LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-07-2003, 03:58 PM   #1
JawjLindo
LQ Newbie
 
Registered: Nov 2003
Posts: 2

iptables does not allow me to access internal web server.


I have iptables set up on my RH9 firewall. Let's say my external IP is 444.333.222.111 and my internal network is 10.1.1.0/255.255.255.0 (eth0 is internal and eth1 is external). My Web server is internal and is 10.1.1.1. I have a DNS "A" record for www to 444.333.222.111. If I try to go to www from an internal machine it does not work. I am attaching the iptables script. Any ideas how I could forward these packets to the internal server and any idea where it is being dropped would greatly help.
Many thanks in advance.

-----Start of IPTABLES output

# Generated by iptables-save v1.2.7a on Sat Oct 25 21:05:52 2003
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.1.1.0/255.255.255.0 -o eth1 -j MASQUERADE
-A PREROUTING -p tcp -m tcp -i eth1 --dport 25 -j DNAT --to-destination 10.1.1.1:25
-A PREROUTING -p tcp -m tcp -i eth1 --dport 53 -j DNAT --to-destination 10.1.1.1:53
-A PREROUTING -p udp -i eth1 --dport 53 -j DNAT --to-destination 10.1.1.1:53
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination 10.1.1.1:80
-A PREROUTING -p tcp -m tcp -i eth1 --dport 110 -j DNAT --to-destination 10.1.1.1:110
-A PREROUTING -p tcp -m tcp -i eth1 --dport 443 -j DNAT --to-destination 10.1.1.1:443
-A PREROUTING -p udp -i eth1 --dport 500 -j DNAT --to-destination 10.1.1.1:500
-A PREROUTING -p tcp -m tcp -i eth1 --dport 1723 -j DNAT --to-destination 10.1.1.1:1723
-A PREROUTING -p tcp -m tcp -i eth1 --dport 3389 -j DNAT --to-destination 10.1.1.1:3389
-A PREROUTING -p gre -i eth1 -j DNAT --to-destination 10.1.1.1
-A PREROUTING -p esp -i eth1 -j DNAT --to-destination 10.1.1.1
COMMIT
# Completed on Sat Oct 25 21:05:52 2003
# Generated by iptables-save v1.2.7a on Sat Oct 25 21:05:52 2003
*filter
:PAROLE - [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PUB_IN - [0:0]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:FORWARD DROP [0:0]
:PUB_OUT - [0:0]
-A INPUT -p tcp -d 127.0.0.0/255.0.0.0 ! -i lo -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 224.0.0.0/240.0.0.0 -j DROP
-A INPUT -d 10.1.1.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -s 10.1.1.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -i eth1 -j PUB_IN
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 25 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 53 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 80 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 110 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 443 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 1723 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --dport 3389 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p gre -j ACCEPT
-A FORWARD -p esp -j ACCEPT
-A FORWARD -p tcp -m tcp -s 10.1.1.0/255.255.255.0 -d 0.0.0.255/0.0.0.255 -o eth1 --dport 137:139 -j DROP
-A FORWARD -p udp -m udp -s 10.1.1.0/255.255.255.0 -d 0.0.0.255/0.0.0.255 -o eth1 --dport 137:139 -j DROP
-A OUTPUT -o eth1 -j PUB_OUT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 11111 -j PAROLE
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 23 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 21 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 143 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 110 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 79 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 111 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 512 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 513 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 98 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp -m state -m limit --dport 22 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p udp -m udp -m state -m limit --dport 31337 --limit 5/sec --limit-burst 8 --state INVALID,NEW -j LOG --log-prefix "audit"
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j DROP
-A PUB_OUT -j ACCEPT
-A FORWARD -s 10.1.1.0/255.255.255.0 -o eth1 -j ACCEPT
-A FORWARD -j DROP
COMMIT
# Completed on Sat Oct 25 21:05:52 2003
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed


---- End of IPTABLES output.

Old 11-10-2003, 02:09 PM   #2
warath
Member
 
Registered: Oct 2001
Location: Ontario, Canada
Distribution: Redhat 9
Posts: 43

Try removing this line
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination 10.1.1.1:80
and setting your webserver to listen on all available IPs.
 
Old 11-10-2003, 03:23 PM   #3
JawjLindo
LQ Newbie
 
Registered: Nov 2003
Posts: 2

Original Poster
Thanks for your reply.

I cannot remove this line because I am doing port forwarding from the Internet (eth1) to my internal Web server (this server is not the same box as my RH9 box).

I am not having any issues forwarding those packets inbound from eth1. The packet drops are occurring when I use an internal client machine on the 10.1.1.0/255.255.255.0 network that uses this RH9 box as a default gateway. I would prefer to not have to change the URL in the browser to 10.1.1.1 when I want to access the server from inside the firewall.

I hope this clears it up a little more.
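The situation the original poster describes is the classic hairpin NAT (NAT reflection) problem. Every DNAT rule in the posted nat/PREROUTING chain carries "-i eth1", so a LAN client's SYN to the public address arrives on eth0, is never translated, gets routed to the firewall itself and lands in the INPUT chain rather than FORWARD; unless the firewall box itself listens on port 80, the connection goes nowhere. The script below is an added example, not code from any post in this thread, and shows the three rules that fix it for one port plus a LOG-based diagnostic for the "where is it being dropped" question. Assumptions: 203.0.113.10 stands in for the public address (the post's 444.333.222.111 is a placeholder, not a valid IPv4 address, and iptables would reject it); the function names hairpin_rules and trace_web are mine; and IPT defaults to "echo iptables" so the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Hairpin NAT (NAT reflection) for the topology in the thread:
#   eth1 = external, eth0 = internal 10.1.1.0/24, web server 10.1.1.1.
# Added example, not from the original post. Assumptions:
#   - 203.0.113.10 stands in for the public address (the post's
#     444.333.222.111 is a placeholder, not a valid IPv4 address);
#   - IPT defaults to "echo iptables" (dry run). Run as root with
#     IPT=iptables to apply the rules for real.

EXT_IF="${EXT_IF:-eth1}"
INT_IF="${INT_IF:-eth0}"
EXT_IP="${EXT_IP:-203.0.113.10}"
LAN="${LAN:-10.1.1.0/24}"
WEB="${WEB:-10.1.1.1}"
IPT="${IPT:-echo iptables}"

# Emit the three rules that make one TCP port on the internal server
# reachable from the LAN through the public address. Prints one rule
# per line (or applies them when IPT=iptables).
hairpin_rules() {
    port="$1"
    # 1. Translate LAN -> public-IP traffic to the internal server, like the
    #    posted eth1 rule but matched on the internal interface.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -s "$LAN" -d "$EXT_IP" \
        -p tcp --dport "$port" -j DNAT --to-destination "$WEB:$port"
    # 2. Rewrite the source as well. Without this the server answers the
    #    client directly from 10.1.1.1, the client expected the reply from
    #    the public address, and the TCP handshake never completes.
    $IPT -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN" -d "$WEB" \
        -p tcp --dport "$port" -j MASQUERADE
    # 3. Let the reflected connection through FORWARD (eth0 in, eth0 out).
    #    Redundant with the post's interface-less "--dport 80" FORWARD rule,
    #    but required on firewalls that restrict FORWARD by interface pair.
    $IPT -A FORWARD -i "$INT_IF" -o "$INT_IF" -s "$LAN" -d "$WEB" \
        -p tcp --dport "$port" -m state --state NEW -j ACCEPT
}

# Diagnostic for "where is it being dropped": log the first packet of each
# new LAN -> port connection at the head of nat/PREROUTING, INPUT and
# FORWARD. The prefix in the kernel log then names the chain the SYN
# reached; with the posted rules a LAN client hitting the public address
# produces "hp-prerouting" and "hp-input" but never "hp-forward".
trace_web() {
    port="$1"
    $IPT -t nat -I PREROUTING 1 -i "$INT_IF" -s "$LAN" -p tcp --dport "$port" \
        -m state --state NEW -j LOG --log-prefix "hp-prerouting "
    $IPT -I INPUT 1 -i "$INT_IF" -s "$LAN" -p tcp --dport "$port" \
        -m state --state NEW -j LOG --log-prefix "hp-input "
    $IPT -I FORWARD 1 -i "$INT_IF" -s "$LAN" -p tcp --dport "$port" \
        -m state --state NEW -j LOG --log-prefix "hp-forward "
}

# Demo: the two web ports the post forwards to 10.1.1.1.
for p in 80 443; do
    hairpin_rules "$p"
done
```

Two caveats a practitioner would want before applying this. First, the MASQUERADE in step 2 means the web server sees every hairpinned connection as coming from the firewall's eth0 address, so client IPs vanish from its access logs and from any per-IP rate limiting on the server; if that matters, split-horizon DNS (an internal zone that resolves www to 10.1.1.1) avoids reflection entirely and is the cleaner fix. Second, the LOG rules from trace_web are inserted at position 1 and match NEW connections only, so they are cheap, but remove them again with the matching "-D" commands once the chain has been identified.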