refused!!

I am using ssh/telnet while @ work and am fine. It is a NAT configuration w/1 public ip mapped to many private ip's inside.

While on the LAN, you can access the device via a web browser, 192.168.xxx.xxx w/o entering a port number. So I am going to assume it is port 80.

I did the following w/no luck.

iptables -A FORWARD -p tcp -d 192.168.xxx.xxx --destination-port 80 -j ACCEPT

No luck, then added;

iptables -A INPUT -p tcp -d 192.168.xxx.xxx --destination-port 80 -j ACCEPT

Still no luck. I have since flushed the tables and it's running just fine. As stated never any problems with it, just want to add some functionality.

I am @ a loss. I would greatly appreciate any help anyone can give me on the matter.

Thanks in advance.
 
Old 01-05-2007, 02:06 PM   #2
loewen
LQ Newbie
 
Registered: Sep 2004
Posts: 14

Rep: Reputation: 0
Slackware 8.1 & Iptables Help

I am assuming you wanted to run httpd from another box other than the one serving as your gateway. In this case, I would do it in the PREROUTING table, where:

iptables -t nat -A PREROUTING -p tcp -d <YOUR PUBLIC IP> --dport 80 -j DNAT --to-destination 192.168.x.x:80

Depending on the rules in your FORWARD table, you should be just fine.

If you wanted to allow the httpd on your gateway to serve pages to the internet, then just open up port 80 in the INPUT table and allow established/related in the OUTPUT table.
 
Old 01-08-2007, 02:18 PM   #3
siadam
LQ Newbie
 
Registered: Jan 2007
Location: WV
Distribution: Slackware/Centos4
Posts: 29

Original Poster
Rep: Reputation: 15
Quote:
iptables -t nat -A PREROUTING -p tcp -d <YOUR PUBLIC IP> --dport 80 -j DNAT --to-destination 192.168.x.x:80
I had flushed the existing rules...just to err on the side of caution. So nothing was interfering w/the new rule.

You are correct on assuming the http service is on a machine inside the lan. Not on the gateway/firewall itself.

Still nothing..I have tried sooo many things...I am just lost/confused.

Should be fairly simple..

 
Old 01-08-2007, 03:48 PM   #4
siadam
LQ Newbie
 
Registered: Jan 2007
Location: WV
Distribution: Slackware/Centos4
Posts: 29

Original Poster
Rep: Reputation: 15
Something else I don't understand.

I can list my tables via iptables -L and see Input/Forward/Output and the rules. None in Forward or Output.

For Input

Accept all any source and any destination state related/established.
Accept all any source and any destination state new.

I don't understand what PREROUTING/POSTROUTING and NAT refer to. I understand what NAT does, but what is it modifying?

I did the PREROUTING rule earlier in this thread and it does not show?

Could someone please shed some light on this?

Thanks in advance.
 
Old 01-09-2007, 10:11 AM   #5
siadam
LQ Newbie
 
Registered: Jan 2007
Location: WV
Distribution: Slackware/Centos4
Posts: 29

Original Poster
Rep: Reputation: 15
If someone could help me understand what these rules mean.

Quote:
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to $EXT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
$IPTABLES -P INPUT DROP
Flush Iptable chains w/ -F
Flush Nat tables w/ -F
?
?
?
?
?

Thanks. Looking for a better understanding of the organization.
 
Old 01-09-2007, 10:21 AM   #6
siadam
LQ Newbie
 
Registered: Jan 2007
Location: WV
Distribution: Slackware/Centos4
Posts: 29

Original Poster
Rep: Reputation: 15
I added this before the POSTROUTING rule.

Quote:
iptables -t nat -A PREROUTING -p tcp -d <YOUR PUBLIC IP> --dport 80 -j DNAT --to-destination 192.168.x.x:80
Still doesn't seem to work...

 
Old 01-10-2007, 01:35 PM   #7
siadam
LQ Newbie
 
Registered: Jan 2007
Location: WV
Distribution: Slackware/Centos4
Posts: 29

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by siadam
I added this before the POSTROUTING rule.



Still doesn't seem to work...


 
Old 01-10-2007, 02:02 PM   #8
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Siadam,
Have you heard the saying 'curiosity killed the cat'?

Anyways..

Let me clarify a few points which may help you understand the whole idea.
1. In iptables we have the INPUT and OUTPUT chains for LOCAL BOX related firewalling, & the PREROUTING, POSTROUTING and FORWARD chains for NATing related packets.
2. Whenever anything is being forwarded (NATed) to some other box (not your local box: a LAN-hosted one or any other), it has nothing to do with the INPUT & OUTPUT chains.
3. RULES LISTING: iptables -t nat -nvL // will list your NATing rules,
& iptables -nvL // will list your INPUT, OUTPUT & FORWARD rules.
4. There's a FORWARD chain in iptables which stands between PREROUTING & POSTROUTING & your LAN. So you should always make sure that there's nothing in the FORWARD chain that's blocking your NATed packets from traversing through.
5. Above all you should also make sure that your Linux box is actually acting as a ROUTER/IP_FORWARDER. Try cat /proc/sys/net/ipv4/ip_forward to see if it is 1 (which means it is working as a router). Otherwise we have to change it to 1.
6. NATed packets always find their way back on their own. So we are not supposed to specify a reverse DNATing (SNATing) while we NAT packets.
 
Old 01-10-2007, 02:25 PM   #9
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
If making your LAN-hosted webserver available to the internet is the only concern, then follow these steps:
1. Flush all the rules (the first command flushes rules from the INPUT, OUTPUT & FORWARD chains, the second flushes rules from table nat & the third flushes rules from table mangle):
iptables -F
iptables -t nat -F
iptables -t mangle -F
2. echo 1 > /proc/sys/net/ipv4/ip_forward
3. iptables -t nat -A PREROUTING -p tcp -d <YOUR PUBLIC IP> --dport 80 -j DNAT --to-destination 192.168.x.x:80
4. Make sure that the 192.168.x.x box has this FIREWALL box set as its gateway.

That's it. Try now.... Please be aware that you cannot check the implementation of these rules by browsing from this box only; either you have to use some public proxy server or ask some friend of yours to check it.

It will work, or repost with the output of
Code:
iptables -nvL & 
iptables -t nat -nvL & 
ip rou ls.
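The steps above, written out as a dry-run script. This is an added example, not code from the thread or from either poster: it emits the DNAT rule from step 3 together with the matching FORWARD-chain rules and the ip_forward check that post #8 points at. Interface names (eth0 public, eth1 LAN), the addresses (203.0.113.10 is a documentation IP, 192.168.1.20 the assumed LAN web server) and the IPTABLES variable are assumptions; by default every rule is only echoed, so the script can be read and run without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: generates the port-forwarding ruleset
# from post #9 together with the FORWARD-chain and ip_forward checks from
# post #8. Interface names, IPs and the IPTABLES variable are assumptions.
# Dry-run by default: every rule is echoed instead of applied. To apply for
# real, run as root with IPTABLES=iptables.
IPTABLES="${IPTABLES:-echo iptables}"

# portforward_rules PUBLIC_IP LAN_SERVER_IP WAN_IF LAN_IF [PORT]
# Emits the three rules that make a LAN web server reachable from outside.
portforward_rules() {
    pub="$1"; srv="$2"; wan="$3"; lan="$4"; port="${5:-80}"

    # 1. nat/PREROUTING: rewrite the destination before the routing decision,
    #    so the packet is routed towards the LAN server instead of to the
    #    firewall's own INPUT chain. Limiting it to the WAN interface keeps
    #    LAN clients from being redirected when they hit the public IP.
    $IPTABLES -t nat -A PREROUTING -i "$wan" -p tcp -d "$pub" --dport "$port" \
        -j DNAT --to-destination "$srv:$port"

    # 2. filter/FORWARD: the rewritten packet crosses FORWARD, never INPUT.
    #    Accept only this one flow towards the server ...
    $IPTABLES -A FORWARD -i "$wan" -o "$lan" -p tcp -d "$srv" --dport "$port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # ... and its replies. Connection tracking un-NATs the replies itself,
    #     so no reverse SNAT rule is needed for the return path.
    $IPTABLES -A FORWARD -i "$lan" -o "$wan" -p tcp -s "$srv" --sport "$port" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# check_ip_forward [FILE]: returns 0 when the kernel is routing between
# interfaces (the post #8 step 5 check). FILE defaults to the real sysctl
# node; the argument exists so the check can be exercised without root.
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Example run with constructed addresses (203.0.113.10 is a documentation IP).
portforward_rules 203.0.113.10 192.168.1.20 eth0 eth1
if check_ip_forward; then
    echo "ip_forward=1: box is routing"
else
    echo "ip_forward is not 1: echo 1 > /proc/sys/net/ipv4/ip_forward"
fi
```

Running it prints the three iptables commands it would execute; set IPTABLES=iptables as root to apply them. The FORWARD rules are the part the thread's first attempt was missing in spirit: the INPUT rule from post #1 never sees DNATed traffic, because after the rewrite the packet is forwarded rather than delivered locally.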
 
Old 01-10-2007, 03:23 PM   #10
siadam
LQ Newbie
 
Registered: Jan 2007
Location: WV
Distribution: Slackware/Centos4
Posts: 29

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by amitsharma_26
Siadam,
Have you heard the saying 'curiosity killed the cat'?
I am not quite sure what you mean by that? Maybe you can elaborate. If you think I am just "playing around" for the sake of screwing off you are incorrect. I actually have a project I am trying to complete and I am unfamiliar w/iptables. I know whatever changes I make are wiped clean if I am forced to restart the machine, so I feel I can take a few chances to see what happens.

I do greatly appreciate the help. I have learned so much from the past week after reading/reading/reading and more reading. Not sure if I feel more comfortable or not, as a lot of the information has become convoluted.

I will try what you suggested and be posting back soon.

Again thanks for the help, greatly appreciated.
 
Old 01-10-2007, 03:27 PM   #11
siadam
LQ Newbie
 
Registered: Jan 2007
Location: WV
Distribution: Slackware/Centos4
Posts: 29

Original Poster
Rep: Reputation: 15
Quote:
Try cat /proc/sys/net/ipv4/ip_forward to see if it is 1 (which means it is working as a router). Otherwise we have to change it to 1.

This box is a router, thus after issuing the command it returns a 1.

Basically it is as follows.

Net cloud --> eth0(public IP) /SlackBox/ --> eth1 (private IP) --> LAN --> device I need access to.

 
Old 01-11-2007, 09:45 AM   #12
siadam
LQ Newbie
 
Registered: Jan 2007
Location: WV
Distribution: Slackware/Centos4
Posts: 29

Original Poster
Rep: Reputation: 15
Bump, this forum moves fast.
 
Old 01-12-2007, 11:20 AM   #13
siadam
LQ Newbie
 
Registered: Jan 2007
Location: WV
Distribution: Slackware/Centos4
Posts: 29

Original Poster
Rep: Reputation: 15
Quote:
iptables -nvL &
iptables -t nat -nvL &
ip rou ls.
Outputs from the following.

iptables -nvL &

iptables -t nat -nvL &

ip rou ls
Command not found.

 
Old 01-12-2007, 12:49 PM   #14
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Quote:
Originally Posted by siadam
You only have a single POSTROUTING (SNATing) command under table nat, for internet access to your LAN.
Why didn't you run the PREROUTING command?

Add these two iptables PREROUTING+POSTROUTING rules in your 5th post's script & run.
Code:
iptables -t nat -A PREROUTING -p tcp -d 75.111.223.188 --dport 80 -j DNAT --to-destination 192.168.x.x(webserver-ip):80
iptables -t nat -A POSTROUTING -p tcp -d 192.168.x.x(lan-webserver-ip) --dport 80 -j SNAT --to-source 192.168.x.x(firewall-box-lan-ip)
*With firewall-box-lan-ip, I mean the IP of the box on which this script would be running.

Modify the above two lines for the proper IP addresses & then add them to your script. Run that script, and cross-check with #iptables -t nat -nvL: you'll see one rule under the PREROUTING chain & one more (in all that would make two) under the POSTROUTING chain.

If you do it this way, exactly... it will work. You can only verify whether this script is working by asking a friend of yours or by using a public proxy server.

You can also read more about NATing, iptables port forwarding @ http://amitsharma.linuxbloggers.com/portforwarding.htm
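The cross-check suggested above, as an added example that is not part of the thread: a small parser for `iptables -t nat -nvL` output that reports whether the DNAT rule is present and whether its packet counter has moved, which separates "rule never loaded" from "rule loaded but no outside traffic has reached it yet" (the situation when testing only from inside the LAN, as noted in post #9). It also makes post #4's observation concrete: the nat table never appears in plain `iptables -L`. The listing embedded below is constructed sample output with documentation addresses, not captured from the poster's box; the public IP 203.0.113.10 and server 192.168.1.20 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: parses `iptables -t nat -nvL` output
# to confirm the DNAT rule from post #14 is present and being hit. The
# listing below is constructed sample output (documentation addresses),
# not output captured from the poster's machine.
SAMPLE_NAT_LISTING=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 120 packets, 8640 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.10         tcp dpt:80 to:192.168.1.20:80
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.10         tcp dpt:22 to:192.168.1.20:22

Chain POSTROUTING (policy ACCEPT 55 packets, 4100 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2900 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            to:203.0.113.10

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)

# nat_chain_rules CHAIN: reads a -nvL listing on stdin and prints only the
# rule lines of CHAIN (between its "Chain CHAIN" header and the next blank
# line, minus the column-header line). Any chain name works; asking for a
# chain that is not in the listing yields nothing, which is exactly what
# `iptables -L` (filter table) shows for PREROUTING.
nat_chain_rules() {
    awk -v chain="$1" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && NF == 0 { inchain = 0; next }
        inchain && $1 != "pkts" { print }
    '
}

# dnat_status LISTING PUBLIC_IP LAN_SERVER_IP [PORT]
# Prints "missing" when no matching DNAT rule exists, "present-unmatched"
# when it exists but its packet counter is still 0 (nothing from outside has
# reached it yet, e.g. because the test was made from inside the LAN), and
# "present-matched" when traffic has hit it.
# Columns of -nvL rule lines: 1 pkts, 2 bytes, 3 target, 4 prot, 5 opt,
# 6 in, 7 out, 8 source, 9 destination, then "tcp dpt:PORT to:IP:PORT".
dnat_status() {
    listing="$1"; pub="$2"; srv="$3"; port="${4:-80}"
    pkts=$(printf '%s\n' "$listing" | nat_chain_rules PREROUTING |
        awk -v pub="$pub" -v dpt="dpt:$port" -v to="to:$srv:$port" \
            '$3 == "DNAT" && $9 == pub && $11 == dpt && $NF == to { print $1; exit }')
    if [ -z "$pkts" ]; then
        echo missing
    elif [ "$pkts" = "0" ]; then
        echo present-unmatched
    else
        echo present-matched
    fi
}

# Example run against the constructed listing. On a real box replace
# "$SAMPLE_NAT_LISTING" with "$(iptables -t nat -nvL)" as root.
for p in 80 22 443; do
    printf 'port %s -> %s\n' "$p" \
        "$(dnat_status "$SAMPLE_NAT_LISTING" 203.0.113.10 192.168.1.20 "$p")"
done
```

Against the sample it reports port 80 as present-matched, port 22 as present-unmatched and port 443 as missing. A "present-unmatched" result after a test from inside the LAN is expected rather than a failure: the PREROUTING rule only sees packets arriving on the external side, so the counter stays at zero until an outside client connects.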
 
Old 01-12-2007, 02:11 PM   #15
siadam
LQ Newbie
 
Registered: Jan 2007
Location: WV
Distribution: Slackware/Centos4
Posts: 29

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by amitsharma_26
You only have a single POSTROUTING (SNATing) command under table nat, for internet access to your LAN.
Why didn't you run the PREROUTING command?
I did, but not before I listed the ruleset and posted them. I wanted you to see what I am working with. I have yet to try to see if it works. I am in the process of setting up a Sprint wifi card so I can acquire an outside IP and try it that way for testing purposes, instead of going home and trying there.

I will keep you all updated.

Again THANKS for the help!
 