- 10-02-2011 #1 Just Joined!
- Join Date
- Sep 2007
- Posts
- 9
IPTables and web interface problems.
Hey guys,
I'm having some issues configuring my iptables settings.
First of all my network:
Modem (Linux box):
eth0 = 10.0.0.1/255.0.0.0
eth1 = 12.0.0.2/255.255.255.252 (Virtual adapter)
ppp = DHCP via ISP (Bridged Ethernet from WAN card).
Laptop:
eth0 = 10.0.0.2/255.0.0.0
WAN Card:
eth0 = 12.0.0.1/255.255.255.252
I've got it set up so that it's PPP over bridged Ethernet. The WAN card is a PCI card with its own OS on it.
I've got masquerading working correctly and can connect to the internet just fine.
My problem is with my WAN card. The WAN card has its own telnet and http server on it, but I can only access it from the modem.
If I ping my eth1 on the modem (12.0.0.2) from the laptop (10.0.0.2) the ping is successful.
If I ping the WAN eth0 (12.0.0.1) from the laptop (10.0.0.2), the ping fails.
If I ping, telnet or lynx to the WAN eth0 (12.0.0.1) from my Linux box, it works fine.
So basically, only the localhost can communicate with the WAN card's telnet, http etc. Another computer can't.
I believe this is an iptables problem so any help in this area is really appreciated, as I'm kind of new to it all.
Here's my IPTables file (It runs on startup):
Code:
#!/bin/sh

IPTBL=/sbin/iptables  # Where is IPTables

$IPTBL -F  # Flush All Rules

# Hard-Coded Default Policies
$IPTBL -P OUTPUT ACCEPT
$IPTBL -P INPUT DROP
$IPTBL -P FORWARD DROP

# Loopback Traffic Controller
$IPTBL -A INPUT --in-interface lo -j ACCEPT

# Allowed Inputs
$IPTBL -A INPUT -p tcp --dport 80 -j ACCEPT  # Allow Apache connections originating from anywhere.
$IPTBL -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT  # Allow SSH internally.
$IPTBL -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT  # Allow SSH from internet.

# Allow Established connections and routing/NAT
$IPTBL -t nat -A POSTROUTING -o ppp0 -j MASQUERADE  # Enable NAT.
$IPTBL -A FORWARD -i eth0 -o ppp0 -j ACCEPT  # Allow packets generating from inside to outside
$IPTBL -A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT  # Allow established connections back in.

# HERE IS MY CONFIGS FOR THE WAN HTTP/TELNET SERVER.
# --------
$IPTBL -t nat -A POSTROUTING -o eth1 -j MASQUERADE  # Allow WAN WGUI to think the local machine is initiating requests.
$IPTBL -A FORWARD -i eth1 -o eth0 -j ACCEPT  # Allow connections from WAN card to LAN.
$IPTBL -A FORWARD -i eth0 -o eth1 -j ACCEPT  # Allow LAN communication to WAN Card.
# --------
Last edited by Slyke; 10-03-2011 at 10:42 AM.
- 10-03-2011 #2 Just Joined!
- Join Date
- Dec 2010
- Posts
- 10
Hi,
Could you post the result of "traceroute" to the IP 12.0.0.1 from your laptop and from the modem? Also, on the modem, do a "route -n" and post the output.
--Regards,
Sumit.
- 10-03-2011 #3 Just Joined!
- Join Date
- Sep 2007
- Posts
- 9
Hey ss81
Thanks for your reply!
I had a feeling it was this and checked myself, but it seems fine... I think.
Here's the output:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
12.0.0.0        0.0.0.0         255.255.255.252 U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
- 10-06-2011 #4 Just Joined!
- Join Date
- Dec 2010
- Posts
- 10
Here's the output:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
12.0.0.0        0.0.0.0         255.255.255.252 U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
Hi Slyke,
Ping the IP 12.0.0.1 from your laptop and at the same time run "tcpdump -n -i eth1 icmp" on your Linux box (modem) and see whether any ICMP packets are reaching the eth1 (12.0.0.2) interface of the Linux box.
- 10-08-2011 #5
Do you have forwarding turned on on the linux box?
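
The two checks raised in the replies (the `route -n` lookup for 12.0.0.1 and whether forwarding is on), as an added example that is not part of any post. The helper names `sample_routes`, `forwarding_enabled`, `route_iface` and `diagnose` are hypothetical; the embedded routing table is the one posted in reply #3.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the thread.
# Routing table as posted in reply #3, embedded so the script runs offline.
sample_routes() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
12.0.0.0        0.0.0.0         255.255.255.252 U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
EOF
}

# forwarding_enabled [FILE]: succeed only if the kernel forwards IPv4 packets.
# FILE defaults to the live sysctl; pass another path to test offline.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# route_iface DEST: read `route -n` output on stdin and print the interface of
# the most specific (longest-mask) route covering DEST; fail if none matches.
route_iface() {
    awk -v dest="$1" '
        function ip2n(s,  p) {
            split(s, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && NF >= 8 {
            mask = ip2n($3); size = 4294967296 - mask  # addresses per route
            d = ip2n(dest)
            if (d - (d % size) == ip2n($1) && mask >= best) {
                best = mask; iface = $8
            }
        }
        END { if (iface == "") exit 1; print iface }
    '
}

# diagnose DEST [FILE]: run both checks against the table on stdin.
# On the Linux box: route -n | diagnose 12.0.0.1
diagnose() {
    out=$(route_iface "$1") || { echo "no route to $1"; return 2; }
    if forwarding_enabled "$2"; then
        echo "forwarding on; $1 leaves via $out"
    else
        echo "forwarding OFF; the kernel will not relay LAN packets for $1 to $out"
        return 1
    fi
}
```

If both checks pass, the `tcpdump -n -i eth1 icmp` capture suggested in reply #4 shows whether the forwarded packets actually leave eth1.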

