LinuxQuestions.org

Linux - Networking: What's wrong with my iptable rules (https://www.linuxquestions.org/questions/linux-networking-3/whats-wrong-with-my-iptable-rules-907610/)

987geek 10-11-2011 12:37 PM

What's wrong with my iptable rules
 
Hey everybody
I want to have a small network consisting of three PCs: a client connected to one side of a transparent bridge, and the other side of the bridge connected to a server. I want the requests from the client to pass through the bridge first without the client knowing. Now, I did the iptables rules on the bridge, and from the client, if I request an http page on the server (I installed httpd on the server and put a simple http page in the www), it doesn't respond, so I was asking what may be going wrong.
Both client and server are Fedora; the bridge is Ubuntu.
The iptables rules on the bridge:

iptables -F
iptables -X

iptables -I FORWARD -m state --state INVALID -j DROP
# client -> server: HTTP requests to the server
iptables -A FORWARD -p tcp -m physdev --physdev-in eth0 --physdev-out eth1 -d 192.168.1.5 --dport 80 -j ACCEPT
# server -> client: replies carry SOURCE port 80 (the original rule used --dport 80 here, which never matches a reply)
iptables -A FORWARD -p tcp -m physdev --physdev-in eth1 --physdev-out eth0 -m state --state RELATED,ESTABLISHED --sport 80 -j ACCEPT
# anything else coming from the server side is rejected
iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -j REJECT

And to make the bridge:
sudo ifconfig eth0 promisc up
sudo ifconfig eth1 promisc up
sudo brctl addbr br0
sudo brctl addif br0 eth0
sudo brctl addif br0 eth1
# the bridge ports carry no IP address; br0 is the only logical interface
sudo ifconfig eth0 0.0.0.0 up
sudo ifconfig eth1 0.0.0.0 up
sudo ifconfig br0 up

I'll appreciate any help :)
thanks!!

fukawi1 10-12-2011 05:01 AM

From a firewall perspective you need a rule to actually forward the traffic through the bridge, something along the lines of:

# DNAT lives in the nat table, so -t nat is required
iptables -t nat -A PREROUTING -p tcp --dport 80 -i $client_facing_eth -j DNAT --to 192.168.1.5:80

But I haven't done much with bridges, so that will probably need some work to accommodate the bridging side of things.

987geek 10-12-2011 05:57 AM

Thanks!
 
Thanks for your help, but there is something worth mentioning: I'll need to redirect all the incoming requests to the bridge on port 80 to another port on the bridge as well (for example 6000), because I'll have a program on the bridge listening on this port to do the needed processing. I just omitted this part for now for testing, but what I planned to write is:

# redirected packets are delivered to the local program, so they traverse INPUT rather than FORWARD
sudo iptables -A INPUT -p tcp --dport 6000 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 6000

I really don’t know if it will work or not, I need help with the base part first! :)
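
The following script is an added example for this thread (it is not the original poster's or fukawi1's code) and covers both the base transparent-bridge setup from the first post and the port-80 interception planned in the post above. It takes from the thread that eth0 faces the client, eth1 faces the server, the server is 192.168.1.5 and the interceptor listens on TCP 6000; the bridge's own address 192.168.1.2/24, the default-deny FORWARD policy and the file name bridge.sh are assumptions of this example. It also turns on bridge-netfilter, without which bridged frames never reach iptables at all. Every external command goes through a variable so the script can be dry-run without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: eth0 = client side,
# eth1 = server side, server 192.168.1.5, interceptor on TCP 6000 (from the
# thread); bridge address 192.168.1.2/24 is assumed. Dry run without root:
#   IPT=echo BRCTL=echo IP=echo SYSCTL=echo sh bridge.sh intercept
set -eu

IPT=${IPT:-iptables}
BRCTL=${BRCTL:-brctl}
IP=${IP:-ip}
SYSCTL=${SYSCTL:-sysctl}

CLIENT_IF=${CLIENT_IF:-eth0}
SERVER_IF=${SERVER_IF:-eth1}
SERVER_IP=${SERVER_IP:-192.168.1.5}
BRIDGE_ADDR=${BRIDGE_ADDR:-192.168.1.2/24}   # assumed; only needed for REDIRECT
PROXY_PORT=${PROXY_PORT:-6000}

build_bridge() {
    # Pure layer-2 bridge: the member ports carry no IP address of their own.
    $BRCTL addbr br0
    $BRCTL addif br0 "$CLIENT_IF"
    $BRCTL addif br0 "$SERVER_IF"
    $IP link set "$CLIENT_IF" up
    $IP link set "$SERVER_IF" up
    $IP link set br0 up
    # Bridged frames only traverse iptables when bridge-netfilter is enabled
    # (on newer kernels run "modprobe br_netfilter" first).
    $SYSCTL -w net.bridge.bridge-nf-call-iptables=1
}

load_filter_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP          # default deny; ARP is not IP and is unaffected
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # client -> server: only HTTP to the server
    $IPT -A FORWARD -p tcp -m physdev --physdev-in "$CLIENT_IF" --physdev-out "$SERVER_IF" \
        -d "$SERVER_IP" --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # server -> client: replies carry SOURCE port 80. The thread's rule matched
    # --dport 80 in this direction, so no reply ever matched and the REJECT
    # below answered every one of them.
    $IPT -A FORWARD -p tcp -m physdev --physdev-in "$SERVER_IF" --physdev-out "$CLIENT_IF" \
        -s "$SERVER_IP" --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$SERVER_IF" --physdev-out "$CLIENT_IF" -j REJECT
}

load_intercept_rules() {
    # REDIRECT rewrites the destination to the primary address of the interface
    # the packet arrived on, so br0 must own an IP address for it to work.
    $IP addr add "$BRIDGE_ADDR" dev br0
    $IPT -t nat -A PREROUTING -m physdev --physdev-in "$CLIENT_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    # Redirected packets are delivered locally: they pass INPUT, not FORWARD.
    $IPT -A INPUT -p tcp --dport "$PROXY_PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

case "${1:-}" in
    apply)     build_bridge; load_filter_rules ;;
    intercept) build_bridge; load_filter_rules; load_intercept_rules ;;
    *)         echo "usage: $0 apply|intercept (set IPT=echo etc. to dry-run)" >&2 ;;
esac
```

After "sudo sh bridge.sh apply", fetch the page from the client and check that the counters of both physdev rules in "iptables -L FORWARD -v -n" increase; if only the client-to-server rule counts, replies are still being rejected and the --sport rule did not load. "sysctl net.bridge.bridge-nf-call-iptables" must print 1, otherwise all counters stay at zero and the bridge passes everything unfiltered.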

987geek 10-14-2011 06:00 AM

help!
 
anybody here??!
