iptables does not allow me to access internal web server.
I have iptables set up on my RH9 firewall. Let's say my external IP is 444.333.222.111 and my internal network is 10.1.1.0/255.255.255.0 (eth0 is internal and eth1 is external). My Web server is internal and is 10.1.1.1. I have a DNS "A" record for www to 444.333.222.111. If I try to go to www from an internal machine it does not work. I am attaching the iptables script. Any ideas how I could forward these packets to the internal server and any idea where it is being dropped would greatly help.
Many thanks in advance.

-----Start of IPTABLES output
# Generated by iptables-save v1.2.7a on Sat Oct 25 21:05:52 2003
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.1.1.0/255.255.255.0 -o eth1 -j MASQUERADE
-A PREROUTING -p tcp -m tcp -i eth1 --dport 25 -j DNAT --to-destination 10.1.1.1:25
-A PREROUTING -p tcp -m tcp -i eth1 --dport 53 -j DNAT --to-destination 10.1.1.1:53
-A PREROUTING -p udp -i eth1 --dport 53 -j DNAT --to-destination 10.1.1.1:53
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination 10.1.1.1:80
-A PREROUTING -p tcp -m tcp -i eth1 --dport 110 -j DNAT --to-destination 10.1.1.1:110
-A PREROUTING -p tcp -m tcp -i eth1 --dport 443 -j DNAT --to-destination 10.1.1.1:443
-A PREROUTING -p udp -i eth1 --dport 500 -j DNAT --to-destination 10.1.1.1:500
-A PREROUTING -p tcp -m tcp -i eth1 --dport 1723 -j DNAT --to-destination 10.1.1.1:1723
-A PREROUTING -p tcp -m tcp -i eth1 --dport 3389 -j DNAT --to-destination 10.1.1.1:3389
-A PREROUTING -p gre -i eth1 -j DNAT --to-destination 10.1.1.1
-A PREROUTING -p esp -i eth1 -j DNAT --to-destination 10.1.1.1
COMMIT
# Completed on Sat Oct 25 21:05:52 2003
# Generated by iptables-save v1.2.7a on Sat Oct 25 21:05:52 2003
*filter
:PAROLE - [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PUB_IN - [0:0]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:FORWARD DROP [0:0]
:PUB_OUT - [0:0]
-A INPUT -p tcp -d 127.0.0.0/255.0.0.0 ! -i lo -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 224.0.0.0/240.0.0.0 -j DROP
-A INPUT -d 10.1.1.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -s 10.1.1.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -i eth1 -j PUB_IN
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 25 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 53 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 80 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 110 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 443 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 1723 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 3389 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p gre -j ACCEPT
-A FORWARD -p esp -j ACCEPT
-A FORWARD -p tcp -m tcp -s 10.1.1.0/255.255.255.0 -d 0.0.0.255/0.0.0.255 -o eth1 --dport 137:139 -j DROP
-A FORWARD -p udp -m udp -s 10.1.1.0/255.255.255.0 -d 0.0.0.255/0.0.0.255 -o eth1 --dport 137:139 -j DROP
-A OUTPUT -o eth1 -j PUB_OUT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 11111 -j PAROLE
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 23 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 21 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 143 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 110 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 79 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 111 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 512 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 513 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 98 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 22 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p udp -m udp -m state -m limit --dport 31337 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j DROP
-A PUB_OUT -j ACCEPT
-A FORWARD -s 10.1.1.0/255.255.255.0 -o eth1 -j ACCEPT
-A FORWARD -j DROP
COMMIT
# Completed on Sat Oct 25 21:05:52 2003
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
---- End of IPTABLES output. |
Try removing this line
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination 10.1.1.1:80
and setting your webserver to listen on all available IPs. |
Thanks for your reply.
I cannot remove this line because I am doing port forwarding from the Internet (eth1) to my internal Web server (this server is not the same box as my RH9 box). I am not having any issues forwarding those packets inbound from eth1. The packet drops are occurring when I use an internal client machine on the 10.1.1.0/255.255.255.0 network that uses this RH9 box as a default gateway. I would prefer to not have to change the URL in the browser to 10.1.1.1 when I want to access the server from inside the firewall. I hope this clears it up a little more. |
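Added here as an illustration, not code from the thread: a small Python model of the posted port-80 nat rule that shows why a packet from the LAN side to the public address is never translated (the rule only matches -i eth1, so the packet is routed to the firewall's own INPUT chain rather than forwarded), and, going beyond the thread, what the usual hairpin-NAT remedy does. The -i eth0 DNAT rule and the MASQUERADE rule are assumptions of this example, not rules from the thread.

```python
# Added example, not code from the thread: a tiny model of the nat PREROUTING
# chain from the posted dump, showing why a LAN client connecting to the public
# address is never DNATed. 444.333.222.111 is the poster's placeholder public IP.
FIREWALL_PUBLIC_IP = "444.333.222.111"

def parse_rule(line):
    """Parse just the iptables-save options this model needs."""
    toks = line.split()
    r = {"chain": toks[1], "in": None, "proto": None, "dport": None,
         "dst": None, "target": None, "to": None}
    keys = {"-i": "in", "-p": "proto", "--dport": "dport", "-d": "dst",
            "-j": "target", "--to-destination": "to"}
    i = 2
    while i < len(toks):
        if toks[i] in keys:
            r[keys[toks[i]]] = toks[i + 1].split("/")[0]  # drop any /mask
            i += 2
        else:
            i += 1  # -m tcp, -s, -o and friends are irrelevant here
    return r

def prerouting(rules, pkt):
    """First matching DNAT rule wins; return (ip, port) after PREROUTING."""
    for r in rules:
        if r["chain"] != "PREROUTING" or r["target"] != "DNAT":
            continue
        if all(r[k] is None or r[k] == str(pkt[k])
               for k in ("in", "proto", "dport", "dst")):
            ip, _, port = r["to"].partition(":")
            return ip, int(port) if port else pkt["dport"]
    return pkt["dst"], pkt["dport"]  # chain policy ACCEPT: untranslated
# The poster's port-80 rule, verbatim: it only matches packets entering on eth1.
POSTED = ["-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination 10.1.1.1:80"]
# Added hairpin rules (an assumption, not from the thread): DNAT the same way
# for packets from the LAN side, and MASQUERADE those connections so the web
# server's replies come back through the firewall rather than straight to the client.
HAIRPIN = POSTED + [
    "-A PREROUTING -p tcp -m tcp -i eth0 -d 444.333.222.111 --dport 80 -j DNAT --to-destination 10.1.1.1:80",
    "-A POSTROUTING -s 10.1.1.0/24 -d 10.1.1.1 -o eth0 -j MASQUERADE",
]

def where_does_it_go(rule_lines, in_if):
    """Model a TCP SYN to the public address, port 80, arriving on in_if."""
    pkt = {"in": in_if, "proto": "tcp", "dst": FIREWALL_PUBLIC_IP, "dport": 80}
    ip, port = prerouting([parse_rule(l) for l in rule_lines], pkt)
    # Routing runs after PREROUTING: a destination that is still the firewall's
    # own address goes to INPUT (where no web server listens), not FORWARD.
    chain = "FORWARD" if ip != FIREWALL_PUBLIC_IP else "INPUT"
    return ip, port, chain
```

With the posted rule alone, where_does_it_go(POSTED, "eth0") ends in INPUT; with the hairpin rules it is forwarded to 10.1.1.1 like an external request.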