Old 08-27-2005, 11:51 AM   #1
Registered: Jun 2004
Location: France, UE
Distribution: Arch Linux, Bodhi, Debian, Mageia, OpenMediaVault, Q4OS
Posts: 133

[IPTABLES] open ext access to web server on GW server

[SOLVED ! See last post]

Hi !

I have a Zope Web Server running fine on my LAN gateway/firewall PC,
but I found it impossible to open access to this Web Server from outside the LAN.

* Here is the LAN:

Static IP ethernet ADSL modem
[eth0] gateway/firewall PC with iptables & Zope Web Server [eth1]

gateway/firewall PC's /etc/hosts file is:
Code: localhost llewellyn
* Here is the IPTABLES rule that I thought would allow access to the Web Server on the gateway/firewall PC:
iptables -A INPUT -p tcp -i eth0 --dport [Server_Port] --sport 1024: \
  -m state --state NEW -j ACCEPT
Now, that server is awfully inaccessible from outside (many of my relatives were requested to give it a try).

Despite this, I have full access to it from a LAN PC via the public IP:PORT.

I'm way too new to IPTABLES to analyze the logs, but here's what I see when a guy tries to access the Web server:
Aug 26 20:59:31 llewellyn IN=eth0 OUT= MAC=00:40:f4:49:e6:3e:00:07:cb:02:3c:3e:08:00 
	LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=22867 DF PROTO=TCP
	WINDOW=64800 RES=0x00 ACK URGP=0
where 60.16.83.XXX is that guy's IP and 82.67.96.XX my static IP,
3442 that guy's source port and XXXX the port my web server is listening on.

Any advice would be really appreciated.

Last edited by kozaki; 08-27-2005 at 05:13 PM.
Old 08-27-2005, 03:05 PM   #2
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

What do your OUTPUT rules look like? You need to allow the answers out.
Old 08-27-2005, 03:29 PM   #3
Original Poster

Mara, of course yes!

Here it is (only changed length of lines):
# Allow all bidirectional traffic from your firewall to the protected network
# - Interface eth1 is the private network interface

iptables -A INPUT   -j ACCEPT -p all -s -i eth1
iptables -A OUTPUT  -j ACCEPT -p all -d -o eth1

# -------------------------------------------------------------
# [4] Allowing WWW And SSH Access To Your Firewall
# -------------------------------------------------------------

# This sample snippet is for a firewall that doubles as a web server that is managed remotely by its system administrator via secure shell (SSH) sessions.
# Inbound packets destined for ports 80 and 22 are allowed thereby making the first steps in establishing a connection.
# It isn't necessary to specify these ports for the return leg as outbound packets for all established connections are allowed.
# Connections initiated by persons logged into the Web server will be denied as outbound NEW connection packets aren't allowed.

# Allow previously established connections
# - Interface eth0 is the internet interface

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
IPtables script source: Peter Harrison,

Wouldn't one think it is enough for my purpose (access to the server on the gateway)?
Old 08-27-2005, 05:11 PM   #4
Original Poster

This double instruction (OUTPUT authorized for Established,Related and INPUT for New) should have been sufficient, shouldn't it?

Alright, I found an *interesting* script for configuring / debugging IPtables: Arno's IPtables-firewall.
Now the Web Server is open (and the other rules that worked fine are still there).
Plus, this script really makes editing IPtables much easier, and prints easy-to-read logs:
Aug 28 02:08:47 gateway Connection attempt (UNPRIV): IN=eth0 OUT= MAC=... SRC=222.141.102.X DST=82.67.96.XX LEN=500 TOS=0x00 PREC=0x00 TTL=39 ID=0 DF PROTO=UDP SPT=44091 DPT=1026 LEN=480
Aug 28 02:08:48 gateway Connection attempt (PRIV): IN=eth0 OUT= MAC=... SRC=82.67.133.XXX DST=82.67.96.XX LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=36772 DF PROTO=TCP SPT=3294 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=
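A complete minimal stateful ruleset for the layout in this thread, added here as an example and not the poster's or Peter Harrison's script: it accepts ESTABLISHED,RELATED on INPUT as well as OUTPUT for eth0, because every packet of an accepted connection after the first SYN (such as the ACK logged in post #1) carries the ESTABLISHED state and is not matched by a NEW-only rule. Interface names follow the thread; the LAN network 192.168.1.0/24 and web port 8080 are constructed placeholders, and IPT=echo gives a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not the poster's or Peter Harrison's script): minimal stateful
# ruleset for a gateway that also runs the web server. 192.168.1.0/24 and 8080
# are constructed placeholders; eth0/eth1 follow the thread. IPT=echo = dry run.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_PORT="${WEB_PORT:-8080}"

apply_rules() {
    # Clean slate, deny by default on every chain.
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback, then the trusted LAN side in both directions.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
    # Conntrack on the internet side. Once the SYN is accepted, every later
    # packet of that connection (ACK, data, FIN) has state ESTABLISHED and
    # needs an ACCEPT on INPUT as well as OUTPUT; a NEW-only INPUT rule
    # matches the SYN but not the ACK logged in post #1.
    $IPT -A INPUT  -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The single exposed service: new TCP connections to the web port.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$WEB_PORT" \
        -m state --state NEW -j ACCEPT
    # Rate-limited log of what the DROP policy is about to discard, so the
    # syslog shows which packets matched no ACCEPT rule.
    $IPT -A INPUT -i "$WAN_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "INPUT DROP: "
}

# Print the commands instead of applying them (subshell keeps IPT unchanged).
dry_run() {
    ( IPT=echo; apply_rules )
}
# Number of generated rules carrying exactly the given --state argument.
count_state_rules() {
    dry_run | grep -c -- "--state $1 "
}
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    dry_run
fi
```

Run it without arguments to review the generated rules, or as root with `apply` to load them.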

