LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 08-15-2003, 08:09 PM   #1
ShinySteelRobot
LQ Newbie
 
Registered: Aug 2003
Posts: 4

Rep: Reputation: 0
Trying to forward web traffic through firewall w/ IPTABLES


Please help! I've tried reading the IPTABLES man page and scoured Google, but with no luck. I'm having trouble getting port forwarding to work...I'd like requests that come in to my firewall on port 80 to be forwarded to the private web host on port 8080.

I'm certain that two or three extra lines in /etc/sysconfig/iptables will enable the functionality, but I've been unable to find the magic incantations.

I have a pretty generic home office configuration. I'm running Red Hat 8 and iptables on the firewall. The firewall has its own static IP address on an external Internet ethernet interface. It also has an internal interface to the private non-routable network (10.x.x.x). I'm using Network Address Translation to mask the private hosts behind the firewall. This is all working well.

Now I've added a web server to my private network behind the firewall. Here's an ASCII diagram of the network:
Code:
 <INTERNET>
     |
  +--+--+
  | DSL |
  |modem|
  +--+--+
     |
external static IP (eth0)
+----+-----+
| Firewall |
|   host   |
+----+-----+
internal 10.0.0.1 (eth1)
     |
  +--+--+
  | hub |
  +--+--+
     |
     +-----------------+--------- . . .
     |                 |
  10.0.0.2          10.0.0.3
+----+-------+    +----+-----+
| Web Server |    |  Other   |
|on port 8080|    |  machine |          
+------------+    +----------+
Here are my current firewall rules from /etc/sysconfig/iptables.

----------------------------------------------------
Code:
*filter

# define the user-defined 'firewall' chain
-N firewall
# accept all mail connections on any interface for Sendmail/PostFix 
# from any interface
# (note: 'mail' is defined in /etc/services, which iptables accepts)
-A firewall -p tcp -m tcp --dport mail -j ACCEPT
# accept all SSH connections from any interface
-A firewall -p tcp -m tcp --dport ssh -j ACCEPT
# accept all IMAPS connections on any interface (but not IMAP)
-A firewall -p tcp -m tcp --dport imaps -j ACCEPT 
# accept all established and related connections from any interface 
-A firewall -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept all new connections as long as they are not from eth0
# (ie, accept everything except from the Internet-facing interface)
-A firewall -m state --state NEW -i ! eth0 -j ACCEPT
# block everything else (eg, block the Internet-facing interface)
-A firewall -j DROP

# jump to that chain from the INPUT and FORWARD chains
-A INPUT -j firewall
-A FORWARD  -j firewall

COMMIT

*nat
# change source addresses to EXTERNAL_IP_ADDR
-A POSTROUTING -o eth0 -j SNAT --to <my_external_ip_addr>

COMMIT
----------------------------------------------------

Many, many thanks for any help!

- Justin
 
Old 08-15-2003, 10:21 PM   #2
quest4knowledge
Member
 
Registered: Aug 2003
Distribution: gentoo
Posts: 62

Rep: Reputation: 15
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:8080

This should be what youre looking for.
 
Old 08-16-2003, 03:40 AM   #3
ShinySteelRobot
LQ Newbie
 
Registered: Aug 2003
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks for the response. It's still not working for me though. I added that line to my /etc/sysconfig/iptables file, but now I can't restore iptables:

Code:
# /etc/init.d/iptables restart
Flushing all current rules and user defined chains:        [  OK  ]
Clearing all current rules and user defined chains:        [  OK  ]
Applying iptables firewall rules: iptables-restore v1.2.6a: Unknown arg `--dport'
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
                                                           [FAILED]
Does it matter where/how you add the PREROUTING line? Does it matter that my "filter" chain drops all connections other than mail, ssh, and imaps? BTW, I have added the new line just above the other *nat* line like so (in red):

Code:
*filter

# define the user-defined 'firewall' chain
-N firewall
# accept all mail connections on any interface for Sendmail/PostFix 
# from any interface
# (note: 'mail' is defined in /etc/services, which iptables accepts)
-A firewall -p tcp -m tcp --dport mail -j ACCEPT
# accept all SSH connections from any interface
-A firewall -p tcp -m tcp --dport ssh -j ACCEPT
# accept all IMAPS connections on any interface (but not IMAP)
-A firewall -p tcp -m tcp --dport imaps -j ACCEPT 
# accept all established and related connections from any interface 
-A firewall -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept all new connections as long as they are not from eth0
# (ie, accept everything except from the Internet-facing interface)
-A firewall -m state --state NEW -i ! eth0 -j ACCEPT
# block everything else (eg, block the Internet-facing interface)
-A firewall -j DROP

