iptables not routing internal network
Hello All
I am trying to set up a web server which would face the outside but also the internal network and work as a router for the internal network at the same time. The NAT and server from the outside work fine, but I cannot access the web server from the internal network (addresses 192.168.1.0/24). The server lan interface is 192.168.1.1. I cannot find the problem. I tried to set up iptables logging but did not find anything useful. Bearing in mind that I am a linux newbie, can you spot any problem in my iptables script? Much appreciated. Best regards, Bruno ===================Here is the script I invoke to start iptables. #!/bin/sh ##/usr/local/bin/fw_nat #iptables firewall script for sharing #broadband Internet, with no public services #define variables ipt="/sbin/iptables" mod="/sbin/modprobe" LAN_IFACE="eth1" WAN_IFACE="eth0" # Flush all active rules and delete all custom chains $ipt -F $ipt -t nat -F $ipt -t mangle -F $ipt -X $ipt -t nat -X $ipt -t mangle -X #basic set of kernel modules $mod ip_tables $mod ip_conntrack $mod iptable_filter $mod iptable_nat $mod iptable_mangle $mod ipt_LOG $mod ipt_limit $mod ipt_state $mod ipt_MASQUERADE #Set default policies $ipt -P INPUT DROP $ipt -P FORWARD DROP $ipt -P OUTPUT ACCEPT $ipt -t nat -P OUTPUT ACCEPT $ipt -t nat -P PREROUTING ACCEPT $ipt -t nat -P POSTROUTING ACCEPT $ipt -t mangle -P PREROUTING ACCEPT $ipt -t mangle -P POSTROUTING ACCEPT #this line is necessary for the loopback interface #and internal socket-based services to work correctly $ipt -A INPUT -i lo -j ACCEPT #Enable IP masquerading $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source "ext.IP" #Enable unrestricted outgoing traffic, incoming #is restricted to locally-initiated sessions only $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT $ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #Reject connection attempts not initiated from inside the LAN $ipt -A INPUT -p tcp --syn -j DROP |
Greetings,
Well, from what I can see, I think you might be missing a rule to allow a connection from within the LAN to connect to the interface that is in the LAN on your webserver/router. Something to the effect of: Code:
$ipt -A INPUT -s 192.168.1.0/24 -d 192.168.1.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT HTH. Let us know. |
Yes, your suggestion made the difference. Lovely :-)
|
Great!
Don't forget to add [SOLVED] to the title of your initial post. :) Have a great one! |
All times are GMT -5. The time now is 11:05 AM. |