-   Linux - Networking (
-   -   [IPTABLES] open ext access to web server on GW server (

kozaki 08-27-2005 11:51 AM

[IPTABLES] open ext access to web server on GW server
[SOLVED ! See last post]

Hi !

Have a Zope Web Server running fine on my LAN gateway/firewall PC,
But I found impossible to open access to this Web Server from outside the LAN :(

* Here is the LAN :

Static IP ethernet ADSL modem
[eth0] gateway/firewall PC with iptables & Zope Web Server [eth1]

gateway/firewall PC's /etc/hosts file is :
Code:                      localhost                      llewellyn

* Here is the IPTABLES rule that I thought would allow access to the Web Server on the gateway/firewall PC :

iptables -A INPUT -p tcp -i eth0 --dport [Server_Port] --sport 1024: \
  -m state --state NEW -j ACCEPT

Now, that server is awfully unaccessible from outside (many of my relatives were requested to give it a try ;) )

Despites, I have full access to it from a LAN PC with public IP:PORT :confused:

I'm way too new to IPTABLES to analyze the logs :eek: but here's what i see when a guy tries to access the Web server :

Aug 26 20:59:31 llewellyn IN=eth0 OUT= MAC=00:40:f4:49:e6:3e:00:07:cb:02:3c:3e:08:00
        LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=22867 DF PROTO=TCP
        WINDOW=64800 RES=0x00 ACK URGP=0

where 60.16.83.XXX is that guy's IP & 82.67.96.XX my static IP,
3442 that guy's source Port & XXXX the port my web server is listening to.

Any advice would be really appreciated :newbie:

Mara 08-27-2005 03:05 PM

How do your OUTPUT rules look like? You need to allow the answers out.

kozaki 08-27-2005 03:29 PM

Mara, of course yes !

Here it is (only changed length of lines) :

# Allow all bidirectional traffic from your firewall to the protected network
# - Interface eth1 is the private network interface

iptables -A INPUT  -j ACCEPT -p all -s -i eth1
iptables -A OUTPUT  -j ACCEPT -p all -d -o eth1

# -------------------------------------------------------------
# [4] Allowing WWW And SSH Access To Your Firewall
# -------------------------------------------------------------

# This sample snippet is for a firewall that doubles as a web server that is managed remotely by its system administrator via secure shell (SSH) sessions.
# Inbound packets destined for ports 80 and 22 are allowed thereby making the first steps in establishing a connection.
# It isn't necessary to specify these ports for the return leg as outbound packets for all established connections are allowed.
# Connections initiated by persons logged into the Web server will be denied as outbound NEW connection packets aren't allowed.

# Allow previously established connections
# - Interface eth0 is the internet interface

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \

IPtables script source : Peter Harrison,

Wouldn't one think it is enough for my purpose (access to the server on Gateway) :confused:

kozaki 08-27-2005 05:11 PM

This double instruction (OUTPUT authorized for Established,Related & INPUT for New) should have been sufficient, isn't it ?

Allllllllright I found an *intéressant* script for configuring / debugging IPtables: Arno's IPtables-firewall
Now the Web Server is open (and others rules that worked fine are still there :).
Plus, this script really make it much more easier for editing IPtables, and print easy-to-read Logs :D

Aug 28 02:08:47 gateway Connection attempt (UNPRIV): IN=eth0 OUT= MAC=... SRC=222.141.102.X DST=82.67.96.XX LEN=500 TOS=0x00 PREC=0x00 TTL=39 ID=0 DF PROTO=UDP SPT=44091 DPT=1026 LEN=480
Aug 28 02:08:48 gateway Connection attempt (PRIV): IN=eth0 OUT= MAC=... SRC=82.67.133.XXX DST=82.67.96.XX LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=36772 DF PROTO=TCP SPT=3294 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=

All times are GMT -5. The time now is 05:39 AM.