  1. #1
    Just Joined!
    Join Date
    Nov 2009
    Posts
    9

    Problem with Iptables


    Hi,
    I just install 1 firewall using Iptables.
    Firewall includes 2 NIC:
    NIC1 <IP PUBLIC>
    NIC2 192.168.10.1

    I installed 1 web server IP: 192.168.10.2
    I have some PC IP range: 192.168.10.10->20

    I set rules NAT on firewall and PC & web server can connect internet good, but i have problems:
    When PC access to web server with IP 192.168.10.2 that ok, but PC can't access to web server when using IP PUBLIC.
    But i outside internet, i can access to web server using IP PUBLIC.

    Rules on IPTables

    Code:
    # Generated by iptables-save v1.3.5 on Sun Mar  7 21:01:16 2010
    *nat
    :PREROUTING ACCEPT [950:126970]
    :POSTROUTING ACCEPT [89:5880]
    :OUTPUT ACCEPT [19:1342]
    -A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
    -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 209.99.242.124
    COMMIT
    *filter
    :INPUT DROP [1599:157409]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [232:34452]
    -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A FORWARD -i eth1 -o eth0 -j ACCEPT
    -A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j ACCEPT
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -i eth1 -j ACCEPT 
    -A OUTPUT -o lo -j ACCEPT 
    -A OUTPUT -o eth1 -j ACCEPT 
    COMMIT
    Please help me !

  2. #2
    Just Joined! its_really_me's Avatar
    Join Date
    Mar 2010
    Location
    Germany
    Posts
    25
    longvnit,

    you must use something which is called hairpinning. It allows that traffic going out the firewall can connect to its own public IP address on a different port.

    A rule may look like this:

    iptables -t nat -A POSTROUTING -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j SNAT --to-source $LAN

    where $LAN is the LAN IP. I would have to try myself again to confirm that the command would work as given.

  3. #3
    Linux User
    Join Date
    Dec 2009
    Posts
    264
    I am having a little trouble understanding your problem ...

    As far as I understand:
    You can access your local Web-Server from your local Network (192.168.10.0/24)
    You can access all Internet locations from your local Network
    Your prerouting from the Internet to your local web-server isn't working?

    You may wanna try to make the prerouting less specific...
    -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
    should be enough.

  5. #4
    Just Joined!
    Join Date
    Nov 2009
    Posts
    9
    Quote Originally Posted by its_really_me View Post
    longvnit,

    you must use something which is called hairpinning. It allows that traffic going out the firewall can connect to its own public IP address on a different port.

    A rule may look like this:

    iptables -t nat -A POSTROUTING -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j SNAT --to-source $LAN

    where $LAN is the LAN IP. I would have to try myself again to confirm that the command would work as given.
    Thanks for your reply. You understood my problem. I tried the hairpinning technique and wasn't able to get it to work. Are there other techniques would allow me to do the same thing?

  6. #5
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Try these rules

    Code:
    # Generated by Lazydog on Linuxforums.org Sat Apr 10 2010
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # Setup NATting for web access
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2
    # MASQ all traffic leaving the network
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :LAN - [0:0]
    :WAN - [0:0]
    # Allow all INPUT from the LAN and LO interface
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth1 -m state --state NEW -j ACCEPT
    -A INPUT -j DROP
    # Forward to look at chains for interfaces that traffic is coming in on
    -A FORWARD -i eth0 -j WAN
    -A FORWARD -i eth1 -j LAN
    # FORWARD rules for packets coming in on the LAN side
    -A LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A LAN -m state --state NEW -j ACCEPT
    # FORWARD rules for the packets coming in on the WAN side
    -A WAN -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A WAN -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
    -A WAN -j DROP
    COMMIT
    I turned your rules into a STATEFUL firewall. I did not add any OUTPUT rules as the policy is accept. For the FORWARD rules I moved them into chains as I believe they are easier to manage this way. I also use MASQ instead of SNAT so that should your IP Address ever change for any reason you will still be functional.

    Regards
    Robert

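The hairpinning that post #2 describes, and the rule set in post #5, can be combined into one loadable iptables-restore file. The script below is an added example, not code from any of the posters. It generates the rules as text so it can be checked offline; on the firewall it would be piped into iptables-restore. It assumes the interface names and addresses from the thread (eth0 = WAN, eth1 = LAN, public IP 209.99.242.124, web server 192.168.10.2, firewall LAN IP 192.168.10.1), all overridable through the environment variables at the top. Two things differ from the original post's rules: the DNAT also matches packets arriving on the LAN interface (the original `-i eth0` rule never sees a LAN client), and a hairpin SNAT rewrites the source of those LAN-to-web-server connections to the firewall's LAN IP so that the server's reply comes back through the firewall to be un-DNATed, instead of going straight to the client from 192.168.10.2, where the client discards it because it expected an answer from the public IP.

```shell
#!/bin/sh
# Constructed example: emit an iptables-restore rule set that lets LAN clients
# reach the web server via the public IP (hairpin NAT / NAT loopback).
# Values are assumptions taken from the thread; override via the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
PUBLIC_IP="${PUBLIC_IP:-209.99.242.124}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
FW_LAN_IP="${FW_LAN_IP:-192.168.10.1}"
WEB_IP="${WEB_IP:-192.168.10.2}"

# Print the complete rule set on stdout (both tables, each ended by COMMIT).
hairpin_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT for Internet clients: packet arrives on $WAN_IF
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80
# DNAT for LAN clients that use the public IP: packet arrives on $LAN_IF,
# so a rule restricted to -i $WAN_IF never matches it
-A PREROUTING -i $LAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80
# Hairpin SNAT: make the web server answer the firewall, not the client directly,
# so the reply is un-DNATed back to $PUBLIC_IP before the client sees it
-A POSTROUTING -s $LAN_NET -d $WEB_IP -p tcp --dport 80 -j SNAT --to-source $FW_LAN_IP
# Ordinary outbound NAT for the LAN
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
# Hairpinned connections enter and leave on $LAN_IF; allow only the web port
-A FORWARD -i $LAN_IF -o $LAN_IF -d $WEB_IP -p tcp --dport 80 -j ACCEPT
# Published web server for Internet clients
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_IP -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Offline sanity check (no iptables needed): both tables end with COMMIT and
# the hairpin SNAT rule is present. Returns 0 on success, 1 otherwise.
check_ruleset() {
    out=$(hairpin_ruleset)
    [ "$(printf '%s\n' "$out" | grep -c '^COMMIT$')" -eq 2 ] || return 1
    printf '%s\n' "$out" | grep -q -- "-d $WEB_IP -p tcp --dport 80 -j SNAT --to-source $FW_LAN_IP" || return 1
    printf '%s\n' "$out" | grep -q -- "-i $LAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT" || return 1
    return 0
}

# On the firewall, as root:  hairpin_ruleset | iptables-restore
```

The filter section keeps the DROP policies from the thread and adds the one FORWARD rule a hairpinned connection needs: because the SNAT rewrites the source, the packet arrives on eth1 and also leaves on eth1, which neither `-i eth1 -o eth0` nor `-i eth0 -o eth1` covers. Restricting the SNAT to `-d 192.168.10.2 --dport 80` keeps the web server's logs honest for every other LAN connection; only hairpinned requests appear to come from the firewall.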
