Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I know that question has probably been asked, but I didn't find the answer after 3 days of research over the internet.
- I have a webserver running on port 80.
- I have a firewall which serve as a router for that webserver.
- I'm using iptables for the firewall rules.
- My firewall has 2 nic, eth0 for internet and eth1 for LAN.
I want to know what commands I must execute if I want to redirect all the requests on my firewall on port 80 to my webserver on port 80.
where xxx... is your external IP
and yyy... is the IP of the internal webserver
You'll likely also need forwarding rules to move packets across interfaces:
Code:
iptables -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
I'd recommend putting them in a script along with the other standard firewall rules (default input and forward drop policies, access to other ports, logging rules, etc.). Then have the script automatically run at boot.
Last edited by Capt_Caveman; 04-20-2004 at 08:38 PM.
AFAIK, that behavior (where every packet would go through all three chains) was only in IPchains. If you look at the sequence of how incoming packets are handled (I suck at ASCII art, so here is a good visual), you can see that there is a routing decision after the PREROUTING chain. If the packet is local, then it goes through the standard iptables packet filter chains (INPUT, OUTPUT, etc.). If it's not destined locally, it goes to the FORWARD chain. If it makes it through FORWARD, then it goes to POSTROUTING (note that it completely skipped the INPUT and OUTPUT chains of the packet filter) and then hits the wire again.
If you think about it, it kind of does make sense. With something doing any kind of relatively high-load routing, you wouldn't want every single packet to go through the filter otherwise you would create a serious load on the router itself as well as creating a pretty substantial bottleneck. You can actually try it: Add a DROP rule to the top of the input chain that matches port 80 packets, you'll see that the traffic still goes through.
So everything that comes from anywhere trying to access the address of your server (196.25.106.24), for example http://196.25.106.24, will be redirected inside your network to the webserver that has the IP 192.168.0.4. I hope that I have been understandable.
I wouldn't recommend doing that. You're basically turning your firewall into a router and forwarding all the traffic into the LAN. So then you'll have to do any filtering on the webserver itself, and you'll take a performance hit by allowing scans and other garbage into the LAN. Another problem with that is if any of the DNAT'ed traffic gets dropped by the webserver firewall, you'll have a bunch of hung entries in the firewall's state table that will sit there until the timeout is reached. Better to just block everything at the border firewall and allow only those ports you specifically need to be forwarded into the LAN. In terms of security, it's really much better to do any routing/filtering tasks on a system that doesn't have any public services on it.
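Putting the two recommendations from this thread together (a boot-time script with default DROP policies on INPUT and FORWARD, and forwarding only the port you need instead of everything), here is an added example firewall script; it is not code from the thread or from any poster. It assumes the layout described above (eth0 = internet, eth1 = LAN, webserver 192.168.0.4) and uses the placeholder public address 203.0.113.10; setting IPT=echo prints the rules instead of applying them, so it can be checked without root.

```shell
#!/bin/sh
# Border firewall (constructed example): eth0 = internet, eth1 = LAN.
# IPT=echo prints the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"
EXT_IF=eth0
LAN_IF=eth1
EXT_IP="${EXT_IP:-203.0.113.10}"   # placeholder public address; use your own
WEB_IP="${WEB_IP:-192.168.0.4}"    # internal webserver, as in the thread

fw_apply() {
    # Start from a clean slate.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    # Default deny for traffic to the firewall and through it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback, and replies to the firewall's own outbound connections.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNAT: port 80 arriving on the public address is rewritten to the webserver.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP:80"
    # Already-tracked flows pass in both directions (web replies out,
    # replies to the webserver's own browsing back in).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections from the internet: only the DNAT'ed web traffic.
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$WEB_IP" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    # New connections from the LAN outward (the webserver may browse).
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    # Log what FORWARD is about to drop, rate-limited so it cannot flood syslog.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    # MASQUERADE only on the internet-facing interface, never on the LAN side.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # The kernel must be allowed to route between the two interfaces.
    [ "$IPT" = echo ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Apply only when asked, so the file can also be sourced and inspected.
if [ "${FW_APPLY:-0}" = 1 ]; then
    fw_apply
fi
```

Dry-run with `IPT=echo FW_APPLY=1 sh fw.sh` to read the rule set; apply for real as root with `FW_APPLY=1 sh fw.sh`.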
I did what you told me to do, but I think my masquerade rule isn't right.
My webserver can now go and browse the internet, but when I try to access my web page, it says "could not connectd to remote server". Here is the script I run for my firewall rules: