IPtables: Can not access web server from outside the firewall

livetoday · 12-28-2007, 07:07 AM

I have one test web server that has a public (x.x.x.195)and private ip (172.25.20.9)

Now I want to do natting in iptables so I disabled the public ip and tried to do using following entries in /etc/sysconfig/iptables.

:PREROUTING ACCEPT [138:27825]
:POSTROUTING ACCEPT [3:238]
:OUTPUT ACCEPT [1:84]
-A PREROUTING -d X.X.X.195 -i eth0 -j DNAT --to-destination 172.25.20.9
-A POSTROUTING -s 172.25.20.9 -o eth1 -j SNAT --to-source X.X.X.195
COMMIT
# Completed on Fri Dec 28 18:16:13 2007
# Generated by iptables-save v1.2.11 on Fri Dec 28 18:16:13 2007
*filter
:INPUT ACCEPT [330:35182]
:FORWARD ACCEPT [2:168]
:OUTPUT ACCEPT [31:3332]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m

However, I am not able to ping the public ip and getting destination host unreachable error . I can not access the web server using web browser Browser gives error "server refused the connection".

Kindly let me know what I need to change in iptables.

TylerD75 · 12-28-2007, 09:12 AM

Hmm, not quite sure what you're trying to do?

First off, I recommend you either run iptables commands from the command-line, or use a bash script to run the commands for you.

You're editing the iptables-save file, which is NOT the way to do it...

And when it comes to the forwarding you're trying to set up, why? Why are you forwarding requests from the external interface to the internal?
This looks very strange, especially when you can setup apache (and probably ALL other webservers) to use both internal and external IPs.

And: If you disable the external IP, is it really a mystery why you can't ping it? Or did I misunderstand?

Hope this helps? If not, I suggest you describe the problem a little bit. What are you trying to do? Do you have a vhost on the internal IP that you want to have working on the external ip?

I get the feeling this is an apache config problem, not iptables?

livetoday · 12-31-2007, 04:40 AM

Thanks for the response...here is simplified version of my problem..

I have installed web server on 172.25.20.9 and I want it to be accessible from outside firewall.

I want each request to come to firewall server and the firewall server should forward it to the internal web server (172.25.20.9).

Firewall server external ip is x.x.x.195 and the interface is eth0.
internal ip is 172.25.20.7 and able to ping 172.25.20.9

I have made default policy of each chain is to ACCEPT and also added the following rule.

iptables -t nat -A PREROUTING -i eth0 -d x.x.x.195 -p tcp --dport 80 -j DNAT --to-destination 172.25.20.9

iptables -t filter -L output is:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Still getting the error "connection refused" ...what other rules I need to add ?