LinuxQuestions.org
Old 09-23-2016, 06:54 AM   #1
TomToOmUch
LQ Newbie
 
Registered: Apr 2014
Location: Montpellier, France
Distribution: Slackware, Slackware, Slackware, Ubuntu (elementary OS)
Routing to an HTTPS webserver in a local network with iptables


Hello,

The network I work on is divided in two:
- A Livebox with DNS/DHCP services running and routing (with NAT) to my local server (fixed IP: 192.168.1.2) for HTTP/HTTPS/SSH...
-> this Livebox supports Wifi connections, an MFP (fixed IP), a false fileserver (an old XP with shared folders...) on 192.168.1.* IP addresses
- My Slackware 14.1 LAN server with dnsmasq, firewall, httpd, ntpd and squid running to manage the local network composed of publicly accessed computers. It also hosted a tiny (my use only) owncloud instance until today. The DHCP offers 192.168.2.* IP addresses.

I am migrating the shared folders on a dedicated local webserver running httpd, mysqld. I want to manage the shared files with an owncloud service (the actual server is showing some weaknesses and the tiny local server won't take the load).

I hope this was a clear enough presentation of the network...

So, I deployed my new local webserver (a DELL Optiplex 745 with RAID1 160 GB SATA hard drives, which is largely sufficient for the use) on the 'public' local network (behind my Slackware router/LAN server).
I then tried to route all HTTPS requests from 192.168.1.* to my new server, whose IP is leased by dnsmasq on the local server (192.168.2.254), with iptables like this:

Code:
#!/bin/sh
#
# /etc/rc.d/rc.firewall

IPT=$(which iptables)
MOD=$(which modprobe)
IFACE_INET=eth0
IFACE_LAN=eth1

function start {
  
  # Default policies
  $IPT -P INPUT DROP
  $IPT -P FORWARD ACCEPT
  $IPT -P OUTPUT ACCEPT

  # Trust ourselves
  $IPT -A INPUT -i lo -j ACCEPT

  # Ping
  $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
  $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

  # Established connections
  $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # Local FTP 
  # $MOD ip_conntrack_ftp
  # $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT

  # Local SSH 
  $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 22 -j ACCEPT

  # Limited SSH from the outside
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 22 -m state --state NEW \
         -m recent --set --name SSH
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 22 -m state --state NEW \
         -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j DROP
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 22 -j ACCEPT

  # DNS 
  $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 53 -j ACCEPT
  $IPT -A INPUT -p udp -i $IFACE_LAN --dport 53 -j ACCEPT

  # DHCP
  $IPT -A INPUT -p udp -i $IFACE_LAN --dport 67:68 -j ACCEPT

  # HTTP 
  $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 80 -j ACCEPT
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 80 -j ACCEPT
  #$IPT -A INPUT -p tcp -i $IFACE_INET --dport 80 -j ACCEPT

  # HTTPS 
  #$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 443 -j ACCEPT
  #$IPT -A INPUT -p tcp -i $IFACE_INET --dport 443 -j ACCEPT
  $IPT -t nat -A PREROUTING -i $IFACE_INET -p tcp --dport 443 \
    -j DNAT --to-destination 192.168.2.254:443

  # NTP 
  $IPT -A INPUT -p udp -i $IFACE_LAN --dport 123 -j ACCEPT

  # Squid 
  $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3128 -j ACCEPT
  $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3128 -j ACCEPT

  # Transparent proxy : redirect all HTTP requests except those for the server
  # itself to port 3128
  $IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d 192.168.2.1 \
                 --dport 80 -j REDIRECT --to-port 3128

  # MPD 
  # $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 8000 -j ACCEPT

  # Packet forwarding: masquerade the LAN behind the Internet interface
  $IPT -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -j MASQUERADE

  # Log rejected connections
  $IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++"
  $IPT -A INPUT -j REJECT

}

function stop {

  # Set default policies to ACCEPT everything
  $IPT -t filter -P INPUT ACCEPT
  $IPT -t filter -P FORWARD ACCEPT
  $IPT -t filter -P OUTPUT ACCEPT
  $IPT -t nat -P PREROUTING ACCEPT
  $IPT -t nat -P INPUT ACCEPT
  $IPT -t nat -P OUTPUT ACCEPT
  $IPT -t nat -P POSTROUTING ACCEPT
  $IPT -t mangle -P PREROUTING ACCEPT
  $IPT -t mangle -P INPUT ACCEPT
  $IPT -t mangle -P FORWARD ACCEPT
  $IPT -t mangle -P OUTPUT ACCEPT
  $IPT -t mangle -P POSTROUTING ACCEPT

  # Zero out all counters
  $IPT -t filter -Z
  $IPT -t nat -Z
  $IPT -t mangle -Z

  # Flush all active rules and delete all custom chains
  $IPT -t filter -F
  $IPT -t filter -X
  $IPT -t nat -F
  $IPT -t nat -X
  $IPT -t mangle -F
  $IPT -t mangle -X

}

# rc.firewall { start | restart | stop | status }
case $1 in
  start)
    echo ":: Starting firewall."
    stop
    start
    ;;
  stop)
    echo ":: Stopping firewall."
    stop
    ;;
  restart)
    echo ":: Stopping firewall."
    stop
    echo ":: Starting firewall."
    start
    ;;
  status)
    echo
    echo "=== Filter table ==="
    echo 
    $IPT -L -v -n
    echo
    echo "==== NAT table ====="
    echo 
    $IPT -t nat -L -v -n
    echo
  ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
    ;;
esac
When I restart my rc.firewall script, it stops and starts but it answers: "iptables: No chain/target/match by that name."

I read a lot of iptables documentation and admins' blogs and I can't see what I'm doing wrong!

Would you please help me?
 
Old 09-23-2016, 03:46 PM   #2
nini09
Senior Member
 
You can compare with iptables -vL to find out which rule is bad.
 
Old 09-23-2016, 04:32 PM   #3
TomToOmUch
LQ Newbie
 
Hi, thanks for your reply...

The PREROUTING chain doesn't appear in the list of chains with the command you suggested.
By the way, I'm reading the iptables manpage more thoroughly so I can better understand what all this is about...

Iptables is huge!

Thanks,
I'll keep you posted
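As an added example (not the poster's rc.firewall and not code from the thread), the script below applies each iptables rule on its own so the exact command the kernel rejects is printed next to its "No chain/target/match by that name" message, and then checks the nat table for the HTTPS DNAT rule, which the filter-only listing `iptables -vL` never shows. The interface name eth0, the target 192.168.2.254 and the IPT variable are taken from the poster's script; the function names and the stub-friendly IPT override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall: run each iptables rule on
# its own and report the exact command the kernel rejects, then confirm
# the HTTPS DNAT rule landed in the nat table ("iptables -vL" only lists
# the filter table, so PREROUTING never appears there). IPT is assumed;
# point it at a stub or wrapper to dry-run without root.
IPT=${IPT:-iptables}

# Run one iptables command; on failure print the command and the kernel's
# message, and return 1 so the caller can stop or count failures.
ipt() {
  err=$("$IPT" "$@" 2>&1) && return 0
  echo "rule rejected: $IPT $*" >&2
  echo "  iptables said: $err" >&2
  return 1
}

# Apply every non-empty, non-comment line of stdin as one rule.
# Return value is the number of rejected rules (0 means all applied).
apply_rules() {
  failed=0
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    ipt $line || failed=$((failed + 1))   # word-splitting is intended
  done
  return $failed
}

# Return 0 if CHAIN in TABLE holds a rule matching the grep pattern.
# "-S" prints one rule per line as it was added, easier to grep than "-L".
has_rule() {  # has_rule TABLE CHAIN PATTERN
  "$IPT" -t "$1" -S "$2" 2>/dev/null | grep -q -- "$3"
}

# The two nat rules from the thread that the HTTPS redirect depends on
# (eth0 and 192.168.2.254 as in the poster's script).
HTTPS_RULES='
-t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.2.254:443
-t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -j MASQUERADE
'

main() {
  printf '%s\n' "$HTTPS_RULES" | apply_rules || echo "$? rule(s) rejected" >&2
  if has_rule nat PREROUTING 'dport 443 .*-j DNAT --to-destination 192.168.2.254'; then
    echo "HTTPS DNAT present; list it with: $IPT -t nat -L PREROUTING -v -n"
  else
    echo "HTTPS DNAT missing from the nat table" >&2
  fi
}
if command -v "$IPT" >/dev/null 2>&1; then main; fi   # only when iptables exists
```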
 
Old 09-23-2016, 05:10 PM   #4
TomToOmUch
LQ Newbie
 
Hi again,

I think my mistake is I don't have any FORWARD chain, so the requests from my 192.168.1.* network can't go through to my 192.168.2.* network! I'll explore this lead and post again!

Thx
 
  

