06-28-2012, 08:31 AM, #1 (LQ Newbie, Registered: Aug 2010, Posts: 15)
iptables not routing internal network
Hello All
I am trying to set up a web server which would face the outside but also the internal network and work as a router for the internal network at the same time. The NAT and server from the outside work fine, but I cannot access the web server from the internal network (addresses 192.168.1.0/24). The server LAN interface is 192.168.1.1. I cannot find the problem. I tried to set up iptables logging but did not find anything useful. Bearing in mind that I am a Linux newbie, can you spot any problem in my iptables script? Much appreciated.
Best regards,
Bruno
Here is the script I invoke to start iptables.
Code:
#!/bin/sh
##/usr/local/bin/fw_nat
#iptables firewall script for sharing
#broadband Internet, with no public services
#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth1"
WAN_IFACE="eth0"
# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X
#basic set of kernel modules
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE
#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT
#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT
#Enable IP masquerading
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source "ext.IP"
#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Reject connection attempts not initiated from inside the LAN
$ipt -A INPUT -p tcp --syn -j DROP
06-28-2012, 01:33 PM, #2, ShadowCat8 (Member, Registered: Nov 2004, Location: Arcadia, CA, Distribution: Gentoo, Sabayon, (RedHat4.x-9.x, FedoraCore 1.x-4.x, Debian Potato-Sarge, LFS 6.0, etc.), Posts: 201)
Greetings,
Well, from what I can see, I think you might be missing a rule to allow a connection from within the LAN to connect to the interface that is in the LAN on your webserver/router. Something to the effect of:
Code:
$ipt -A INPUT -s 192.168.1.0/24 -d 192.168.1.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Now that's off the top of my head, so you might need to adjust that line above by adding specific port(s) and/or interface, but it should be something like that, if memory serves correctly.
HTH. Let us know.
Last edited by ShadowCat8; 06-28-2012 at 01:36 PM.
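The following is an added example, not the original poster's script and not ShadowCat8's exact line: it is the ruleset from post #1 with the LAN-to-router INPUT rule from post #2 inserted, tightened the way that reply suggests (restricted to the LAN interface and to the web port). It assumes the web server listens on TCP 80 (WEB_PORT), uses a placeholder public address (203.0.113.10, from the TEST-NET-3 documentation range) in place of "ext.IP", and adds a dry-run mode plus a check that the new accept rule is actually ordered before the catch-all SYN drop, since iptables evaluates rules top to bottom and an accept placed after the drop never matches. The module loading from the original script is left out; current kernels autoload the netfilter modules on first use.

```shell
#!/bin/sh
# Added example (not the thread's script): the post #1 ruleset plus the fix from
# post #2, with a dry-run mode and an ordering check. Interface names and LAN
# addresses come from the thread; EXT_IP is a placeholder and WEB_PORT an assumption.

LAN_IFACE="${LAN_IFACE:-eth1}"
WAN_IFACE="${WAN_IFACE:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IP="${LAN_IP:-192.168.1.1}"
EXT_IP="${EXT_IP:-203.0.113.10}"   # placeholder (TEST-NET-3); set to the real public address
WEB_PORT="${WEB_PORT:-80}"         # assumed: the web server listens on TCP 80

# With DRY_RUN set, print the command instead of running it; otherwise apply it.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

build_rules() {
    # Flush all rules and delete custom chains, as the original script does
    ipt -F
    ipt -t nat -F
    ipt -t mangle -F
    ipt -X
    ipt -t nat -X
    ipt -t mangle -X
    # Default policies: drop anything not explicitly allowed in
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback, and replies to sessions the router itself initiated
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # The fix from post #2, narrowed as that reply suggests: LAN source addresses,
    # arriving on the LAN interface only (so a spoofed 192.168.1.x source on the
    # WAN side does not match), to the router's LAN address, web port only.
    # It has to sit above the catch-all SYN drop at the end of the INPUT chain.
    ipt -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -d "$LAN_IP" -p tcp --dport "$WEB_PORT" -m state --state NEW -j ACCEPT
    # Source NAT for LAN hosts going out, plus the forwarding rules from post #1
    ipt -t nat -A POSTROUTING -o "$WAN_IFACE" -j SNAT --to-source "$EXT_IP"
    ipt -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Any other attempt to open a TCP connection to the router is dropped
    ipt -A INPUT -p tcp --syn -j DROP
}

# Number of iptables commands the rule set issues (dry run, nothing applied).
count_rules() {
    ( DRY_RUN=1; build_rules ) | grep -c '^iptables '
}

# Sanity check: the LAN accept rule exists and precedes the catch-all SYN drop.
check_rules() {
    rules=$( DRY_RUN=1; build_rules )
    accept_line=$(printf '%s\n' "$rules" | grep -nF -- "-A INPUT -i $LAN_IFACE -s $LAN_NET -d $LAN_IP" | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -nF -- "-A INPUT -p tcp --syn -j DROP" | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

case "${1:-}" in
    apply) check_rules && build_rules ;;          # applies the rules; needs root
    check) check_rules && echo "rule set OK" ;;
    *)     DRY_RUN=1 build_rules ;;               # default: print what would be applied
esac
```

Running the script with no argument prints the sixteen iptables commands it would issue; `check` confirms the accept rule is ordered before the SYN drop; `apply` runs the commands for real. The `-i "$LAN_IFACE"` qualifier is what ShadowCat8's "adding specific port(s) and/or interface" buys you: without it, a packet with a forged 192.168.1.x source address arriving on eth0 would also satisfy the rule.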
06-29-2012, 05:05 AM, #3 (LQ Newbie, Original Poster, Registered: Aug 2010, Posts: 15)
Yes, your suggestion made the difference. Lovely :-)
06-29-2012, 11:46 AM, #4 (Member, Registered: Nov 2004, Location: Arcadia, CA, Distribution: Gentoo, Sabayon, (RedHat4.x-9.x, FedoraCore 1.x-4.x, Debian Potato-Sarge, LFS 6.0, etc.), Posts: 201)
Great!
Don't forget to add [SOLVED] to the title of your initial post.
Have a great one!