LAN cannot access other LAN systems, only WAN

Myrion · 09-06-2007, 07:18 PM

Hi folks,

I've exhausted the extent of my IPTables/NetFilter knowledge, and am now turning to your expertise.

I've pasted my IPTables configuration below so that you can hopefully see where my error is.

Here is my problem: I have a linux box acting as a router and firewall. It assigns IPs to local systems via its DHCP server. My problem is that none of the local systems can access the local web server. If they enter the IP address of the web server (192.168.1.111), it works fine, but using the domain name does not work. The local systems are able to reach all WAN networks, and all WAN networks are able to access the local web server (since I have NAT forwarding setup in IPTables). So, any idea how I can get the local systems to be able to use the domain name of my web server to access it instead of having to use the IP address (which doesn't work for some http forwarding directives I have setup)?

---IPTABLES OUTPUT---

Code:

#!/bin/sh

# NOTE -- This used to be /sbin/ifup-pre-local script. I changed it to a manual script instead since tc_shaper
# wasn't working in the previous script on autoload

# other definitions
IFext="eth0"
IFint="eth1"
IPext="71.xxx.xxx.xxx"
IPint="192.168.0.1"
lannet="192.168.0.0/23"

# chain policies
# drop everything and open stuff as necessary
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -Z

# create DUMP table
/sbin/iptables -N DUMP
/sbin/iptables -F DUMP

# limited logs
/sbin/iptables -A DUMP -p icmp -m limit --limit 1/m --limit-burst 5 -j LOG --log-level 6 --log-prefix "IPT ICMPDUMP: "
/sbin/iptables -A DUMP -p tcp -m limit --limit 1/m --limit-burst 5 -j LOG --log-level 6 --log-prefix "IPT TCPDUMP: "
/sbin/iptables -A DUMP -p udp -m limit --limit 6/h --limit-burst 5 -j LOG --log-level 6 --log-prefix "IPT UDPDUMP: "

/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A DUMP -j DROP

# Stateful table
/sbin/iptables -N STATEFUL
/sbin/iptables -F STATEFUL
/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A STATEFUL -m state --state NEW -i ! ${IFext} -j ACCEPT
/sbin/iptables -A STATEFUL -j DUMP

# SSH protection table
/sbin/iptables -N SSH
/sbin/iptables -F SSH
/sbin/iptables -A SSH -i ! ${IFext} -j RETURN
/sbin/iptables -A SSH -m recent --name SSH --set --rsource
/sbin/iptables -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
/sbin/iptables -A SSH -j DUMP

# SYN protection table
/sbin/iptables -N SYN-FLOOD
/sbin/iptables -F SYN-FLOOD
/sbin/iptables -A SYN-FLOOD -m limit --limit 1/s --limit-burst 8 -j RETURN
/sbin/iptables -A SYN-FLOOD -j DROP

/sbin/iptables -A INPUT -p tcp -i ${IFext} --syn -j SYN-FLOOD
/sbin/iptables -A INPUT -p tcp -i ${IFext} ! --syn -m state --state NEW -j DROP

# watch out for fragments
/sbin/iptables -A INPUT -i ${IFext} -f -j LOG --log-prefix "IPT FRAGMENTS: "
/sbin/iptables -A INPUT -i ${IFext} -f -j DROP

# allow loopback in
/sbin/iptables -A INPUT -i lo -j ACCEPT
# allow loopback and LAN out
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A OUTPUT -p ALL -s ${lannet} -j ACCEPT

# drop reserved addresses incoming as per IANA listing
/sbin/iptables -A INPUT -i ${IFext} -s 0.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 1.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 2.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 5.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 7.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 10.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 23.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 27.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 31.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 36.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 39.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 41.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 42.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 58.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 59.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 60.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 127.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 169.254.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 172.16.0.0/12 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 192.168.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 197.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 224.0.0.0/3 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 240.0.0.0/8 -j DUMP

# allow certain inbound ICMP types (on *any* interface)
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

# opened ports
/sbin/iptables -A INPUT -p tcp -i ${IFext} --dport 1982 -m state --state NEW -j SSH
/sbin/iptables -A INPUT -p tcp -i ${IFext} --dport 1982 -j ACCEPT

# masquerade from internal network
# /sbin/iptables -t nat -A POSTROUTING -s ${lannet} -o ${IFext} -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s ${lannet} -o ${IFext} -j SNAT --to-source ${IPext}

myrion="192.168.0.100"
server1="192.168.1.111"

# override stateful table
/sbin/iptables -A FORWARD -i ${IFext} -o ${IFint} -j ACCEPT

# server1 ports
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 46959:46965 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 46959:46965 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 80 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 80 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 443 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 443 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 25 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 25 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 143 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 143 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 1980 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 1980 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 993 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 993 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 1981 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 1981 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 3784 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -s ${server1} -p tcp --dport 3784 -j ACCEPT

# myrion ports
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 46979 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 46979 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 113 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 113 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 6669 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 6669 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 4900:5000 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 4900:5000 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 6060:7000 -j DNAT --to ${myrion}
/sbin/iptables -A FORWARD -s ${myrion} -p tcp --dport 6060:7000 -j ACCEPT

# push everything else to state table
/sbin/iptables -A INPUT -j STATEFUL
/sbin/iptables -A FORWARD -j STATEFUL
/sbin/iptables -A OUTPUT -j STATEFUL

Thanks a bunch!!

--myrion

Brian1 · 09-06-2007, 07:29 PM

Not sure if it might help but depends based on DNS but I think you need some dnat lines. This mostly for lan machine not seeing a server IP address with the external IP address. Check this link for a start. http://www.linuxquestions.org/questi...highlight=dnat

Brian