iptables port forwarding
I've been Googling about port forwarding in iptables, and even though there are results and I've applied them in my script, I can't make iptables forward requests to another machine, so I decided to ask for help.
eth0 is my Internet interface (1.2.3.4 is the public IP)
eth1 is my LAN interface
eth2 is my DMZ interface
My Apache test server is 10.0.1.150
Below is my script:
Can anyone tell me what my mistake is here? Linux newbie in iptables.

Looks to me like it should work as it is. Maybe place a LOG rule at the end of the FORWARD chain so we can see if your test packet is getting filtered there (and if so, what the packet's headers look like)?
Code:
iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
Code:
/sbin/route -n

10.0.1.1 is the gateway of 10.0.1.150
I tried to install http and remove the lines related to port 80 on interface eth0, ran the script, and I can see Apache.
So probably the culprit is somewhere in the script, or a routing issue, but is it possible that it's a routing issue even though I can telnet to the service (http)? The server can connect to the private LAN server where Apache is installed.

What interface is the Apache server on?

On the FW server, eth1 is the private LAN interface

Have you enabled IP forwarding?
Run this to check:
Code:
cat /proc/sys/net/ipv4/ip_forward
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
If that is not the issue, please run the following commands and post the output to us:
Code:
ip route

I will post the output of those requested commands later. Thanks!

ip route
NOTE:

EDIT: I didn't look at your routing table very closely...
Run these commands and see how it goes..
Code:
ip route delete 192.168.1.0/24 via 10.0.1.151 dev eth1
Code:
cat /proc/sys/net/ipv4/ip_forward

Does it make sense that, if I know I can telnet to the DMZ server on the port I'm trying to forward, I still need to think the problem might be on the network side? Even if I can traceroute successfully to the DMZ server?

Problem fixed!
It seems that when I added the following I can now forward ports:

I would be happy to look at your firewall script and give you an idea of how secure it is, but please post it again from the output of this command:
Code:
iptables-save

Here it is. Please inform me if there are any flaws or changes that need to be done. Thanks!

You do not need this line, it is covered by the one above:
Code:
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
This one should be deleted, port 80 is being routed so it is covered by the FORWARD chain:
Code:
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
Code:
-A FORWARD -i eth1 -p tcp --dport 81:65535 -j REJECT --reject-with icmp-port-unreachable
Code:
# You need to remember that packets that are being routed are covered by the FORWARD chain. INPUT and OUTPUT are only for packets that are addressed directly to or from the firewall itself. If you don't understand that, you really need to ask for more clarification.
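To make the reviewer's two points checkable, here is an added example in Python (not code from the thread): a small linter over iptables-save output that flags an INPUT ACCEPT for a port that nat/PREROUTING DNATs to another host (such packets take the FORWARD path, never INPUT), and a protocol-specific RELATED,ESTABLISHED ACCEPT that follows a generic one. The sample ruleset is constructed, and it assumes the "one above" in the review is a generic --state RELATED,ESTABLISHED rule.

```python
import re

# Constructed sample of iptables-save output (hypothetical; the poster's real ruleset
# is not on the page): the two flagged INPUT rules plus a DNAT of port 80 to the DMZ.
SAMPLE = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.150:80
COMMIT
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -d 10.0.1.150 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Return (table, chain, rule) for every -A line, tracking the *table header."""
    table, rules = None, []
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            rules.append((table, line.split()[1], line))
    return rules

def dnat_ports(rules):
    """Ports DNATed in nat/PREROUTING: routed packets, so FORWARD (not INPUT) sees them."""
    ports = set()
    for table, chain, rule in rules:
        if table == "nat" and chain == "PREROUTING" and "-j DNAT" in rule:
            ports.update(int(p) for p in re.findall(r"--dport (\d+)", rule))
    return ports

def lint(text):
    """Return (finding, rule) pairs for the filter/INPUT chain, in rule order."""
    rules = parse_rules(text)
    routed, findings, generic_state_seen = dnat_ports(rules), [], False
    for table, chain, rule in rules:
        if table != "filter" or chain != "INPUT":
            continue
        if "--state RELATED,ESTABLISHED" in rule and "-j ACCEPT" in rule:
            if "-p " not in rule:
                generic_state_seen = True  # accepts replies for every protocol
            elif generic_state_seen:
                findings.append(("redundant", rule))  # covered by the rule above
        m = re.search(r"--dport (\d+)", rule)
        if m and "-j ACCEPT" in rule and int(m.group(1)) in routed:
            findings.append(("covered-by-FORWARD", rule))
    return findings
```

Run it on `iptables-save` output instead of SAMPLE to review a live ruleset; a finding means the rule is dead weight, not that the host is exposed.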