LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-20-2004, 10:36 AM   #1
Raphael_T
LQ Newbie
 
Registered: Oct 2003
Distribution: Mandrake 9.1, Red Hat 7.3
Posts: 21

Rep: Reputation: 15
webserver behind a firewall with iptables


I know that question has probably been asked, but I didn't find the answer after 3 days of research over the internet.

- I have a webserver running on port 80.
- I have a firewall which serves as a router for that webserver.
- I'm using iptables for the firewall rules.
- My firewall has 2 NICs, eth0 for internet and eth1 for LAN.

I want to know what commands I must execute if I want to redirect all the requests on my firewall on port 80 to my webserver on port 80.



Thanks for the answer.
 
Old 04-20-2004, 08:37 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
This rule will redirect packets to the internal webserver:

Code:
iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination yyy.yyy.yyy.yyy
where xxx... is your external IP
and yyy... is the IP of the internal webserver

You'll likely also need forwarding rules to move packets across interfaces:

Code:
iptables -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

I'd recommend putting them in a script along with the other standard firewall rules (default input and forward drop policies, access to other ports, logging rules, etc.). Then have the script automatically run at boot.

Last edited by Capt_Caveman; 04-20-2004 at 08:38 PM.
 
Old 04-20-2004, 09:26 PM   #3
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
Don't forget to open up port 80 from the internet to your firewall...
 
Old 04-20-2004, 09:58 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by chrisfirestar
Don't forget to open up port 80 from the internet to your firewall...
Do you mean open port 80 on the webserver? You shouldn't need any more rules on the firewall to allow incoming packets.
 
Old 04-20-2004, 11:07 PM   #5
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
I thought that you needed to allow the incoming packets through eth0, otherwise the firewall will block them before they get forwarded??
 
Old 04-20-2004, 11:51 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
AFAIK, that behavior (where every packet would go through all three chains) was only in IPchains. If you look at the sequence of how incoming packets are handled (I suck at ASCII art, so here is a good visual), you can see that there is a routing decision after the PREROUTING chain. If the packet is local, then it goes through the standard iptables packet filter chains (INPUT, OUTPUT, etc). If it's not destined locally, it goes to the FORWARD chain. If it makes it through FORWARD, then it goes to POSTROUTING (note that it completely skipped the INPUT and OUTPUT chains of the packet filter) and then hits the wire again.

If you think about it, it kind of does make sense. With something doing any kind of relatively high-load routing, you wouldn't want every single packet to go through the filter, otherwise you would create a serious load on the router itself as well as creating a pretty substantial bottleneck. You can actually try it: add a DROP rule to the top of the INPUT chain that matches port 80 packets, and you'll see that the traffic still goes through.
 
Old 04-21-2004, 09:56 AM   #7
Raphael_T
LQ Newbie
 
Registered: Oct 2003
Distribution: Mandrake 9.1, Red Hat 7.3
Posts: 21

Original Poster
Rep: Reputation: 15
I did what you told me to do, but I think my masquerade rule isn't right:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
Old 04-21-2004, 11:46 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Could you post your entire ruleset w/ any identifiable IPs removed?
 
Old 04-21-2004, 12:39 PM   #9
silver2003
LQ Newbie
 
Registered: Apr 2004
Location: Romania
Distribution: RedHat 7.3
Posts: 28

Rep: Reputation: 15
You could try writing this in your iptables script:

iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d (the IP of your server) -j DNAT --to-destination (and here the IP in your network, for example 192.168.0.2)

Let's say that your server has the following IP: 196.25.106.34
Your network IP where the web server is: 192.168.0.4, OK

You write like this in your iptables script:

iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d 196.25.106.34 -j DNAT --to-destination 192.168.0.4

So everything that comes from anywhere trying to access the address of your server (196.25.106.24), for example http://196.25.106.24, will be directed in your network to the webserver that has the IP 192.168.0.4. I hope that I have been understandable.
 
Old 04-21-2004, 12:54 PM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by silver2003
You could try writing this in your iptables script:

iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d (the IP of your server) -j DNAT --to-destination (and here the IP in your network, for example 192.168.0.2)

Let's say that your server has the following IP: 196.25.106.34
Your network IP where the web server is: 192.168.0.4, OK

You write like this in your iptables script:

iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d 196.25.106.34 -j DNAT --to-destination 192.168.0.4

So everything that comes from anywhere trying to access the address of your server (196.25.106.24), for example http://196.25.106.24, will be directed in your network to the webserver that has the IP 192.168.0.4. I hope that I have been understandable.
I wouldn't recommend doing that. You're basically turning your firewall into a router and forwarding all the traffic into the LAN. So then you'll have to do any filtering on the webserver itself, and you'll take a performance hit by allowing scans and other garbage into the LAN. Another problem with that is if any of the DNAT'ed traffic gets dropped by the webserver firewall, you'll have a bunch of hung entries in the firewall's state table that will sit there until the timeout is reached. Better to just block everything at the border firewall and allow only those ports you specifically need to be forwarded into the LAN. In terms of security, it's really much better to do any routing/filtering tasks on a system that doesn't have any public services on it.
 
Old 04-23-2004, 04:49 AM   #11
silver2003
LQ Newbie
 
Registered: Apr 2004
Location: Romania
Distribution: RedHat 7.3
Posts: 28

Rep: Reputation: 15
Quote:
Originally posted by Raphael_T
I did what you told me to do, but I think my masquerade rule isn't right:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Raphael_T, why don't you masquerade only the ones that you want and use this command:

iptables -t nat -A POSTROUTING -s xxx.xxx.xxx.xxx -j SNAT --to-source yyy.yyy.yyy.yyy

where xxx... is your network IP
and yyy... is the public IP

You could download this PDF file and see how to use iptables when you have something behind the server:

http://www.davidcoulson.net/writing/lxf/39/iptables.pdf

You're right Capt_Caveman, I have screwed up.

CYA
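The rules from posts #2, #10 and #11 assembled into one script, added here as an example and not code from any poster; it assumes eth0 is the Internet side and eth1 the LAN side as in post #1, and all addresses are placeholders. By default it only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): a reviewable ruleset for the layout in
# post #1 (eth0 = Internet, eth1 = LAN) that follows posts #2, #10 and #11:
# default DROP, forward only port 80 to the webserver, SNAT everything outbound.
# IPT defaults to "echo iptables" so the rules are printed for review; run with
# IPT=/sbin/iptables to apply them for real. Addresses are placeholders.
IPT="${IPT:-echo iptables}"
EXTIF=eth0
INTIF=eth1
EXTIP=203.0.113.10      # public address on eth0 (documentation range, placeholder)
WEBIP=192.168.0.4       # internal webserver (address used in post #9)
LAN=192.168.0.0/24      # internal network behind eth1

enable_forwarding() {
    # Only touch the kernel when really applying rules, not in the dry run.
    case "$IPT" in
        echo*) echo "dry run: would set net.ipv4.ip_forward=1" ;;
        *)     sysctl -w net.ipv4.ip_forward=1 ;;
    esac
}

load_rules() {
    $IPT -F
    $IPT -t nat -F
    # Default deny for traffic to and across the firewall (post #2).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Port 80 to the public address is rewritten in PREROUTING, i.e. before the
    # routing decision (post #6), so it reaches FORWARD, never INPUT.
    $IPT -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport 80 \
         -j DNAT --to-destination "$WEBIP"
    # Admit only the DNATed web traffic from outside to inside, and replies back.
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$WEBIP" -p tcp --dport 80 \
         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log (rate limited) whatever else tries to cross; the DROP policy discards it.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    # Rewrite LAN sources to the public address on the way out (SNAT, post #11).
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j SNAT --to-source "$EXTIP"
}

enable_forwarding
load_rules
```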
 
Old 04-23-2004, 10:51 AM   #12
Raphael_T
LQ Newbie
 
Registered: Oct 2003
Distribution: Mandrake 9.1, Red Hat 7.3
Posts: 21

Original Poster
Rep: Reputation: 15
My webserver can now go and browse the internet, but when I try to access my web page, it says "could not connect to remote server". Here is the script I run for my firewall rules:

Code:
#!/bin/sh
FWVER=0.75
echo -e "\n\nLoading simple rc.firewall version $FWVER ... "

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

EXTIF="eth1"
INTIF="eth0"
echo " External interface is $EXTIF"
echo " Internal interface is $INTIF"

#echo -en " Loading modules:\n"
#echo " Verifying that all kernel modules are ok "
#$DEPMOD -a

echo "--------------------------------------------------"
echo -en "\nip_tables"
$MODPROBE ip_tables
echo -en "\nip_conntrack"
$MODPROBE ip_conntrack
echo -en "\nip_conntrack_ftp"
$MODPROBE ip_conntrack_ftp
echo -en "\nip_conntrack_irc"
$MODPROBE ip_conntrack_irc
echo -en "\nip_nat"
$MODPROBE ip_nat
echo -en "\nip_nat_ftp"
$MODPROBE ip_nat_ftp
echo -en "\nip_nat_irc"
$MODPROBE ip_nat_irc
echo -en "\n--------------------------------------------------"
echo -en "\nDone loading modules "
echo -en "\nEnabling forwarding"
echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

#Enter configuration rules here
$IPTABLES -t nat -A PREROUTING -d yyy.yyy.yyy.yyy -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination xxx.xxx.xxx.xxx
$IPTABLES -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s xxx.xxx.xxx.xxx -j SNAT --to-source yyy.yyy.yyy.yyy



echo -e "\nFirewall rules applied\n"

where xxx.xxx.xxx.xxx is my internal address
where yyy.yyy.yyy.yyy is my internet address

Last edited by Raphael_T; 04-23-2004 at 10:54 AM.
 
Old 04-23-2004, 12:38 PM   #13
Raphael_T
LQ Newbie
 
Registered: Oct 2003
Distribution: Mandrake 9.1, Red Hat 7.3
Posts: 21

Original Poster
Rep: Reputation: 15
I ran nmap on my firewall from a computer outside my network and port 80 seems to be closed on my firewall. Can this be the problem?
 
Old 04-23-2004, 03:56 PM   #14
silver2003
LQ Newbie
 
Registered: Apr 2004
Location: Romania
Distribution: RedHat 7.3
Posts: 28

Rep: Reputation: 15
Of course it is a problem. If a client requests to view your webpage, the server will not respond to your client.
 
Old 04-26-2004, 09:38 AM   #15
Raphael_T
LQ Newbie
 
Registered: Oct 2003
Distribution: Mandrake 9.1, Red Hat 7.3
Posts: 21

Original Poster
Rep: Reputation: 15
How can I open port 80 on my firewall if I want to forward the requests ?
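Posts #13 to #15 leave open why an external scan reports port 80 closed even though a DNAT rule exists; this added example (not from the thread) reads the packet counters of the DNAT and FORWARD rules to tell which of the three usual causes applies. The listings it parses are constructed samples with placeholder addresses; on a real firewall pass it the output of the two iptables commands named in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): locate where forwarded port-80 traffic
# stops by reading the packet counters of the DNAT and FORWARD rules. Feed it
# the real output of:  iptables -t nat -L PREROUTING -v -n
#                 and:  iptables -L FORWARD -v -n
# The listings below are constructed samples with placeholder addresses.

# Print the pkts counter of the first rule line containing every given pattern.
rule_pkts() {
    listing=$1; shift
    printf '%s\n' "$listing" | awk -v pats="$*" '
        BEGIN { n = split(pats, p, " ") }
        /^ *[0-9]/ {
            ok = 1
            for (i = 1; i <= n; i++) if (index($0, p[i]) == 0) ok = 0
            if (ok) { print $1; exit }
        }'
}

# Verdict for the three usual failure points when an external scan reports
# port 80 closed even though a DNAT rule exists (posts #13 to #15).
diagnose_dnat() {
    nat=$(rule_pkts "$1" DNAT dpt:80)
    fwd=$(rule_pkts "$2" ACCEPT dpt:80)
    case "$nat" in
        ""|0) echo "no-dnat-match"; return ;;   # wrong -i/-d, or packets never reach eth0
    esac
    case "$fwd" in
        ""|0) echo "no-forward-match" ;;        # FORWARD rule direction or policy blocks it
        *)    echo "forwarded" ;;               # firewall is fine: check webserver and its gateway
    esac
}

NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.10         tcp dpt:80 to:192.168.0.4'
FWD_SAMPLE='Chain FORWARD (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.168.0.4          tcp dpt:80 state NEW,RELATED,ESTABLISHED
   40  2400 ACCEPT     all  --  eth1   eth0    192.168.0.0/24       0.0.0.0/0'

diagnose_dnat "$NAT_SAMPLE" "$FWD_SAMPLE"    # prints no-dnat-match
```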
 
  

