LinuxQuestions.org
08-08-2005, 01:35 AM   #1
angel_hva
iptables Problem


Hi everybody,

I'm learning Linux and trying to set up a firewall server. I configured a LAN which has 3 computers: the middle computer (Linux OS, firewall server) has 2 Ethernet cards and is assigned the IP addresses 10.9.9.1 and 10.7.7.1. This computer connects to 2 computers using the Ethernet cards --> the 2 computers have the IP addresses 10.9.9.2 and 10.7.7.2.

Let's say 10.7.7.2 pretends to be the Internet and 10.9.9.2 is my Apache web server (DMZ). From 10.7.7.2, I open a browser and type 10.7.7.1 --> I expect to see the Apache page which belongs to 10.9.9.2. I configured iptables as below:

Code:
# rewrite HTTP arriving for the firewall's outside address so it goes to the web server
iptables -t nat -A PREROUTING -p tcp -d 10.7.7.1 --dport http -j DNAT --to-destination 10.9.9.2
# make forwarded HTTP appear to come from the firewall's DMZ address
iptables -t nat -A POSTROUTING -p tcp -d 10.9.9.2 --dport http -j SNAT --to-source 10.9.9.1
# the same redirection for connections the firewall itself makes to 10.9.9.1
iptables -t nat -A OUTPUT -p tcp -d 10.9.9.1 --dport http -j DNAT --to-destination 10.9.9.2
What's wrong with my configuration? It has driven me crazy for more than a week and I don't know what I have to do; just a simple firewall, please.
 
08-08-2005, 02:13 AM   #2
marvin00001
I'm sure you would have to have rules for forwarding in the script so that the kernel knows to allow forwarding:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -A FORWARD -i eth0 -j ACCEPT

I'm no iptables expert, but from what I have read it looks like you'll need those policies set right at the top of the script.

Hope this helps.

Also perhaps try using a firewall script generator, e.g. easyfwgen.
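A complete rule set for the setup in this thread, as an added example (it is not marvin00001's script or anything the thread posted). Interface names and addresses are the ones from the OP's later posts (eth2 / 10.32.17.111 standing in for the Internet side, eth1 / 10.9.9.1 on the DMZ side); it assumes the web server uses 10.9.9.1 as its default gateway, and it emits the commands instead of running them.

```shell
# Added example: everything needed to forward HTTP from the outside interface to the
# DMZ web server, including the two things the first post's three nat rules leave out:
# IP forwarding in the kernel and FORWARD rules that let the rewritten packets through.
EXT_IF=eth2            # side standing in for the Internet (10.7.7.1 in the first post)
EXT_IP=10.32.17.111
DMZ_IF=eth1            # DMZ side of the firewall (10.9.9.1)
WEB_IP=10.9.9.2        # Apache server; assumed to use 10.9.9.1 as its default gateway
PORT=80

# Emit the commands rather than running them so they can be reviewed first;
# "gen_rules | sh" applies them as root.
gen_rules() {
  cat <<EOF
# 1. nothing is forwarded between interfaces until this is 1
sysctl -w net.ipv4.ip_forward=1
# 2. start from a default-deny FORWARD chain and an empty nat table
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
# 3. let replies of connections the firewall already forwarded back through
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 4. only new HTTP connections from outside, only towards the web server
iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $WEB_IP --dport $PORT -m state --state NEW -j ACCEPT
# 5. rewrite the destination before routing (the first post's PREROUTING rule, pinned to $EXT_IF)
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport $PORT -j DNAT --to-destination $WEB_IP
# No SNAT is needed for outside clients: conntrack reverses the DNAT on the replies,
# as long as the web server routes them back through the firewall's DMZ address.
EOF
}

# Is forwarding on at all? Takes the sysctl file path as a parameter so the check
# can be run against a copy; returns 0 when forwarding is enabled.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

gen_rules
```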
 
08-09-2005, 05:39 AM   #3
angel_hva
Thanks. In fact I don't have any DENY rule in my iptables and I don't know what the reason is. Anybody help? What was wrong with my IP addresses?
 
08-09-2005, 11:16 PM   #4
Matir
Are all the computers on the same physical network? Please post the output of 'ifconfig'.
 
08-12-2005, 05:19 AM   #5
angel_hva
ifconfig output:

eth1 Link encap:Ethernet HWaddr 00:60:08:11:D2:8E
inet addr:10.9.9.1 Bcast:10.255.255.255 Mask:255.255.255.0
inet6 addr: fe80::260:8ff:fe11:d28e/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:182 errors:0 dropped:0 overruns:1 frame:0
TX packets:13 errors:9 dropped:0 overruns:11 carrier:11
collisions:0 txqueuelen:1000
RX bytes:16877 (16.4 KiB) TX bytes:2316 (2.2 KiB)
Interrupt:11 Base address:0xdf00

eth2 Link encap:Ethernet HWaddr 00:60:97:BC:02:80
inet addr:10.32.17.111 Bcast:10.255.255.255 Mask:255.255.255.0
inet6 addr: fe80::260:97ff:febc:280/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10263 errors:0 dropped:0 overruns:0 frame:0
TX packets:165 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9578150 (9.1 MiB) TX bytes:22779 (22.2 KiB)
Interrupt:9 Base address:0xdf40

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6565 errors:0 dropped:0 overruns:0 frame:0
TX packets:6565 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8333289 (7.9 MiB) TX bytes:8333289 (7.9 MiB)
 
08-12-2005, 05:21 AM   #6
angel_hva
ifconfig -a

eth0 Link encap:Ethernet HWaddr 00:0D:56:5E:A9:7E
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:12
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:2820 (2.7 KiB)
Interrupt:3

eth1 Link encap:Ethernet HWaddr 00:60:08:11:D2:8E
inet addr:10.9.9.1 Bcast:10.255.255.255 Mask:255.255.255.0
inet6 addr: fe80::260:8ff:fe11:d28e/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:182 errors:0 dropped:0 overruns:1 frame:0
TX packets:13 errors:9 dropped:0 overruns:11 carrier:11
collisions:0 txqueuelen:1000
RX bytes:16877 (16.4 KiB) TX bytes:2316 (2.2 KiB)
Interrupt:11 Base address:0xdf00

eth2 Link encap:Ethernet HWaddr 00:60:97:BC:02:80
inet addr:10.32.17.111 Bcast:10.255.255.255 Mask:255.255.255.0
inet6 addr: fe80::260:97ff:febc:280/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10319 errors:0 dropped:0 overruns:0 frame:0
TX packets:166 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9634519 (9.1 MiB) TX bytes:22857 (22.3 KiB)
Interrupt:9 Base address:0xdf40

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6565 errors:0 dropped:0 overruns:0 frame:0
TX packets:6565 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8333289 (7.9 MiB) TX bytes:8333289 (7.9 MiB)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
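A diagnostic for ifconfig output like the paste above, as an added example that is not part of the thread: it flags an interface with no RUNNING flag (no link), carrier errors, and a broadcast address that does not match the address/netmask pair. The sample it parses is trimmed from the OP's paste (eth1's MAC reconstructed from its IPv6 link-local address).

```shell
# Added example, not from the thread: read ifconfig output and flag what stops
# forwarding before iptables even matters: no RUNNING flag (no link), carrier
# errors, and a broadcast address that does not match the address/netmask pair.
# The sample is trimmed from the thread's paste (MAC reconstructed from the IPv6 link-local).
sample_ifconfig() {
  cat <<'EOF'
eth1      Link encap:Ethernet  HWaddr 00:60:08:11:D2:8E
          inet addr:10.9.9.1  Bcast:10.255.255.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          TX packets:13 errors:9 dropped:0 overruns:11 carrier:11
eth2      Link encap:Ethernet  HWaddr 00:60:97:BC:02:80
          inet addr:10.32.17.111  Bcast:10.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          TX packets:165 errors:0 dropped:0 overruns:0 carrier:0
EOF
}
# One line per interface: name, link state, carrier errors and (when an IPv4 address
# is set) the broadcast ifconfig shows next to the one the address/netmask implies.
link_check() {
  awk '
    /^[A-Za-z0-9]+ +Link encap:/ { ifc = $1; order[++n] = ifc; running[ifc] = 0; carrier[ifc] = "?" }
    /(^| )RUNNING( |$)/ { running[ifc] = 1 }
    /carrier:/ { for (i = 1; i <= NF; i++) if (index($i, "carrier:") == 1) carrier[ifc] = substr($i, 9) }
    /inet addr:/ {
      ip = bc = mk = ""
      for (i = 1; i <= NF; i++) {
        if (index($i, "addr:") == 1)  ip = substr($i, 6)
        if (index($i, "Bcast:") == 1) bc = substr($i, 7)
        if (index($i, "Mask:") == 1)  mk = substr($i, 6)
      }
      if (bc == "") next                  # loopback / point-to-point: nothing to compare
      split(ip, a, "."); split(mk, m, "."); want = ""
      for (j = 1; j <= 4; j++) {          # directed broadcast: keep network bits, set all host bits
        h = 256 - m[j]; o = a[j] - (a[j] % h) + (255 - m[j])
        sep = (j > 1) ? "." : ""; want = want sep o
      }
      bcast[ifc] = bc; expect[ifc] = want
    }
    END {
      for (k = 1; k <= n; k++) {
        ifc = order[k]
        printf "%s %s carrier_errors=%s", ifc, (running[ifc] ? "link-up" : "NO-LINK"), carrier[ifc]
        if (ifc in bcast)
          printf " bcast=%s expected=%s%s", bcast[ifc], expect[ifc], (bcast[ifc] == expect[ifc] ? "" : " MISMATCH")
        printf "\n"
      }
    }'
}
sample_ifconfig | link_check
```

On the thread's paste this reports eth1 as NO-LINK with 11 carrier errors, which is a cable or NIC problem rather than an iptables one, and a broadcast mismatch on both interfaces.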
 
08-12-2005, 05:23 AM   #7
angel_hva
Here 10.32.17.111 is equivalent to 10.7.7.1, as I said, and I have a computer 10.32.17.8 equivalent to 10.7.7.2.

 
08-12-2005, 05:31 AM   #8
angel_hva
By the way, if I ping from 10.7.7.2:
ping 10.9.9.2 => unreachable

I'm sure I don't have any deny rule in my iptables (INPUT, OUTPUT, FORWARD).
 
08-12-2005, 09:02 AM   #9
Matir
It looks like it might be a kernel routing table issue. What's the output of route?
 
08-18-2005, 06:47 AM   #10
angel_hva
Can you tell me in detail what I should do? Thanks.
 
08-18-2005, 12:22 PM   #11
Matir
Type 'route' in the console and paste the output here.
 
08-19-2005, 02:20 AM   #12
angel_hva
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.9.9.0        *               255.255.255.0   U     0      0        0 eth1
10.32.17.0      *               255.255.255.0   U     0      0        0 eth2
169.254.0.0     *               255.255.0.0     U     0      0        0 lo
 
08-26-2005, 02:11 AM   #13
angel_hva
Matir, still with me?

Anybody help?
 