Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
08-26-2003, 05:32 PM
|
#1
|
LQ Newbie
Registered: Aug 2003
Location: South Africa
Distribution: Gentoo & FreeBSD
Posts: 4
Rep:
|
Advanced Iptables Issue
Migrating my old FreeBSD Router to Linux, Having some issues with the iptables firewall.
The box is connected to the net through ppp0 (dynamic IP) and to the lan with eth0 (192.168.0.45). All boxes on the network is connected directly to the switch, and this box serves as the gateway for them all. The internal webserver is 192.168.0.254.
I have 2 problems:
[list=1][*]When I change my 'FORWARD' policy to 'DROP' instead of ACCEPT as I think it should be...the http forwarding doesn't work anymore. What rule do I need to add afterwards so the http requests still go through etc?[*]The port 80 / http forwarding works perfectly when trying to http to 192.168.0.45 from the internal network, however, from outside trying to http to ppp0's ip address, it doesn't work. Why not, and how can I make it?[/list=1]
This is my current firewall:
Code:
IPTABLES=/sbin/iptables
EXTIF="ppp0"
INTIF="eth0"
IFCONFIG=/sbin/ifconfig
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
WEBSERVER="192.168.0.254"
printf "\nExternal Interface: $EXTIF\nInternal Interface: $INTIF\n\n"
#CRITICAL: Enable IP forwarding since it is disabled by default since
#
echo "Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo "Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Set external IP Var
INTIP="192.168.0.45"
echo "Internal ip is $INTIP"
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
#
echo "Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo "FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# This is for forwarding http requests to the webserver.
# It's still kind off dodgy, but it works at the moment so thats good.
#
echo "Forwarding all http requests to $WEBSERVER"
# Forward packets coming in from the outside
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER:80
# Allow forwarded packets
iptables -A FORWARD -p tcp --dport 80 -d $WEBSERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Make responses on the internal network go through the firewall
iptables -t nat -A POSTROUTING -p tcp -d $WEBSERVER --dport 80 -j SNAT --to-source $INTIP
Thanks!
|
|
|
08-26-2003, 09:21 PM
|
#2
|
Member
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498
Rep:
|
Look at your last three rules. This is what your basically saying:
If it an HTTP request comes in form the outside. Change its destination address to 192.168.0.254. Then allow it through the FORWARD table. Then heres the error: Change the source address to 192.168.0.45. SO basically the webserver will get the packet but will send it back destined to your router and not the external client. Just erase or comment out the last line. When the packets are sent pack from the webserver your default SNAT will take care of it just as if it was another PC on the LAN trying to talk to the outside.
--tarballedtux
|
|
|
08-27-2003, 03:37 AM
|
#3
|
LQ Newbie
Registered: Aug 2003
Location: South Africa
Distribution: Gentoo & FreeBSD
Posts: 4
Original Poster
Rep:
|
I have tried that, but, without it, the forwarding doesn't work. Anything else that I might have done wrong or missed?
I've tried putting the webserver's gateway on both 192.168.0.45 and totally removing it. Without that rule neither eth0 or ppp0's forwarding works.
Thanks
|
|
|
08-27-2003, 06:33 PM
|
#4
|
Member
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498
Rep:
|
What I am saying is erase that final rule. There is no reason for it.
--tarballedtux
|
|
|
08-27-2003, 11:57 PM
|
#5
|
LQ Guru
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280
Rep:
|
# Make responses on the internal network go through the firewall
iptables -t nat -A POSTROUTING -p tcp -d $WEBSERVER --dport 80 -j SNAT --to-source $INTIP
yea this rule is shady, it says:
before a packet leaves this gateway....
If the protocol is TCP and destination is the webserver:80,
change the SOURCE address of this packet to the address of the router (the machine the packet is leaving in the 1st place).
what this does is make your webserver think that each hit is comming from the Router, so If I were to hit you webserver (or try) with my IP being something like 128.61.34.256, I wouldn't get a replay back because your webserver will send the reply back to 192.168.0.45, and then the router will probably just drop it. It would never come back to me.
It's kinda like this:
Your mom gives your dad 10 bucks to give to you. And you mom says "tell him its from me". Your dad then gives you the money and says "here son, this 10 bucks is from me". Now you thank your dad instead of you mom who really gave you the money and you mom never hears back from you about the 10 bucks because u already thanked your dad and she's out of the loop....
in that analogy, your mom is the client making the request, your dad is the router, and you are the webserver.
(i have a habbit of making analogies all the time)
|
|
|
08-30-2003, 07:09 AM
|
#6
|
LQ Newbie
Registered: Aug 2003
Location: South Africa
Distribution: Gentoo & FreeBSD
Posts: 4
Original Poster
Rep:
|
aaarrrgghhhhhh!
Okay...It's *still* not working and I've read up everything I could find on iptables/netfilter by now. It is changed though. But it still doesn't forward http requests at all.
The webserver's gateway is set to the firewall box's ip, and the webserver isn't running any firewall or nat software at all.
This is what it looks like at the moment:
Code:
#!/sbin/runscript
IPTABLES=/sbin/iptables
EXTIF="ppp0"
INTIF="eth0"
IFCONFIG=/sbin/ifconfig
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
WEBSERVER="192.168.0.57"
# Flush tables and set policies
echo "Clearing any existing rules and setting default policy.."
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -F INPUT
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -F OUTPUT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -F FORWARD
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -F OUTPUT
start() {
ebegin "Loading Firewall"
# Enable IP forwarding
echo "Enabling Forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Enable Dynamic IP
echo "Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Set external IP
EXTON=`ifconfig | grep $EXTIF`
if [ $? -eq 0 ]
then
EXTIP=`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
echo "External interface is $EXTIF with ip address: $EXTIP"
else
echo "External interface is $EXTIF"
fi
# Set internal IP
INTIP=`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
echo "Internal interface is $INTIF with ip address: $INTIP"
# Set up gateway/routing
echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Port forward http requests to the web server
echo "Set up http forwarding to $WEBSERVER"
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER:80
eend 0
}
stop() {
ebegin "Clearing Firewall"
eend 0
}
PLEASE someone help? Why doesn't it forward http requests?
|
|
|
All times are GMT -5. The time now is 10:15 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|