Results 1 to 5 of 5
Thread: Problem with Iptables
Enjoy an ad free experience by logging in. Not a member yet? Register.
- Join Date
- Nov 2009
Problem with Iptables
I just install 1 firewall using Iptables.
Firewall includes 2 NIC:
NIC1 <IP PUBLIC>
I installed 1 web server IP: 192.168.10.2
I have some PC IP range: 192.168.10.10->20
I set rules NAT on firewall and PC & web server can connect internet good, but i have problems:
When PC access to web server with IP 192.168.10.2 that ok, but PC can't access to web server when using IP PUBLIC.
But i outside internet, i can access to web server using IP PUBLIC.
Rules on IPTables
# Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010 *nat :PREROUTING ACCEPT [950:126970] :POSTROUTING ACCEPT [89:5880] :OUTPUT ACCEPT [19:1342] -A PREROUTING -d 184.108.40.206 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80 -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 220.127.116.11 *filter :INPUT DROP [1599:157409] :FORWARD DROP [0:0] :OUTPUT ACCEPT [232:34452] -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -o eth0 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth1 -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth1 -j ACCEPT COMMIT
you must use something which is called hairpinning. It allows that traffic going out the firewall can conect to it's own public IP address on a different port.
A rule may look like this:
iptables -t nat -A POSTROUTING -i $LAN -o $LAN -j SNAT
where $LAN is the LAN IP. I would have to try myself again to confirm that the command would work as given.
- Join Date
- Dec 2009
I am a little troubled to get your problem ...
As far as I understand:
You can access your local Web-Server from your local Network (192.168.10.0/24)
You can access all Internet locations from your local Network
Your prerouting from the Internet to your local web-server isn't working?
You may wanna try to make the prerouting less specific...
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
- Join Date
- Nov 2009
Try these rules
# Generated by Lazydog on Linuxforums.org Sat Apr 10 2010 *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :LAN - [0:0] :WAN - [0:0] # Setup NaATting for web access -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2 # MASQ all traffic leaving the network -A POSTROUTING -o eth0 -j MASQUERADE *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] # Allow all INPUT from the LAN and LO interface -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth1 -m state --state NEW -j ACCEPT -A INPUT -j DROP # Forward to look at chians for interfaces that traffic is coming in on -A FORWARD -i eth0 -j WAN -A FORWARD -i eth1 -j LAN # FORWARD rules for packets coming in on the LAN side -A LAN -m state --state RELATED,ESTABLISHED -j ACCEPT -A LAN -m state --state NEW -j ACCEPT # FORWARD rules for the packets coming in on the WAN side -A WAN -m state --state RELATED,ESTABLISHED -j ACCEPT -A WAN -p tcp -m tcp -m state --dport 80 --state NEW -j ACCEPT -A WAN -j DROP
The adventure of a life time.
Linux User #296285