LinuxQuestions.org
Linux - Networking
Old 06-17-2004, 04:48 PM   #1
Dawyea
LQ Newbie
 
Registered: May 2004
Distribution: Fedora Core 1
Posts: 11

Rep: Reputation: 0
Server doesn't work with port forwarding enabled


I have a Linux box set up as a gateway for my internal network. I'm using the same machine as an Apache webserver. I am able to connect to my server remotely if I disable port forwarding; however, if port forwarding is enabled, it won't work. I have computers behind the gateway that must access the internet, so I can't disable port forwarding. Any help would be appreciated. Thanks
 
Old 06-17-2004, 05:10 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
What firewall rules do you have?
do iptables-save to show all active rules..

When you say 'connect', what do you mean? ssh, http, ping ? etc
 
Old 06-17-2004, 06:14 PM   #3
Dawyea
LQ Newbie
 
Registered: May 2004
Distribution: Fedora Core 1
Posts: 11

Original Poster
Rep: Reputation: 0
I mean connecting with http on port 80. Here are my rules, where xxx.xxx.xxx.xxx is the IP address of eth0. They were generated using Firewall Builder.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:RULE_1 - [0:0]
:RULE_9 - [0:0]
:eth0_In_RULE_0 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j eth0_In_RULE_0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 2542 -m state --state NEW -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 2542 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 7001 -m state --state NEW -j RULE_1
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 7001 -m state --state NEW -j RULE_1
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 10071 -m state --state NEW -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 10071 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.1 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.1 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.8/255.255.255.248 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.8/255.255.255.248 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.4/255.255.255.252 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.4/255.255.255.252 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.254 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.254 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.16/255.255.255.248 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.16/255.255.255.248 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.24 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.24 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -j ACCEPT
-A INPUT -j RULE_9
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j eth0_In_RULE_0
-A FORWARD -s 192.168.0.0/255.255.0.0 -m state --state NEW -j ACCEPT
-A FORWARD -j RULE_9
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 2542 -m state --state NEW -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 2542 -m state --state NEW -j ACCEPT
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 7001 -m state --state NEW -j RULE_1
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 7001 -m state --state NEW -j RULE_1
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 10071 -m state --state NEW -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 10071 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -j ACCEPT
-A OUTPUT -j RULE_9
-A RULE_1 -j LOG --log-prefix "RULE 1 -- ACCEPT " --log-level 6
-A RULE_1 -j ACCEPT
-A RULE_9 -j LOG --log-prefix "RULE 9 -- DENY " --log-level 6
-A RULE_9 -j DROP
-A eth0_In_RULE_0 -j LOG --log-prefix "RULE 0 -- DENY " --log-level 6
-A eth0_In_RULE_0 -j DROP
COMMIT
# Completed on Thu Jun 17 16:07:15 2004
# Generated by iptables-save v1.2.9 on Thu Jun 17 16:07:15 2004
*nat
:PREROUTING ACCEPT [2694:263377]
:POSTROUTING ACCEPT [4666:283825]
:OUTPUT ACCEPT [5030:310941]
:Cid40D1FB72.0 - [0:0]
-A PREROUTING -d 192.168.1.1 -p tcp -m tcp --dport 10071 -j Cid40D1FB72.0
-A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 10071 -j Cid40D1FB72.0
-A POSTROUTING -s 192.168.0.0/255.255.0.0 -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx
-A Cid40D1FB72.0 -s 192.168.1.8/255.255.255.248 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.4/255.255.255.252 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.2/255.255.255.254 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.1 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.16/255.255.255.248 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.24 -j RETURN
-A Cid40D1FB72.0 -p tcp -m tcp --dport 10071 -j DNAT --to-destination 192.168.1.100
COMMIT
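Added example (editor's code, not from the thread): a small simulator that parses an excerpt of the INPUT chain above and walks a NEW TCP packet through it, following the jumps into the Firewall Builder LOG/DROP chains, so the effect of the posted rules can be checked without touching the gateway. It assumes the documentation address 203.0.113.5 in place of the redacted eth0 address and models only the match options these rules use.

```python
import ipaddress, re

# Constructed excerpt of the thread's filter table (eth0's redacted xxx.xxx.xxx.xxx
# is stood in for by the documentation address 203.0.113.5); INPUT's policy is DROP.
RULESET = """
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j eth0_In_RULE_0
-A INPUT -d 203.0.113.5 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -j ACCEPT
-A INPUT -j RULE_9
-A RULE_9 -j LOG --log-prefix "RULE 9 -- DENY " --log-level 6
-A RULE_9 -j DROP
-A eth0_In_RULE_0 -j LOG --log-prefix "RULE 0 -- DENY " --log-level 6
-A eth0_In_RULE_0 -j DROP
"""

# each "-A CHAIN <options> -j TARGET" line becomes an option->value dict under its chain
CHAINS = {}
for _line in RULESET.strip().splitlines():
    _rule = dict(re.findall(r'(--?[A-Za-z-]+) ("[^"]*"|\S+)', _line))
    CHAINS.setdefault(_rule["-A"], []).append(_rule)

def matches(rule, pkt):
    # only the match options the posted rules use; an option that is absent matches anything
    nets = all(pkt[k] in ipaddress.ip_network(rule[o], strict=False)
               for o, k in (("-s", "src"), ("-d", "dst")) if o in rule)
    exact = all(rule[o] == str(pkt[k])
                for o, k in (("-i", "iif"), ("-p", "proto"), ("--dport", "dport")) if o in rule)
    return nets and exact and ("--state" not in rule or pkt["state"] in rule["--state"].split(","))

def walk(chain, pkt, trace):
    # LOG is non-terminating; running off the end of a user chain returns to the caller
    for rule in (r for r in CHAINS[chain] if matches(r, pkt)):
        target = rule["-j"]
        if target == "LOG":
            trace.append("LOG " + rule["--log-prefix"].strip('" '))
        elif target in CHAINS:
            verdict = walk(target, pkt, trace)
            if verdict:
                return verdict
        else:
            trace.append(target)
            return target
    return None

def trace_new_tcp(src, dst, dport, iif):
    # walk a NEW TCP packet arriving on iif through INPUT; DROP is the policy fallback
    pkt = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
           "proto": "tcp", "dport": dport, "iif": iif, "state": "NEW"}
    trace = []
    return walk("INPUT", pkt, trace) or "DROP", trace
```

For an outside client reaching port 80 on eth0 the walk ends in ACCEPT, so these rules alone do not explain the failure; a packet with a 192.168.x.x source arriving on eth0 is logged with the RULE 0 prefix and dropped by the anti-spoofing chain.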
 
Old 06-17-2004, 07:21 PM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
YUK...
very messy rules..
Lots of duplicated rules and bad netmasks...
No interface specifications either..

Let me look at them in the morning...
There is something else apart from the rules not working tho'..
 
Old 06-17-2004, 07:30 PM   #5
Dawyea
LQ Newbie
 
Registered: May 2004
Distribution: Fedora Core 1
Posts: 11

Original Poster
Rep: Reputation: 0
Here is a much simpler set of rules I was using previously. I still had the same problem with these rules.

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
 
Old 06-18-2004, 02:12 PM   #6
Dawyea
LQ Newbie
 
Registered: May 2004
Distribution: Fedora Core 1
Posts: 11

Original Poster
Rep: Reputation: 0

I decided to disable my Linux machine's routing capabilities and hooked it up to a linksys router. I disabled packet forwarding and set the linux box up as a DMZ host, but it still won't work. I also tried to use the router's port forwarding capabilities (which I successfully used several months ago) to forward all port 80 traffic to the linux system, but that doesn't even work anymore. I would greatly appreciate any help you could give me. Thanks a lot!
 
Old 06-18-2004, 05:23 PM   #7
Dawyea
LQ Newbie
 
Registered: May 2004
Distribution: Fedora Core 1
Posts: 11

Original Poster
Rep: Reputation: 0
Does anyone at least have an idea how I can see what's happening to the data so I can narrow the problem down? Thanks
 
Old 06-19-2004, 10:57 AM   #8
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Ok,
clear out the iptables rules, do service iptables stop

then do iptables -t nat -A PREROUTING -j LOG --log-prefix "incoming "
and tail -f /var/log/messages to watch the LOG entries
This will show incoming connections on any interface..

Also you can use tcpdump -i eth0
more details are in man tcpdump
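Added example (editor's code, not the thread's) showing how to read the LOG entries the post above says to watch: it parses constructed /var/log/messages lines in the netfilter LOG format and counts new TCP connection attempts by log prefix, input interface and destination port. The hostname and addresses are made up; "incoming " is the prefix from the PREROUTING rule above and "RULE 9 -- DENY " is the drop prefix from the posted ruleset.

```python
import re
from collections import Counter

# Constructed /var/log/messages lines in the netfilter LOG format (hostname "gw" and
# the addresses are made up). "incoming " is the prefix of the PREROUTING LOG rule
# suggested above; "RULE 9 -- DENY " is the drop prefix from the posted ruleset.
SAMPLE_LOG = """\
Jun 19 11:02:13 gw kernel: incoming IN=eth0 OUT= MAC=00:0c:29:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 11:02:13 gw kernel: incoming IN=eth1 OUT= MAC=00:0c:29:65:43:21:00:11:22:33:44:55:08:00 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 11:02:14 gw kernel: incoming IN=eth0 OUT= MAC=00:0c:29:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Jun 19 11:02:20 gw kernel: RULE 9 -- DENY IN=eth0 OUT= MAC=00:0c:29:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def parse_log(lines):
    # one dict per LOG line: the rule's --log-prefix, every KEY=VALUE field, and the
    # bare flag words (DF, SYN, ACK, ...) collected under "flags"
    for line in lines.splitlines():
        m = re.search(r"kernel: (.*?) ?IN=(.*)", line)
        if not m:
            continue
        rec = {"prefix": m.group(1).strip(), "flags": set()}
        for field in ("IN=" + m.group(2)).split():
            key, sep, val = field.partition("=")
            if sep:
                rec[key] = val
            else:
                rec["flags"].add(key)
        yield rec

def is_new_tcp(rec):
    # a TCP SYN without ACK is the first packet of a connection attempt
    return rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]

def syn_counts(lines):
    # connection attempts by (log prefix, input interface, destination port)
    return Counter((r["prefix"], r["IN"], int(r["DPT"])) for r in parse_log(lines) if is_new_tcp(r))

def sources_reaching(lines, dport, iface="eth0"):
    # which clients' connection attempts to dport actually arrived on iface
    return sorted({r["SRC"] for r in parse_log(lines)
                   if is_new_tcp(r) and r["IN"] == iface and int(r["DPT"]) == dport})
```

If no SYN to DPT=80 with IN=eth0 ever shows up under the "incoming " prefix, the packets are not reaching the gateway and the problem is upstream of the firewall; if they do appear but the connection still fails, the filter rules and the listening service are the places to look next.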
 