Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
#1 | 06-17-2004, 04:48 PM | LQ Newbie | Registered: May 2004 | Distribution: Fedora Core 1 | Posts: 11
Server doesn't work with port forwarding enabled
I have a Linux box set up as a gateway for my internal network. I'm using the same machine as an Apache webserver. I am able to connect to my server remotely if I disable port forwarding; however, if port forwarding is enabled, it won't work. I have computers behind the gateway that must access the internet, so I can't disable port forwarding. Any help would be appreciated. Thanks
#2 | 06-17-2004, 05:10 PM | Senior Member | Registered: Feb 2002 | Location: Szczecin, Poland | Distribution: Gentoo, Debian | Posts: 2,458
What firewall rules do you have?
Do iptables-save to show all active rules.
When you say 'connect', what do you mean? ssh, http, ping, etc.?
#3 | 06-17-2004, 06:14 PM | LQ Newbie | Registered: May 2004 | Distribution: Fedora Core 1 | Posts: 11 | Original Poster
I mean connecting with HTTP on port 80. Here are my rules, where xxx.xxx.xxx.xxx is the IP address of eth0. They were generated using Firewall Builder.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:RULE_1 - [0:0]
:RULE_9 - [0:0]
:eth0_In_RULE_0 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j eth0_In_RULE_0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 2542 -m state --state NEW -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 2542 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 7001 -m state --state NEW -j RULE_1
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 7001 -m state --state NEW -j RULE_1
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 10071 -m state --state NEW -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 10071 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.1 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.1 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.8/255.255.255.248 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.8/255.255.255.248 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.4/255.255.255.252 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.4/255.255.255.252 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.254 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.254 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.16/255.255.255.248 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.16/255.255.255.248 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.24 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.24 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -j ACCEPT
-A INPUT -j RULE_9
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j eth0_In_RULE_0
-A FORWARD -s 192.168.0.0/255.255.0.0 -m state --state NEW -j ACCEPT
-A FORWARD -j RULE_9
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 2542 -m state --state NEW -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 2542 -m state --state NEW -j ACCEPT
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 7001 -m state --state NEW -j RULE_1
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 7001 -m state --state NEW -j RULE_1
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 10071 -m state --state NEW -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 10071 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -j ACCEPT
-A OUTPUT -j RULE_9
-A RULE_1 -j LOG --log-prefix "RULE 1 -- ACCEPT " --log-level 6
-A RULE_1 -j ACCEPT
-A RULE_9 -j LOG --log-prefix "RULE 9 -- DENY " --log-level 6
-A RULE_9 -j DROP
-A eth0_In_RULE_0 -j LOG --log-prefix "RULE 0 -- DENY " --log-level 6
-A eth0_In_RULE_0 -j DROP
COMMIT
# Completed on Thu Jun 17 16:07:15 2004
# Generated by iptables-save v1.2.9 on Thu Jun 17 16:07:15 2004
*nat
:PREROUTING ACCEPT [2694:263377]
:POSTROUTING ACCEPT [4666:283825]
:OUTPUT ACCEPT [5030:310941]
:Cid40D1FB72.0 - [0:0]
-A PREROUTING -d 192.168.1.1 -p tcp -m tcp --dport 10071 -j Cid40D1FB72.0
-A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 10071 -j Cid40D1FB72.0
-A POSTROUTING -s 192.168.0.0/255.255.0.0 -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx
-A Cid40D1FB72.0 -s 192.168.1.8/255.255.255.248 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.4/255.255.255.252 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.2/255.255.255.254 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.1 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.16/255.255.255.248 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.24 -j RETURN
-A Cid40D1FB72.0 -p tcp -m tcp --dport 10071 -j DNAT --to-destination 192.168.1.100
COMMIT
#4 | 06-17-2004, 07:21 PM | Senior Member | Registered: Feb 2002 | Location: Szczecin, Poland | Distribution: Gentoo, Debian | Posts: 2,458
YUK...
very messy rules..
Lots of duplicated rules and bad netmasks...
No interface specifications either..
Let me look at them in the morning...
There is something else apart from the rules not working tho'..
#5 | 06-17-2004, 07:30 PM | LQ Newbie | Registered: May 2004 | Distribution: Fedora Core 1 | Posts: 11 | Original Poster
Here is a much simpler set of rules I was using previously. I still had the same problem with these rules.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
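A cleaner version of the gateway ruleset that posts #3 and #5 are trying to express, added here as an example; it is not the poster's rules or Firewall Builder output. It assumes eth0 is the external interface and eth1 the LAN 192.168.1.0/24, names every interface, keeps Apache reachable on the gateway itself, and keeps the port-10071 forward to 192.168.1.100 from post #3.

```shell
#!/bin/sh
# Added example, not the poster's rules or Firewall Builder output: a minimal
# stateful ruleset for the setup in this thread, Apache on the gateway itself
# and a LAN behind it. Assumes eth0 is the external interface, eth1 the LAN
# 192.168.1.0/24, and keeps the port-10071 forward to 192.168.1.100 from post
# #3. Run with IPT=echo to print the rules instead of applying them.
IPT=${IPT:-iptables}
EXT_IF=eth0; INT_IF=eth1; LAN=192.168.1.0/24
FWD_PORT=10071; FWD_HOST=192.168.1.100

gateway_rules() {
    $IPT -F; $IPT -t nat -F; $IPT -X; $IPT -t nat -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    # Loopback, plus anything conntrack already knows about (replies, related).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: LAN source addresses never legitimately arrive on eth0.
    $IPT -A INPUT -i $EXT_IF -s $LAN -j DROP
    $IPT -A FORWARD -i $EXT_IF -s $LAN -j DROP

    # Services on the gateway: web from anywhere, ssh only from the LAN side.
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i $INT_IF -s $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # LAN to Internet, with every interface named, masqueraded behind eth0.
    $IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE

    # One published port into the LAN: DNAT rewrites the destination in nat,
    # and FORWARD must then accept the rewritten packet explicitly.
    $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $FWD_PORT -j DNAT --to-destination $FWD_HOST
    $IPT -A FORWARD -i $EXT_IF -o $INT_IF -d $FWD_HOST -p tcp --dport $FWD_PORT -m state --state NEW -j ACCEPT

    # Log before the DROP policy takes effect so refused traffic is visible.
    $IPT -A INPUT -j LOG --log-prefix "INPUT DROP "
    $IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP "

    # Enable routing only once the rules above are in place.
    if [ "$IPT" = iptables ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

case "${1:-}" in apply) gateway_rules ;; esac
```

Run it as `IPT=echo sh gateway.sh apply` to review the generated rules before applying them for real as root.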
#6 | 06-18-2004, 02:12 PM | LQ Newbie | Registered: May 2004 | Distribution: Fedora Core 1 | Posts: 11 | Original Poster
I decided to disable my Linux machine's routing capabilities and hooked it up to a Linksys router. I disabled packet forwarding and set the Linux box up as a DMZ host, but it still won't work. I also tried to use the router's port forwarding capabilities (which I successfully used several months ago) to forward all port 80 traffic to the Linux system, but that doesn't even work anymore. I would greatly appreciate any help you could give me. Thanks a lot!
#7 | 06-18-2004, 05:23 PM | LQ Newbie | Registered: May 2004 | Distribution: Fedora Core 1 | Posts: 11 | Original Poster
Does anyone at least have an idea how I can see what's happening to the data so I can narrow the problem down? Thanks
#8 | 06-19-2004, 10:57 AM | Senior Member | Registered: Feb 2002 | Location: Szczecin, Poland | Distribution: Gentoo, Debian | Posts: 2,458
Ok,
clear out the iptables rules: do service iptables stop,
then do iptables -t nat -A PREROUTING -j LOG --log-prefix "incoming "
and tail -f /var/log/messages to watch the LOG entries.
This will show incoming connections on any interface.
Also you can use tcpdump -i eth0;
more details are in man tcpdump.
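A small helper for reading the LOG entries that post #8's PREROUTING rule writes to /var/log/messages, added here as an example and not part of the thread. It groups the lines by incoming interface, protocol and destination port, which answers the question in post #7 of whether port-80 connection attempts reach the box at all; the log lines below are constructed samples in the format netfilter's LOG target emits.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the kernel LOG lines produced by
# the PREROUTING LOG rule in post #8, grouped by incoming interface, protocol and
# destination port, to see whether port-80 connection attempts reach eth0 at all.
# Reads a file given as the first argument, or stdin.
summarize_incoming() {
    grep 'incoming IN=' "${1:--}" | awk '{
        iface = "?"; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")          # fields look like KEY=VALUE
            if (kv[1] == "IN")    iface = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
        }
        n[iface " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample log lines in the format netfilter's LOG target emits
# (addresses taken from the documentation ranges).
SAMPLE_LOG=$(cat <<'EOF'
Jun 19 11:02:13 gw kernel: incoming IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=80 SYN URGP=0
Jun 19 11:02:14 gw kernel: incoming IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=80 SYN URGP=0
Jun 19 11:02:20 gw kernel: incoming IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.100 DST=192.168.1.1 LEN=73 TTL=64 PROTO=UDP SPT=1025 DPT=53 LEN=53
Jun 19 11:02:31 gw kernel: incoming IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=84 TTL=57 PROTO=ICMP TYPE=8 CODE=0
EOF
)

printf '%s\n' "$SAMPLE_LOG" | summarize_incoming
```

Note that the nat PREROUTING chain only sees the first packet of each connection, so the counts are new connection attempts rather than packets; on the real box, run `summarize_incoming /var/log/messages`.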