iptables issue? want to allow external access to a webserver

moekad · 11-17-2009, 05:30 PM

hey need help
i got:
modem => linux box => client
modem have pulic ip PPPoe, connect to linux box with dhcp 192.168.1.0/24
and another lan 192.168.0.0/24 to client:
i want external network to have access to my private network i use LAN:
/sbin/iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination 192.168.1.66:80
/sbin/iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source $REAL_IP:80

but it won't work why?
i did a webserver and i want outside network to open my website! why didn't work? what's wrong? thanks
TIPS: internal network it work but external network it didn't work any issue plz ?
Thx

fotoguy · 11-18-2009, 03:48 AM

First of all, there could be any number of issues that could be causing this, have you turned ip-forwarding on in the kernel? you will also need to have some FORWARD chain rules after you have PREROUTING/POSTROUTING rules to push the data between the network cards. Also Could you post your full iptables script as well.

esaym · 11-18-2009, 07:54 AM

I would try installing shorewall. It really helps make managing iptables stuff easy

rupertwh · 11-18-2009, 08:14 AM

Quote:

Originally Posted by moekad

modem => linux box => client
modem have pulic ip PPPoe, connect to linux box with dhcp 192.168.1.0/24
and another lan 192.168.0.0/24 to client

That sounds as if your modem is a router rather than a modem. I.e. your network looks like:

Code:

(Uplink)<--PPPoE--> Modem <--192.168.1.0/24 --> Linux <--192.168.0.0/24 --> Client

In that case you would have to do port forwarding both on your modem and your linux box.

As to your iptables statement: Your are currently forwarding *any* tcp traffic from *any* interface to your client.
You'd rather want something like:

Code:

iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 80 -j DNAT --to-destination 192.168.1.66:80

BTW that forwarding IP doesn't fit to your network description. So maybe you could clarify that first.

moekad · 11-18-2009, 04:10 PM

Quote:

Originally Posted by fotoguy

First of all, there could be any number of issues that could be causing this, have you turned port-forwarding on in the kernel? you will also need to have some FORWARD chain rules after you have PREROUTING/POSTROUTING rules to push the data between the network cards. Also Could you post your full iptables script as well.

hey thans
yes i did echo 1 > /proc/sys/net/ipv4/ip_forward
u've said port-forwarding ! how i can turn it on?
i did :
iptables -t nat -A PREROUTING -d $REAL_IP -p tcp --dport 80 -j DNAT --to-destination 192.168.1.66:80
iptables -t nat -A POSTROUTING -p tcp --sport 80 -j SNAT --to-source $REAL_IP:80
iptables -A FORWARD -i eth1 -o eth3 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth1 -p tcp --sport 80 -j ACCEPT

Thx for your help alot =)

fotoguy · 11-19-2009, 02:51 AM

Quote:

Originally Posted by moekad

u've said port-forwarding ! how i can turn it on?

oops! sorry that was a error on my end, I meant ip-forwarding on in the kernel, which you say you have done with:

Quote:

echo 1 > /proc/sys/net/ipv4/ip_forward

moekad · 11-19-2009, 10:42 AM

Quote:

Originally Posted by fotoguy

oops! sorry that was a error on my end, I meant ip-forwarding on in the kernel, which you say you have done with:

ah ok
so any clue how i can fix it then ?
Thx

win32sux · 11-19-2009, 11:46 AM

Quote:

Originally Posted by moekad

iptables -t nat -A PREROUTING -d $REAL_IP -p tcp --dport 80 -j DNAT --to-destination 192.168.1.66:80
iptables -t nat -A POSTROUTING -p tcp --sport 80 -j SNAT --to-source $REAL_IP:80
iptables -A FORWARD -i eth1 -o eth3 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth1 -p tcp --sport 80 -j ACCEPT

The only strange thing I see here is the fact that you're not specifying the interfaces in your PRE/POSTROUTING rules. This would cause failure, but only under certain circumstances. You seem to be experiencing total failure, so that's probably not the cause. Still, try this cleaned up set of rules:

Code:

iptables -P FORWARD DROP

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE \
-d 192.168.1.66 --dport 80 -m state --state NEW -j ACCEPT

iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE -d $WAN_IP --dport 80 \
-j DNAT --to-destination 192.168.1.66

iptables -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source $WAN_IP

If it doesn't work please post the log messages generated, as well as the output from these commands:

