LinuxQuestions.org

Linux - Newbie: Website not accessible from the internet (https://www.linuxquestions.org/questions/linux-newbie-8/website-not-accessible-from-the-internet-742554/)

jimmy99 07-24-2009 02:46 PM

Website not accessible from the internet
 
I have a website configured for port 90 that is visible from localhost, but when I try to browse to it from the internet it's not available.

However, when I disable iptables it is visible.

The only complication is that the Linux machine is a VMware host, so the iptables entries are configured to forward the port 80 packets to the Windows machine on the VMware guest.

This is what I have in the iptables file (ip addresses modified with XXX):

*filter
:INPUT ACCEPT [2737684:2280789513]
:FORWARD ACCEPT [1431:642663]
:OUTPUT ACCEPT [25858:20445722]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Thu Jul 23 17:22:39 2009
# Generated by iptables-save v1.3.5 on Thu Jul 23 17:22:39 2009
*nat
:PREROUTING ACCEPT [2683831:174226130]
:POSTROUTING ACCEPT [17607:1342814]
:OUTPUT ACCEPT [17532:1338442]
-A PREROUTING -d xxx.38.88.xxx -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination xxx.16.244.xxx:80
-A PREROUTING -d xxx.38.88.xxx -i eth0 -p tcp -m tcp --dport 81 -j DNAT --to-destination xxx.38.88.xxx:8333
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

Does anyone know how I get the iptables configured to direct the packets to the web server on port 90 of xxx.38.88.xxx?

thinknix 07-24-2009 03:36 PM

This thread might help you, your problem seems similar:

http://www.linuxquestions.org/questi...resses-739954/

jimmy99 07-25-2009 12:26 AM

A small difference
 
Thanks for the link. Unfortunately I could not get it to work. Your previous post refers to multiple vms. My problem is that there is a website on the vm and a website on the host machine.

I tried:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 90 -d xxx.38.88.172 -j DNAT --to-dest xxx.38.88.172

to direct requests on port 90 to the host machine, but no joy

thinknix 07-25-2009 10:20 AM

I guess I'm not clear on your setup, then. Why do you have web servers running on both host and guest? Which one do you want the internet to be able to access? It would also help if you put full IPs in your descriptions; just replace the first octet of each with '10.' if you don't want to show the real IPs.

jimmy99 07-25-2009 03:07 PM

More details
 
OK - thanks for the reply.

So I have a windows web server on the VM guest.
The VMware host is a Linux box.
The external ip address exposed to the internet is 456.38.88.172 on eth0

The internal ip address of the vm guest is 123.16.244.2

The web server on the windows vm is set to listen on port 80, and the web server on the linux host is set to listen on port 90.

With these settings the Windows web server on the VM guest is accessible from the internet, but the Apache web server on the Linux host is only accessible locally, or from the Windows server, but not from the internet.

I thought the entry:
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 456.38.88.172
which seems superfluous to me, would do the trick, but to no avail.

I would be grateful if you could see my error.

I have pasted the entire contents of the iptables file below.

# Generated by iptables-save v1.3.5 on Sat Jul 25 07:09:03 2009
*filter
:INPUT ACCEPT [9555:1468540]
:FORWARD ACCEPT [27:4598]
:OUTPUT ACCEPT [118978:6278698]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 123.16.244.2 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d 456.38.88.172 -p tcp -m tcp --dport 90 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 123.16.244.2 -o eth0 -p tcp -m multiport --dports 22,53 -m state --state NEW -j ACCEPT
-A OUTPUT -s 123.16.244.2 -o eth0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
# Completed on Sat Jul 25 07:09:03 2009
# Generated by iptables-save v1.3.5 on Sat Jul 25 07:09:03 2009
*nat
:PREROUTING ACCEPT [160589:10376251]
:POSTROUTING ACCEPT [6:352]
:OUTPUT ACCEPT [709:43196]
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.16.244.2:80
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 81 -j DNAT --to-destination 456.38.88.172:8333
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 456.38.88.172:90
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.16.244.2
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 456.38.88.172
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 123.16.244.2 -o eth0 -j SNAT --to-source 456.38.88.172
-A POSTROUTING -s 456.38.88.172 -o eth0 -j SNAT --to-source 456.38.88.172
COMMIT
# Completed on Sat Jul 25 07:09:03 2009

thinknix 07-25-2009 04:25 PM

Sounds like your linux host has one interface already exposed to the internet (eth0), so I think the issue is there are too many NAT rules. You don't need to do any NAT at all to allow access to your linux webserver. So get rid of these two rules:

Code:

-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 456.38.88.172:90
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 456.38.88.172

then the one rule you already have:

Code:

-A INPUT -d 456.38.88.172 -p tcp -m tcp --dport 90 -m state --state NEW -j ACCEPT
...will allow the inbound requests to port 90 just fine (and the ESTABLISHED,RELATED match will handle the connections once they get going).

Also, get rid of this rule:

Code:

-A POSTROUTING -o eth0 -j MASQUERADE
since outbound SNAT from your windows vm is handled by the very next SNAT rule. And you can also get rid of this one:

Code:

-A POSTROUTING -s 456.38.88.172 -o eth0 -j SNAT --to-source 456.38.88.172
since it just does SNAT to the same source IP.

When you get this working, change at least your default INPUT policy to DROP. If this is also acting as a firewall for internal hosts (i.e. if it is forwarding traffic to other physical hosts), the default policy on the FORWARD chain should also be DROP. And if you leave your OUTPUT policy as ACCEPT, then you don't need any of the OUTPUT chain state rules. You want to be precise in the traffic you allow, and drop everything else - just get your setup working first before you do that. I have some commented iptables scripts that might be a good reference for you, see http://blog.unixlore.net/2006/03/lin...l-scripts.html .

If this doesn't work, I would verify that inbound port 90 traffic is actually getting to your linux box, using tcpdump.

Code:

tcpdump -n -i eth0 tcp port 90 and host <source IP address>
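As an added example (not posted in the thread), here is the ruleset for the setup described above with the changes suggested in this reply applied, written in the same iptables-save format the thread uses, plus a small check that reports the rules that should be gone. The fake addresses are the ones from the thread; with FORWARD set to DROP the guest's port 80 traffic needs explicit FORWARD rules, which the thread does not show, so the three FORWARD rules here are an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Writes the ruleset for the setup above
# with thinknix's changes applied: no DNAT of the host's own port 90, no
# MASQUERADE, no SNAT-to-itself, default DROP on INPUT and FORWARD. With
# FORWARD set to DROP the guest's traffic needs explicit FORWARD rules, which
# the thread does not show; the three added here are an assumption.
EXT_IP="456.38.88.172"   # host address on eth0 as given in the thread
GUEST_IP="123.16.244.2"  # Windows guest on the VMware network
WAN_IF="eth0"

write_ruleset() {  # $1 = output file, iptables-save format
    cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -d $EXT_IP -p tcp -m tcp --dport 90 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d $GUEST_IP -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -s $GUEST_IP -o $WAN_IF -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d $EXT_IP -i $WAN_IF -p tcp -m tcp --dport 80 -j DNAT --to-destination $GUEST_IP:80
-A POSTROUTING -s $GUEST_IP -o $WAN_IF -j SNAT --to-source $EXT_IP
COMMIT
EOF
}

check_ruleset() {  # $1 = file; returns 0 if the redundant rules are gone, else reports them
    f="$1"; rc=0
    grep -q MASQUERADE "$f" && { echo "MASQUERADE is redundant next to the SNAT rule"; rc=1; }
    grep -q "dport 90 -j DNAT" "$f" && { echo "DNAT of port 90 to the host itself is useless"; rc=1; }
    grep -q -- "-s $EXT_IP -o $WAN_IF -j SNAT" "$f" && { echo "SNAT to own address is a no-op"; rc=1; }
    grep -q "^:INPUT DROP" "$f" || { echo "INPUT policy should be DROP"; rc=1; }
    grep -q "dport 90 -m state --state NEW -j ACCEPT" "$f" || { echo "INPUT rule for port 90 missing"; rc=1; }
    return $rc
}

# Syntax-check with the real tool when available (needs root); otherwise
# only the textual checks above run.
if [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    write_ruleset /tmp/rules.v4 && iptables-restore --test /tmp/rules.v4
fi
```

Load the generated file with `iptables-restore` only after confirming SSH (port 22) is still allowed, since the default INPUT policy is now DROP.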

jimmy99 07-25-2009 05:24 PM

tcpdump
 
Thanks for your help with this.
No luck with the web access on port 90.
I tried tcpdump - on port 90, no packets captured.

Then I tried with port 80, and the packets come through.

Now I'm wondering whether the hosting company is blocking port 90 before the packets reach my server. What do you think, or is there some other approach I should adopt?

thinknix 07-25-2009 05:34 PM

If you aren't even seeing port 90 traffic get to your server, then it's a safe bet something upstream is blocking that port. I would try a port likely to be open, like 443, for example (assuming you have no need for SSL), or 8080 might be better.

jimmy99 07-25-2009 05:53 PM

Port 8080 is also blocked. Port 443 is open though, and I can now get to the web server.

Thanks for all your help and patience.

