LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   iptables not routing internal network (https://www.linuxquestions.org/questions/linux-server-73/iptables-not-routing-internal-network-4175413830/)

brunoschwartz 06-28-2012 08:31 AM

iptables not routing internal network
 
Hello All

I am trying to set up a web server which would face the outside but also the internal network and work as a router for the internal network at the same time. The NAT and server from the outside work fine, but I cannot access the web server from the internal network (addresses 192.168.1.0/24). The server LAN interface is 192.168.1.1. I cannot find the problem. I tried to set up iptables logging but did not find anything useful. Bearing in mind that I am a Linux newbie, can you spot any problem in my iptables script? Much appreciated.

Best regards,

Bruno


===================Here is the script I invoke to start iptables.

#!/bin/sh
##/usr/local/bin/fw_nat
#iptables firewall script for sharing
#broadband Internet, with no public services

#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth1"
WAN_IFACE="eth0"

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

#basic set of kernel modules
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE


#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT

#Enable IP masquerading (static SNAT to the router's public address;
#"ext.IP" is a placeholder for that address)
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source "ext.IP"

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#Reject connection attempts not initiated from inside the LAN
$ipt -A INPUT -p tcp --syn -j DROP

ShadowCat8 06-28-2012 01:33 PM

Greetings,

Well, from what I can see, I think you might be missing a rule to allow a connection from within the LAN to connect to the interface that is in the LAN on your webserver/router. Something to the effect of:
Code:

$ipt -A INPUT -s 192.168.1.0/24 -d 192.168.1.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Now that's off the top of my head, so you might need to adjust that line above by adding specific port(s) and/or interface, but it should be something like that, if memory serves correctly.

HTH. Let us know.
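As an added example, not part of the thread and not either poster's script: the rule above tightened the way the reply suggests, with the LAN interface and a port list pinned down, plus an explicit anti-spoofing drop. Interface names and addresses follow the original post; the port list (22, 80, 443) and the ICMP rule are assumptions. The function prints the iptables commands by default so it can be dry-run as an ordinary user; set IPT=/sbin/iptables to apply them as root. Matching on `-i eth1` as well as `-s 192.168.1.0/24` matters: with only the source network, a packet arriving on eth0 with a forged 192.168.1.x source address would also be accepted.

```shell
#!/bin/sh
# Added example (not the OP's fw_nat script): INPUT rules that let LAN hosts
# reach services on the router's own LAN address, 192.168.1.1.
# Interface and addresses follow the thread; the port list and the ICMP rule
# are assumptions made for this example.

LAN_IFACE="eth1"
LAN_NET="192.168.1.0/24"
LAN_ADDR="192.168.1.1"
LAN_TCP_PORTS="22,80,443"      # assumption: services LAN hosts may reach

# Dry-run by default: print the commands. Set IPT=/sbin/iptables to apply.
IPT="${IPT:-echo /sbin/iptables}"

lan_input_rules() {
    # Anti-spoofing first: a packet claiming a LAN source address that did
    # not arrive on the LAN interface is forged or misrouted, so drop it.
    $IPT -A INPUT ! -i "$LAN_IFACE" -s "$LAN_NET" -j DROP

    # New TCP sessions from LAN hosts to the listed services on the router's
    # LAN address. Replies are already covered by the script's existing
    # RELATED,ESTABLISHED rule, so only NEW needs accepting here.
    $IPT -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -d "$LAN_ADDR" \
        -p tcp -m multiport --dports "$LAN_TCP_PORTS" \
        -m state --state NEW -j ACCEPT

    # Allow LAN hosts to ping the router; handy when debugging routing.
    $IPT -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -d "$LAN_ADDR" \
        -p icmp --icmp-type echo-request -j ACCEPT
}

# Print the rules (dry-run) when executed directly.
lan_input_rules
```

These rules have to be added before the script's final `-p tcp --syn -j DROP` line and the INPUT chain's DROP policy take effect, i.e. right after the RELATED,ESTABLISHED rule; iptables evaluates a chain top to bottom and stops at the first match.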

brunoschwartz 06-29-2012 05:05 AM

Yes, your suggestion made the difference. Lovely :-)

ShadowCat8 06-29-2012 11:46 AM

Great!

Don't forget to add [SOLVED] to the title of your initial post. :)

Have a great one!