Code:

iptables -nvL

Code:

iptables -nvL -t nat

Code:

cat /proc/sys/net/ipv4/ip_forward

We should be able to properly diagnose the problem with that information. If you aren't getting any log messages when the connection attempts fail then, as mentioned by rupertwh, you'll need to confirm that you don't need to do port-forwarding on the device your WAN interface is connected to.

moekad · 11-19-2009, 09:12 PM

Quote:

Originally Posted by win32sux

The only strange thing I see here is the fact that you're not specifying the interfaces in your PRE/POSTROUTING rules. This would cause failure, but only under certain circumstances. You seem to be experiencing total failure, so that's probably not the cause. Still, try this cleaned up set of rules:

Code:

iptables -P FORWARD DROP

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE \
-d 192.168.1.66 --dport 80 -m state --state NEW -j ACCEPT

iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE -d $WAN_IP --dport 80 \
-j DNAT --to-destination 192.168.1.66

iptables -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source $WAN_IP

If it doesn't work please post the log messages generated, as well as the output from these commands:

Code:

iptables -nvL

Code:

iptables -nvL -t nat

Code:

cat /proc/sys/net/ipv4/ip_forward

We should be able to properly diagnose the problem with that information. If you aren't getting any log messages when the connection attempts fail then, as mentioned by rupertwh, you'll need to confirm that you don't need to do port-forwarding on the device your WAN interface is connected to.

