Old 06-28-2012, 08:31 AM   #1
brunoschwartz
LQ Newbie
 
Registered: Aug 2010
Posts: 15

Rep: Reputation: 0
iptables not routing internal network


Hello All

I am trying to set up a web server which would face the outside but also the internal network and work as a router for the internal network at the same time. The NAT and server from the outside work fine, but I cannot access the web server from the internal network (addresses 192.168.1.0/24). The server LAN interface is 192.168.1.1. I cannot find the problem. I tried to set up iptables logging but did not find anything useful. Bearing in mind that I am a Linux newbie, can you spot any problem in my iptables script? Much appreciated.

Best regards,

Bruno


Here is the script I invoke to start iptables:
Code:
#!/bin/sh
##/usr/local/bin/fw_nat
#iptables firewall script for sharing
#broadband Internet, with no public services

#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth1"
WAN_IFACE="eth0"

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

#basic set of kernel modules
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE


#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT

#Enable IP masquerading
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source "ext.IP"

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#Reject connection attempts not initiated from inside the LAN
$ipt -A INPUT -p tcp --syn -j DROP
 
Old 06-28-2012, 01:33 PM   #2
ShadowCat8
Member
 
Registered: Nov 2004
Location: Arcadia, CA
Distribution: Gentoo, Arch, (RedHat4.x-9.x, FedoraCore 1.x-4.x, Debian Potato-Sarge, LFS 6.0, etc.)
Posts: 209

Rep: Reputation: 43
Greetings,

Well, from what I can see, I think you might be missing a rule to allow a connection from within the LAN to connect to the interface that is in the LAN on your webserver/router. Something to the effect of:
Code:
$ipt -A INPUT -s 192.168.1.0/24 -d 192.168.1.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Now that's off the top of my head, so you might need to adjust that line above by adding specific port(s) and/or interface, but it should be something like that, if memory serves correctly.

HTH. Let us know.

Last edited by ShadowCat8; 06-28-2012 at 01:36 PM.
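To see why the LAN request is dropped by the posted script and why the placement of the suggested rule matters, here is an added Python model of the INPUT chain (example code, not from the thread). The interface and port restrictions on the new rule follow ShadowCat8's hint and are assumptions, and the packets are constructed, not captured.

```python
import ipaddress

def matches(rule, pkt):
    """Every criterion present in the rule must match the packet."""
    for key in ("iface", "proto", "syn"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    if "state" in rule and pkt.get("state") not in rule["state"]:
        return False
    if "dport" in rule and pkt.get("dport") not in rule["dport"]:
        return False
    return True

def verdict(chain, policy, pkt):
    """First-match semantics: walk the chain in order, fall back to the policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# INPUT chain exactly as the posted script builds it (policy DROP).
ORIGINAL_INPUT = [
    {"iface": "lo", "target": "ACCEPT"},
    {"state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"proto": "tcp", "syn": True, "target": "DROP"},
]

# ShadowCat8's rule, tightened to the LAN interface and web ports (assumed values).
LAN_WEB_RULE = {"iface": "eth1", "src": "192.168.1.0/24", "dst": "192.168.1.1/32",
                "proto": "tcp", "dport": {80, 443},
                "state": {"NEW", "RELATED", "ESTABLISHED"}, "target": "ACCEPT"}

def evaluate_input(pkt, fix=None):
    """fix=None: script as posted; 'append': rule added with -A at the end of the
    script; 'before_syn_drop': rule placed ahead of the '--syn -j DROP' line."""
    chain = list(ORIGINAL_INPUT)
    if fix == "append":
        chain.append(LAN_WEB_RULE)
    elif fix == "before_syn_drop":
        chain.insert(2, LAN_WEB_RULE)
    return verdict(chain, "DROP", pkt)

# Constructed sample packets: first SYN of a LAN browser, and a LAN SSH attempt.
LAN_WEB_SYN = {"iface": "eth1", "src": "192.168.1.50", "dst": "192.168.1.1",
               "proto": "tcp", "dport": 80, "syn": True, "state": "NEW"}
LAN_SSH_SYN = dict(LAN_WEB_SYN, dport=22)
```

Because the script uses `-A`, the new ACCEPT rule has to appear before the `-p tcp --syn -j DROP` line; appended after it, LAN SYNs never reach it and the web server stays unreachable.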
 
Old 06-29-2012, 05:05 AM   #3
brunoschwartz
LQ Newbie
 
Registered: Aug 2010
Posts: 15

Original Poster
Rep: Reputation: 0
Yes, your suggestion made the difference. Lovely :-)
 
Old 06-29-2012, 11:46 AM   #4
ShadowCat8
Member
 
Registered: Nov 2004
Location: Arcadia, CA
Distribution: Gentoo, Arch, (RedHat4.x-9.x, FedoraCore 1.x-4.x, Debian Potato-Sarge, LFS 6.0, etc.)
Posts: 209

Rep: Reputation: 43
Great!

Don't forget to add [SOLVED] to the title of your initial post.

Have a great one!
 