Problem with Iptables

[longvnit]

Hi,
I just install 1 firewall using Iptables.
Firewall includes 2 NIC:
NIC1 <IP PUBLIC>
NIC2 192.168.10.1

I installed 1 web server IP: 192.168.10.2
I have some PC IP range: 192.168.10.10->20

I set rules NAT on firewall and PC & web server can connect internet good, but i have problems:
When PC access to web server with IP 192.168.10.2 that ok, but PC can't access to web server when using IP PUBLIC.
But i outside internet, i can access to web server using IP PUBLIC.

Rules on IPTables

Code:

# Generated by iptables-save v1.3.5 on Sun Mar  7 21:01:16 2010
*nat
:PREROUTING ACCEPT [950:126970]
:POSTROUTING ACCEPT [89:5880]
:OUTPUT ACCEPT [19:1342]

-A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 209.99.242.124
*filter
:INPUT DROP [1599:157409]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [232:34452]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT 
-A INPUT -i eth1 -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -o eth1 -j ACCEPT 
COMMIT

Please help me !

[its_really_me]

longvnit,

you must use something which is called hairpinning. It allows that traffic going out the firewall can conect to it's own public IP address on a different port.

A rule may look like this:

iptables -t nat -A POSTROUTING -i $LAN -o $LAN -j SNAT

where $LAN is the LAN IP. I would have to try myself again to confirm that the command would work as given.

[zombykillah]

I am a little troubled to get your problem ...

As far as I understand:
You can access your local Web-Server from your local Network (192.168.10.0/24)
You can access all Internet locations from your local Network
Your prerouting from the Internet to your local web-server isn't working?

You may wanna try to make the prerouting less specific...

-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80

should be enough.

[longvnit]

longvnit,

you must use something which is called hairpinning. It allows that traffic going out the firewall can conect to it's own public IP address on a different port.

A rule may look like this:

iptables -t nat -A POSTROUTING -i $LAN -o $LAN -j SNAT

where $LAN is the LAN IP. I would have to try myself again to confirm that the command would work as given.

Thanks for your reply. You understood my problem. I tried the hairpinning technique and wasn't able to get it to work. Are there other techniques would allow me to do the same thing?

[Lazydog]

Try these rules

Code:

# Generated by Lazydog on Linuxforums.org Sat Apr 10 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LAN - [0:0]
:WAN - [0:0]
# Setup NaATting for web access
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2
# MASQ all traffic leaving the network
-A POSTROUTING -o eth0 -j MASQUERADE
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all INPUT from the LAN and LO interface
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
# Forward to look at chians for interfaces that traffic is coming in on
-A FORWARD -i eth0 -j WAN
-A FORWARD -i eth1 -j LAN
# FORWARD rules for packets coming in on the LAN side
-A LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LAN -m state --state NEW -j ACCEPT 
# FORWARD rules for the packets coming in on the WAN side
-A WAN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A WAN -p tcp -m tcp -m state --dport 80 --state NEW -j ACCEPT
-A WAN -j DROP

I turned your rules into a STATEFUL firewall. I did not add any OUTPUT rules as the policy is accept. For the FORWARD rules I moved them into chains as I believe they are easier to mange this way. I also use MASQ instead of SNAT so that should your IP Address ever change for any reason you will still be functional.