iptables Config: (INPUT OUTPUT FORWARD were Dropped and i try them as accept trying to resolv same)
//////////////////
# Generated by iptables-save v1.4.1.1 on Fri Nov 20 04:10:19 2009
*filter
:INPUT ACCEPT [6:468]
:FORWARD DROP [1968:95099]
:OUTPUT ACCEPT [17:14768]
-A INPUT -d 192.168.1.66/32 -p udp -m comment --comment "Allow local to traceroute" -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.26/32 -d 192.168.0.1/32 -p tcp -m tcp --dport 3128 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 127.0.0.1/32 -j ACCEPT
-A INPUT -d 192.168.1.66/32 -i eth3 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "DNS Port Inciming on Interface Eth3 local Connection" -j ACCEPT
-A INPUT -d 192.168.1.66/32 -i eth3 -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -m comment --comment "HTTP Port Inciming on Interface Eth3 local Connection" -j ACCEPT
-A INPUT -d 192.168.1.66/32 -i eth3 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -m comment --comment "Incoming to SSL/HTTPS Traffic with outgoing Interface Eth3 Local" -j ACCEPT
-A INPUT -d 192.168.1.66/32 -i eth3 -p tcp -m tcp --sport 1863 -m state --state RELATED,ESTABLISHED -m comment --comment "Incoming to MSN Traffic with outgoing Interface Eth3 Local" -j ACCEPT
-A INPUT -s 192.168.0.26/32 -d 192.168.0.1/32 -p tcp -m comment --comment "SSH" -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.26/32 -d 192.168.0.1/32 -i eth1 -p icmp -m icmp --icmp-type 8 -m comment --comment "ICMP Request from 192.168.0.26" -j ACCEPT
-A INPUT -s 192.168.0.26/32 -d 192.168.0.1/32 -i eth1 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.26/32 -d 192.168.1.66/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.26/32 -p icmp -j ACCEPT
-A INPUT -p icmp -m comment --comment "allow Local to ping sites" -j ACCEPT
-A INPUT -s 192.168.1.254/32 -d 192.168.1.66/32 -p tcp -m tcp --sport 23 -j ACCEPT
-A FORWARD -s 192.168.0.26/32 -i eth1 -o eth3 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.26/32 -i eth3 -o eth1 -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.26/32 -i eth1 -o eth3 -p tcp -m tcp --dport 1863 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "MSN" -j ACCEPT
-A FORWARD -d 192.168.0.26/32 -i eth3 -o eth1 -p tcp -m tcp --sport 1863 -m state --state RELATED,ESTABLISHED -m comment --comment "MSN" -j ACCEPT
-A FORWARD -s 192.168.0.26/32 -i eth1 -o eth3 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "HTTPS/SSL" -j ACCEPT
-A FORWARD -d 192.168.0.26/32 -i eth3 -o eth1 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -m comment --comment "HTTPS/SSL" -j ACCEPT
-A FORWARD -s 192.168.0.26/32 -i eth1 -o eth3 -p tcp -m tcp --dport 6667 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "mIRC" -j ACCEPT
-A FORWARD -d 192.168.0.26/32 -i eth3 -o eth1 -p tcp -m tcp --sport 6667 -m state --state RELATED,ESTABLISHED -m comment --comment "mIRC" -j ACCEPT
-A FORWARD -s 192.168.0.26/32 -i eth1 -o eth3 -p tcp -m multiport --dports 20,21 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "FTP" -j ACCEPT
-A FORWARD -s 192.168.0.26/32 -i eth3 -o eth1 -p tcp -m multiport --sports 20,21 -m state --state RELATED,ESTABLISHED -m comment --comment "FTP" -j ACCEPT
-A FORWARD -s 192.168.0.26/32 -i eth1 -o eth3 -p tcp -m multiport --dports 5050,5100,5060 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Consequently:Yahoo Port,Yahoo Cam,Yahoo SIP voice" -j ACCEPT
-A FORWARD -d 192.168.0.26/32 -i eth3 -o eth1 -p tcp -m multiport --sports 5050,5100,5060 -m state --state RELATED,ESTABLISHED -m comment --comment "Consequently:Yahoo Port,Yahoo Cam,Yahoo SIP voice" -j ACCEPT
-A FORWARD -s 192.168.0.26/32 -i eth1 -o eth3 -p tcp -m multiport --dports 9000,9010 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "HOTMAIL CAM" -j ACCEPT
-A FORWARD -d 192.168.0.26/32 -i eth3 -o eth1 -p tcp -m multiport --sports 9000,9010 -m state --state RELATED,ESTABLISHED -m comment --comment "HOTMAIL CAM" -j ACCEPT
-A FORWARD -s 192.168.0.26/32 -i eth1 -o eth3 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "SSH" -j ACCEPT
-A FORWARD -d 192.168.0.26/32 -i eth3 -o eth1 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -m comment --comment "SSH" -j ACCEPT
-A FORWARD -s 192.168.0.26/32 -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.26/32 -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.66/32 -i eth3 -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
-A OUTPUT -s 192.168.1.66/32 -p udp -m comment --comment "Allow local to traceroute" -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.0.1/32 -d 192.168.0.26/32 -p tcp -m tcp --sport 3128 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 192.168.0.1/32 -d 192.168.0.0/24 -p tcp -m comment --comment "SSH" -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s 192.168.1.66/32 -o eth3 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Outgoing to DNS with outgoing Interface Eth3 Local" -j ACCEPT
-A OUTPUT -s 192.168.1.66/32 -o eth3 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Outgoing to HTTP Traffic with outgoing Interface Eth3 Local" -j ACCEPT
-A OUTPUT -s 192.168.1.66/32 -o eth3 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Outgoing to SSL HTTPS Traffic with outgoing Interface Eth3 Local" -j ACCEPT
-A OUTPUT -s 192.168.1.66/32 -o eth3 -p tcp -m tcp --dport 1863 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Outgoing to MSN Traffic with outgoing Interface Eth3 Local" -j ACCEPT
-A OUTPUT -s 192.168.0.1/32 -d 192.168.0.26/32 -p icmp -m icmp --icmp-type 0 -m comment --comment "ICMP Reply for 192.168.0.26" -j ACCEPT
-A OUTPUT -s 192.168.0.1/32 -d 192.168.0.26/32 -o eth1 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.66/32 -d 192.168.0.26/32 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.0.26/32 -p icmp -j ACCEPT
-A OUTPUT -p icmp -m comment --comment "allow Local to ping sites" -j ACCEPT
-A OUTPUT -s 192.168.1.66/32 -d 192.168.1.254/32 -p tcp -m tcp --dport 23 -j ACCEPT
COMMIT
# Completed on Fri Nov 20 04:10:19 2009
# Generated by iptables-save v1.4.1.1 on Fri Nov 20 04:10:19 2009
*nat
:PREROUTING ACCEPT [5252:444077]
:POSTROUTING ACCEPT [1333:82478]
:OUTPUT ACCEPT [12605:1822572]
-A PREROUTING -s 192.168.0.26/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -d $WAN_IP/32 -i eth3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.66
-A POSTROUTING -o eth3 -j SNAT --to-source $WAN_IP
-A POSTROUTING -o eth3 -j MASQUERADE
COMMIT
# Completed on Fri Nov 20 04:10:19 2009
# Generated by iptables-save v1.4.1.1 on Fri Nov 20 04:10:19 2009
*mangle
:PREROUTING ACCEPT [1290588:893033543]
:INPUT ACCEPT [1246866:881367204]
:FORWARD ACCEPT [42235:11491291]
:OUTPUT ACCEPT [1703601:955992613]
:POSTROUTING ACCEPT [1740382:966256070]
-A FORWARD -p tcp -m tcp --dport 3128 -j ECN --ecn-tcp-remove
-A FORWARD -p tcp -m tcp --dport 80 -j ECN --ecn-tcp-remove
-A FORWARD -p tcp -m tcp --dport 1863 -j ECN --ecn-tcp-remove
-A POSTROUTING -o eth3 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Nov 20 04:10:19 2009

0 0 ACCEPT tcp -- eth3 eth1 0.0.0.0/0 192.168.1.66 tcp dpt:80 state NEW
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `FORWARD DROP: '

Chain PREROUTING (policy ACCEPT 5254 packets, 444K bytes)
pkts bytes target prot opt in out source destination
5528 265K REDIRECT tcp -- * * 192.168.0.26 0.0.0.0/0 tcp dpt:80 redir ports 3128
0 0 DNAT tcp -- eth3 * 0.0.0.0/0 $WAN_IP tcp dpt:80 to:192.168.1.66
Chain POSTROUTING (policy ACCEPT 1352 packets, 97805 bytes)
pkts bytes target prot opt in out source destination
1 60 SNAT all -- * eth3 0.0.0.0/0 0.0.0.0/0 to:$WAN_IP
10244 682K MASQUERADE all -- * eth3 0.0.0.0/0 0.0.0.0/0

nothing hit! so nothing log

/etc/squid3# cat /proc/sys/net/ipv4/ip_forward
1

Hope you can resolve my problem thx =)

win32sux · 11-20-2009, 03:33 AM

Quote:

Originally Posted by moekad

0 0 ACCEPT tcp -- eth3 eth1 0.0.0.0/0 192.168.1.66 tcp dpt:80 state NEW
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `FORWARD DROP: '

Chain PREROUTING (policy ACCEPT 5254 packets, 444K bytes)
pkts bytes target prot opt in out source destination
5528 265K REDIRECT tcp -- * * 192.168.0.26 0.0.0.0/0 tcp dpt:80 redir ports 3128
0 0 DNAT tcp -- eth3 * 0.0.0.0/0 $WAN_IP tcp dpt:80 to:192.168.1.66
Chain POSTROUTING (policy ACCEPT 1352 packets, 97805 bytes)
pkts bytes target prot opt in out source destination
1 60 SNAT all -- * eth3 0.0.0.0/0 0.0.0.0/0 to:$WAN_IP
10244 682K MASQUERADE all -- * eth3 0.0.0.0/0 0.0.0.0/0

The top part of that output seems to be missing. Still, it's enough for us to see that no packets have hit either the FORWARD rule, the FORWARD chain policy, or the DNAT rule. You aren't testing this from a box with IP 192.168.0.26, right? I ask because if so, then the packet would match the REDIRECT rule, therefore bypassing the DNAT rule and the FORWARD chain.

Are you able to run tcpdump on this box?

Code:

tcpdump -n -i eth3 port 80 and dst $REAL_IP

Absence of output with that command (when testing the forwarding) would indicate the packets aren't arriving.

moekad · 11-20-2009, 09:44 AM

Quote:

Originally Posted by win32sux

The top part of that output seems to be missing. Still, it's enough for us to see that no packets have hit either the FORWARD rule, the FORWARD chain policy, or the DNAT rule. You aren't testing this from a box with IP 192.168.0.26, right? I ask because if so, then the packet would match the REDIRECT rule, therefore bypassing the DNAT rule and the FORWARD chain.

Are you able to run tcpdump on this box?

Code:

tcpdump -n -i eth3 port 80 and dst $REAL_IP

Absence of output with that command (when testing the forwarding) would indicate the packets aren't arriving.

no bro
i'm testing from external network mean from another REAL IP let them to take access from my webserver
wanna me to test from internal access? i think internal work but external don't
Thx

win32sux · 11-20-2009, 09:51 AM

Quote:

Originally Posted by moekad

no bro
i'm testing from external network mean from another REAL IP let them to take access from my webserver
wanna me to test from internal access? i think internal work but external don't
Thx

Like I said, if the packets are reaching the box then they should show up in tcpdump's output. So yeah, do the test as you normally would (from the WAN side) and see if the packets are reaching this box or not. It doesn't sound to me like they are, but with tcpdump you can know for sure.

If you get output, post it. If you don't get any output, then you know what the problem is.