Problems with IPtables on Debian
I've been sitting here for the last few days and can't seem to get the hang of the iptables stuff.
How can I open port 80 to the web server that's on another box on the LAN? I've tried a zillion things but nothing works. :( All I found so far is either old or for a different distro and... well, I am about to give it up. Running a fresh install of Debian with no GUI btw. And how come port 22 is open? I thought I closed it.
Code:
#!/bin/sh
Kanon
If you want to redirect traffic to another box - port 80 on another box, you need to use PREROUTING and DNAT.
Code:
iptables -A FORWARD -i eth0 -d <ip of webserver> -j ACCEPT
iptables -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-dest <IP of webserver>:80
You have only closed ssh traffic going out.
Code:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
will close port 22 to incoming traffic on eth0. The OUTPUT rule for port 22 is not necessary. Suggest you start your rules with
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
This will enforce the default deny stance, effectively sealing your system.
Working with iptables is an art as well as a science. Do you have to do it manually? Firestarter is an easy and fairly secure GUI. Shorewall or some other front-end for iptables is easier and as secure as you want to make it.
But I don't have PREROUTING. How do I add the file/filter? I'm assuming it's going into the netfilter. Thanks for the solution to port 22! :)
But you have to put
Code:
echo 1 >/proc/sys/net/ipv4/ip_forward
in order to make your machine able to forward packets. Just put this as the last line inside your script. Regards and best wishes :twocents:
I got "echo 1 >/proc/sys/net/ipv4/ip_forward" as the last line. But I get "Unable to connect" in my browser. And I get an error:
Code:
bound to my.static.ip.10 -- renewal in 10800 seconds.
Thanks for helping me out here everyone! :)
My sincere apologies Kanon
The PREROUTING line should be
Code:
iptables -t nat -A PREROUTING ...
W00T!! I got no hair left now!! Just kidding :D
Ok, now it's kinda working. Well, that is, the port is open, but clients don't get any pages from the web server. This is my iptables now:
Code:
#!/bin/sh
Can anyone see any problems with the table? Think I'm going iptables-blind :P
Try changing this line, the one right before your PREROUTING line
Code:
iptables -A FORWARD -i eth0 -d 192.168.0.120 -j ACCEPT
Code:
iptables -A FORWARD -p tcp -d 192.168.0.120 --dport 80 -j ACCEPT
Code:
iptables -A INPUT -p tcp -i eth0 -s 0.0.0.0/0 --dport 80 -j ACCEPT
Hmm, did not help any. How can I check to see if the gw establishes a connection at all between the machines?
It appears that you are trying to build a firewall to protect a home network on a DSL connection. May I suggest the nicely tailored setup HomeLANSecurity, which is easy to figure out and easy to add stuff to for your specific purposes. It just makes a lot of sense to me to use a mature configuration, in which someone has paid a lot of attention to details and has had the benefit of many previous users' input. You can still modify it to your specification, in case it doesn't do everything you want (i.e. hacking is encouraged).
--- rod.
Yeah, looks good. And it's CLI too! :)
I'll have a go at it after a few hours of sleep :) Thanks all, for all the help!! :)
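A complete version of what this thread pieces together (the DNAT in the nat table, FORWARD rules for both directions, ip_forward turned on, default-deny policies so port 22 is closed from the outside), written as an added example that is not a script from any post here. It assumes the WAN interface is eth0, the LAN interface is eth1 and the web server is 192.168.0.120, the address used in the thread; set DRY_RUN=1 to only print the rules.

```shell
#!/bin/sh
# Added example, not a script from this thread. Assumptions: WAN interface
# eth0, LAN interface eth1, web server 192.168.0.120 (the address the thread
# uses). Needs root to apply; DRY_RUN=1 only prints the rules for review.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WEB_IP="${WEB_IP:-192.168.0.120}"

# Emit the rule set, one iptables command per line, in the order it must run.
# Default-deny INPUT/FORWARD closes port 22 (and everything else) from the WAN.
build_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_IP --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# The two pieces the thread tripped over: the DNAT must sit in the nat table,
# and replies from the web server need a FORWARD rule back out (the
# ESTABLISHED,RELATED line) plus ip_forward=1, or browsers see "Unable to connect".
apply_rules() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        build_rules
    else
        build_rules | sh -e
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Self-check on the generated rules before anything is applied.
rules_ok() {
    build_rules | grep -q -- '^iptables -t nat -A PREROUTING .* -j DNAT' &&
    build_rules | grep -q -- '^iptables -A FORWARD .*ESTABLISHED,RELATED'
}

case "${1:-}" in
    apply) apply_rules ;;
    show) DRY_RUN=1 apply_rules ;;
esac
```

Run it as `sh fw.sh show` to review the rules and `sh fw.sh apply` as root to load them; `iptables -t nat -L -n` afterwards should list the PREROUTING DNAT, which plain `iptables -L` never shows.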