# jump to that chain from the INPUT and FORWARD chains
-A INPUT -j firewall
-A FORWARD  -j firewall
COMMIT

*nat
# route HTTP port 80 requests inside the firewall to the 
# internal web server at 8080
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:8080
# change source addresses to EXTERNAL_IP_ADDR
-A POSTROUTING -o eth0 -j SNAT --to <my_external_ip_addr>

COMMIT
Again...many, many thanks for any help you can offer.
 
Old 08-16-2003, 07:26 AM   #4
Looking_Lost
Senior Member
 
Registered: Apr 2003
Location: Eire
Distribution: Slackware 12.0, OpenSuse 10.3
Posts: 1,120

Rep: Reputation: 45
# (ie, accept everything except from the Internet-facing interface)
-A firewall -m state --state NEW -i ! eth0 -j ACCEPT


Just wondered about this....how's anyone going to connect from outside of your network to any of the servers you are running? Maybe this is the problem.
 
Old 08-16-2003, 03:54 PM   #5
ShinySteelRobot
LQ Newbie
 
Registered: Aug 2003
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
how's anyone going to connect from outside of your network to any of the servers you are running? Maybe this is the problem.
Thanks, I think you're right. Unfortunately iptables still fails to load, so I can't test it yet (I'm still hoping someone has a solution for the load failure problem).

In the meantime I'll add a line like so to my "filter" chain to allow HTTP traffic.

Code:
.
.
# accept all HTTP connections on any interface
-A firewall -p tcp -m tcp --dport http -j ACCEPT 
.
.
Once again, many thanks for any help. Sorry for all the newbie questions.
 
Old 08-16-2003, 04:00 PM   #6
Looking_Lost
Senior Member
 
Registered: Apr 2003
Location: Eire
Distribution: Slackware 12.0, OpenSuse 10.3
Posts: 1,120

Rep: Reputation: 45
Try

iptables --flush

then load your rules in, Does it give you an error then?

If not save them

iptables-save > /etc/sysconfig/iptables

restart iptables

/etc/init.d/iptables restart
 
Old 08-17-2003, 05:43 PM   #7
ShinySteelRobot
LQ Newbie
 
Registered: Aug 2003
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks for all the suggestions. I found the solution at this web site:
http://kreiger.linuxgods.com/kiki/?P...with+netfilter

Now I run the following script, and it sets everything up nicely...

Code:
#!/bin/bash
# iptablesconf

echo 'Running iptables firewall configuration script'

# turn on IP forwarding
# this can be configured in /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward

# flush the existing rules
echo '*** Flushing existing iptables rules from memory ***'
iptables --flush

# define some handy variables
EXTERNAL_STATIC_IP_ADDR=...
  echo Setting EXTERNAL_STATIC_IP_ADDR=$EXTERNAL_STATIC_IP_ADDR
EXTERNAL_INTERFACE=eth0
  echo Setting EXTERNAL_INTERFACE=$EXTERNAL_INTERFACE
INTERNAL_STATIC_IP_ADDR=10.0.0.1
  echo Setting INTERNAL_STATIC_IP_ADDR=$INTERNAL_STATIC_IP_ADDR
INTERNAL_INTERFACE=eth1
  echo Setting INTERNAL_INTERFACE=$INTERNAL_INTERFACE
HTTP_SERVER_IP_ADDR=10.0.0.2
  echo Setting HTTP_SERVER_IP_ADDR=$HTTP_SERVER_IP_ADDR


echo '*** Beginning NAT configuration ***'

# Forward packets coming in from the outside on port 80 to the internal HTTP server on port 8080
echo 'Forwarding packets from outside for port 80 to the HTTP server port 8080'
iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_STATIC_IP_ADDR --dport 80 -j DNAT --to-destination $HTTP_SERVER_IP_ADDR:8080

# Make it work from the firewall itself
echo 'Forwarding port 80 packets from the firewall itself to the HTTP server port 8080'
iptables -t nat -A OUTPUT -p tcp -d $EXTERNAL_STATIC_IP_ADDR --dport 80 -j DNAT --to-destination $HTTP_SERVER_IP_ADDR:8080

