Old 02-14-2013, 12:31 PM   #1
LostInDaJungle
LQ Newbie
 
Registered: Feb 2013
Posts: 2

Rep: Reputation: Disabled
iptables and port forwarding - Inside the firewall


Hi, we run an Ubuntu firewall here and I am trying to configure port forwarding to allow our SharePoint site to be accessible from outside the building.

I need both port 80 and 443 (SSL) to be active.

Code:
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to <internal_ip>:80
sudo iptables -A FORWARD -i eth1 -p tcp --dport 80 -d <internal_ip> -j ACCEPT
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to <internal_ip>:443
sudo iptables -A FORWARD -i eth1 -p tcp --dport 443 -d <internal_ip> -j ACCEPT
This works for computers OUTSIDE our firewall. When I bring up my domain name from home, I get our sharepoint site.

When I try to access the site from inside our network using either the domain name or the external IP address, I keep getting the default Apache page installed on the firewall. Is there something I'm missing here?

Last edited by LostInDaJungle; 02-14-2013 at 01:58 PM. Reason: Web Server was still on... My bad. Removed that line
 
Old 02-14-2013, 04:29 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 1,915

Rep: Reputation: Disabled
Traffic from the inside won't match any of the iptables rules because of the "-i eth1" parameter.

Even though the public IP is bound to eth1, accessing that IP via another interface happens without routing. You can reach all IP addresses on a system via any of its interfaces.

Note that even if you add PREROUTING rules for traffic from the inside network, the NATed connection will fail if the clients and the SharePoint server are on the same IP subnet.
 
Old 02-22-2013, 07:35 AM   #3
LostInDaJungle
LQ Newbie
 
Registered: Feb 2013
Posts: 2

Original Poster
Rep: Reputation: Disabled
Resolved it

Code:
iptables -t nat -A PREROUTING -d <external ip> -p tcp --dport 80 -j DNAT --to <internal ip>:80
iptables -A FORWARD -p tcp --dport 80 -d <internal ip> -j ACCEPT
iptables -t nat -A PREROUTING -d <external ip> -p tcp --dport 443 -j DNAT --to <internal ip>:443
iptables -A FORWARD -p tcp --dport 443 -d <internal ip> -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport 80 -d <internal ip> -s 10.100.XX.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp --dport 443 -d <internal ip> -s 10.100.XX.0/24 -j MASQUERADE
These rules allow me to access the server from outside and inside the firewall.

The problem I ran into was that simply removing the "-i eth1" caused all traffic bound for port 80 (or 443) to be rerouted to the internal server. So if a client requested yahoo.com, he ended up getting routed to the internal ip. Adding the -d switch reroutes any traffic bound for one ip on port 80 (or 443) to the internal server.

Last edited by LostInDaJungle; 02-22-2013 at 07:40 AM.
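The two points made in this thread (drop the "-i eth1" match but keep "-d <external ip>" so only traffic to the public address is redirected, and add a POSTROUTING source rewrite so clients on the same subnet as the server still get their replies back through the firewall) fit together into one small hairpin-NAT rule set. The script below is an added example written for this page, not code from the thread; the addresses 203.0.113.10, 10.100.1.20 and 10.100.1.0/24 are constructed placeholders, and the run helper, the APPLY switch and the count_rules function are this example's own. By default it only prints the rules; on a real firewall, APPLY=1 runs them through iptables.

```shell
#!/bin/sh
# Hairpin (NAT loopback) port forwarding for a web server behind an iptables
# firewall. Added example, not from the thread. All addresses are constructed
# placeholders; override them via the environment.

EXT_IP="${EXT_IP:-203.0.113.10}"      # assumed public IP on the WAN interface
INT_IP="${INT_IP:-10.100.1.20}"       # assumed internal web server
LAN_NET="${LAN_NET:-10.100.1.0/24}"   # assumed LAN subnet holding clients and server
PORTS="${PORTS:-80 443}"              # HTTP and HTTPS, as in the thread

# Dry-run helper (this example's own): print the command unless APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

hairpin_rules() {
    # Forwarding must be enabled or the FORWARD chain never sees the packets.
    run sysctl -w net.ipv4.ip_forward=1

    for port in $PORTS; do
        # DNAT only traffic addressed to the public IP. Matching on -d instead of
        # -i is what keeps LAN clients' other port-80/443 traffic (e.g. to an
        # external site) from being redirected to the internal server.
        run iptables -t nat -A PREROUTING -d "$EXT_IP" -p tcp --dport "$port" \
            -j DNAT --to-destination "$INT_IP:$port"

        # Allow the forwarded connection to reach the server.
        run iptables -A FORWARD -p tcp -d "$INT_IP" --dport "$port" \
            -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

        # Hairpin case: when the client is on the same subnet as the server,
        # rewrite the source as well (POSTROUTING runs after DNAT, so -d is the
        # internal IP here). Without this the server answers the client directly,
        # the client sees a reply from an address it never connected to, and the
        # connection stalls.
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$INT_IP" -p tcp \
            --dport "$port" -j MASQUERADE
    done

    # Replies and related packets for forwarded connections.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Count generated rule lines matching a pattern (dry-run mode only); useful
# for checking the rule set before applying it.
count_rules() {
    hairpin_rules | grep -c -e "$1"
}

hairpin_rules
```

Running it without APPLY prints the rule set for review. The MASQUERADE rules are deliberately narrowed to traffic from the LAN subnet to the server on the forwarded ports, so the server's logs still show real client addresses for connections arriving from outside; only hairpinned LAN connections appear to come from the firewall.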