Linux - Networking: This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
I have done some lurking here and there along with a lot of reading, to no avail thus far.
Currently running a Slack 8.1 box as a firewall/email. It was in place before I arrived and has done a great job. It has webmin installed, and that is where I have done most/all configs up to this point. There is not a place to configure iptables, so I fired up ssh and went to work.
What I would like to happen: to access an internal device from outside the LAN.
The problem I have is that no matter what I do, I cannot get to it. Connection Refused!!
I am using ssh/telnet while at work and am fine. It is a NAT configuration with 1 public IP mapped to many private IPs inside.
While on the LAN, you can access the device via a web browser, 192.168.xxx.xxx, without entering a port number. So I am going to assume it is port 80.
Have you heard of the saying 'curiosity killed the cat'?
Let me clarify a few points which may help you understand the whole idea.
1. In iptables we have the INPUT and OUTPUT chains for LOCAL BOX related firewalling, and the PREROUTING, POSTROUTING and FORWARD chains for NAT-related packets.
2. Whenever anything is being forwarded (NATed) to some other box (not your local box; a LAN host or any other), it has nothing to do with the INPUT and OUTPUT chains.
3. RULES LISTING: iptables -t nat -nvL // will list your NAT rules,
and iptables -nvL // will list your INPUT, OUTPUT and FORWARD rules.
4. There's a FORWARD chain in iptables which stands between PREROUTING and POSTROUTING and your LAN. So you should always make sure that there's nothing in the FORWARD chain that's blocking your NATed packets from traversing through.
5. Above all, you should also make sure that your linux box is actually acting as a ROUTER/IP_FORWARDER. Try cat /proc/sys/net/ipv4/ip_forward to see if it is 1 (which means it is working as a router). Otherwise we have to change it to 1.
6. NATed packets always find their way back on their own. So we are not supposed to specify a reverse DNATing (SNATing) rule while we NAT packets.
If making your LAN hosted webserver available to the internet is the only concern, then follow these steps:
1. Flush all the rules (the first rule flushes rules from the INPUT, OUTPUT and FORWARD chains, the second rule flushes rules from the nat table and the third rule flushes rules from the mangle table):
iptables -F
iptables -t nat -F
iptables -t mangle -F
2. echo 1 > /proc/sys/net/ipv4/ip_forward
3. iptables -t nat -A PREROUTING -p tcp -d <YOUR PUBLIC IP> --dport 80 -j DNAT --to-destination 192.168.x.x:80
4. Make sure that the 192.168.x.x box has this FIREWALL box set as its gateway.
That's it. Try now. Please be aware that you cannot check the implementation of these rules by browsing from this box only; either you have to use some public proxy server or ask a friend of yours to check it.
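The recipe above as a runnable script, added here as an example and not posted in the thread. It assumes placeholder addresses 203.0.113.10 (public) and 192.168.1.20 (LAN host), validates its inputs, and also adds the FORWARD-chain accepts that point 4 warns about; set IPT=echo to dry-run it and read the rules before touching a live firewall.

```shell
#!/bin/sh
# Port-forward a TCP service on a LAN host through an iptables NAT gateway.
# Constructed example: 203.0.113.10 (public) and 192.168.1.20 (LAN) are placeholders.
# IPT=echo lets you dry-run and read the rules before touching a live firewall.
IPT="${IPT:-iptables}"

# Succeed only for a dotted-quad IPv4 address whose octets are all 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Subshell so the IFS change does not leak to the caller.
    (IFS=.; set -- $1; for o; do [ "$o" -le 255 ] || exit 1; done)
}

# Emit the rules for: public IP $1, LAN host $2, TCP port $3.
# Follows the thread's recipe (DNAT in PREROUTING) and adds FORWARD-chain
# accepts so a restrictive FORWARD policy cannot silently drop the DNATed flow.
port_forward_rules() {
    pub=$1; lan=$2; port=$3
    valid_ipv4 "$pub" && valid_ipv4 "$lan" || { echo "bad IP address" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }

    # Rewrite the destination of inbound connections to the LAN host.
    $IPT -t nat -A PREROUTING -p tcp -d "$pub" --dport "$port" \
        -j DNAT --to-destination "$lan:$port"
    # Admit only the forwarded port inbound, plus replies conntrack already tracks.
    # No SNAT for the reply path is needed: conntrack un-NATs it (thread point 6).
    $IPT -A FORWARD -p tcp -d "$lan" --dport "$port" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage (as root on the gateway): sh portfwd.sh apply 203.0.113.10 192.168.1.20 80
if [ "${1:-}" = "apply" ]; then
    shift
    echo 1 > /proc/sys/net/ipv4/ip_forward      # the box must route, not just filter
    port_forward_rules "$@" && $IPT -t nat -nvL # cross-check as the thread advises
fi
```

The existing POSTROUTING SNAT rule that gives the LAN internet access is left alone; the script only adds the inbound path.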
Have you heard of the saying 'curiosity killed the cat'?
I am not quite sure what you mean by that? Maybe you can elaborate. If you think I am just "playing around" for the sake of screwing off, you are incorrect. I actually have a project I am trying to complete, and I am unfamiliar with iptables. I know whatever changes I make are wiped clean if I am forced to restart the machine, so I feel I can take a few chances to see what happens.
I do greatly appreciate the help. I have learned so much from the past week after reading/reading/reading and more reading. Not sure if I feel more comfortable or not, as a lot of the information has become convoluted.
I will try what you suggested and will be posting back soon.
*With firewall-box-lan-ip, I mean the IP of the box on which this script would be running.
Modify the above two lines for proper IP addresses and then add them to your script. Run that script, then cross-check with #iptables -t nat -nvL; you'll see one rule under the PREROUTING chain and one more (in all that would make two) under the POSTROUTING chain.
If you do it this way, exactly, it will work. You can only verify the working of this script by asking a friend of yours or using a public proxy server.
You only have a single POSTROUTING (SNATing) command under the nat table, for internet access from your LAN.
Why didn't you run the PREROUTING command?
I did, but not before I listed the ruleset and posted them. I wanted you to see what I am working with. I have yet to try to see if it works. I am in the process of setting up a Sprint wifi card so I can acquire an outside IP and try it that way for testing purposes, instead of going home and trying there.