# Make responses on the internal network go through the firewall
echo 'Making responses from the internal HTTP server pass back through the firewall'
iptables -t nat -A POSTROUTING -p tcp -d $HTTP_SERVER_IP_ADDR --dport 8080 -j SNAT --to-source $INTERNAL_STATIC_IP_ADDR

# Allow forwarded packets
echo 'Allowing packets destined for the HTTP server on port 8080 to be forwarded' 
iptables -A FORWARD -p tcp -d $HTTP_SERVER_IP_ADDR --dport 8080 -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED

# change source addresses to EXTERNAL_STATIC_IP_ADDR
echo 'Modifying the source address of packets to appear to be from the firewall itself'
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j SNAT --to $EXTERNAL_STATIC_IP_ADDR


# define the user-defined 'firewall' chain
echo '*** Creating user-defined "firewall" chain ***'
iptables -N firewall

# accept all mail connections on any interface for Sendmail/PostFix
# from any interface
# (note: 'mail' is defined in /etc/services, which iptables accepts)
echo 'Accepting incoming internal/external SMTP tcp traffic to pass through the firewall'
iptables -A firewall -p tcp -m tcp --dport mail -j ACCEPT

# accept all IMAPS connections on any interface (but not IMAP)
# (note: 'imaps' is defined in /etc/services, which iptables accepts)
echo 'Accepting incoming internal/external IMAPS (secure IMAP) tcp traffic to pass through the firewall'
iptables -A firewall -p tcp -m tcp --dport imaps -j ACCEPT

# accept all SSH connections from any interface
# (note: 'ssh' is defined in /etc/services, which iptables accepts)
echo 'Accepting incoming internal/external SSH tcp traffic to pass through the firewall'
iptables -A firewall -p tcp -m tcp --dport ssh -j ACCEPT

# accept all HTTP connections on any interface
# (note: 'http' is defined in /etc/services, which iptables accepts)
echo 'Accepting incoming internal/external HTTP (but not HTTPS) tcp traffic to pass through the firewall'
iptables -A firewall -p tcp -m tcp --dport http -j ACCEPT

# accept all established and related connections from any interface
echo 'Accepting incoming internal/external ESTABLISHED and RELATED (any protocol) connections to pass through the firewall'
iptables -A firewall -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept all new connections as long as they are not from EXTERNAL_INTERFACE
# (ie, accept everything except from the Internet-facing interface)
echo 'Accepting incoming internal-only NEW (any protocol) connections to pass through the firewall'
iptables -A firewall -m state --state NEW -i ! $EXTERNAL_INTERFACE -j ACCEPT

# block everything else (eg, block the Internet-facing interface)
echo 'Dropping all other connection attempts (any protocol)'
iptables -A firewall -j DROP

# if we get to here, jump to the named chain (INPUT and FORWARD chains)
echo 'Jumping any remaining unmatched packets to the INPUT and FORWARD built-in chains, in case they care'
iptables -A INPUT -j firewall
iptables -A FORWARD  -j firewall

# turn on IP forwarding
# THIS IS DONE IN CONFIGURATION FILE /etc/sysctl.conf !!!
#echo 1 > /proc/sys/net/ipv4/ip_forward

# show the user the final results of what was accomplished
echo 'Finished -- Outputting verbose result of table manipulation'
echo ""
iptables -L -v -n

# now remind the user to regenerate the iptables initialization file
echo "Don't forget to save the iptables to the iptables initialization file"
echo 'with this command:'
echo "iptables-save > /etc/sysconfig/iptables"
root@bastion:/etc/sysconfig
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How can I forward all traffic to 10.10.0.10:80 to 10.10.0.20:8080 using IPtables? abefroman Linux - Networking 1 10-06-2005 03:19 PM
iptables forward traffic alaios Linux - Networking 1 09-28-2005 04:43 AM
Need Help In Building a Web-based Firewall Configuration Tool for Linux(RH9-iptables) eason Linux - General 1 02-21-2004 05:34 PM
use iptables to give net traffic priority to web browsers ? qwijibow Linux - Security 2 02-17-2004 08:10 AM
I need to inhibit outgoing web traffic on the firewall, and leave only Squid, How? mfeoli Linux - Networking 2 02-06-2004 09:54 AM


All times are GMT -5. The time now is 03:43 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration