psyche-list-ye_olde_iptables_problem_leading_to_quasi-obvious_gotcha_use_external_ip_addresses_only_externally

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



To: psyche-list@listman.redhat.com
From: "Tomas Larsson" <larssontomas@telia.com>
Subject: Problem with IPtables
Date: Thu, 13 Mar 2003 04:05:23 +0100

Hi group.

I have some problems setting up iptables.
Background: RH8 box as firewall and router.
            Second RH8 box as Apache server.
I can reach the www-server from the internal network, but not from internet.

My script looks basically like this, what am I missing?

$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -t nat -I PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 80 \
    -j DNAT --to 192.168.x.x:80

===

To: psyche-list@listman.redhat.com
From: "jdow" <jdow@earthlink.net>
Subject: Re: Problem with IPtables
Date: Wed, 12 Mar 2003 19:20:44 -0800

From: "Tomas Larsson" <larssontomas@telia.com>

> $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
> $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
> $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
> $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state \
>     --state ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -t nat -I PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 80 \
>     -j DNAT --to 192.168.x.x:80

Add:
echo "1" > /proc/sys/net/ipv4/ip_forward

{^_^}

===

To: psyche-list@listman.redhat.com
From: "J. M. Brenner" <doom@kzsu.stanford.edu>
Subject: Re: Problem with IPtables 
Date: Wed, 12 Mar 2003 23:26:38 -0800


"Tomas Larsson" <larssontomas@telia.com> wrote: 

> I have some problems setting up iptables.
> Background: RH8 box as firewall and router.
>             Second RH8 box as Apache server.
> I can reach the www-server from the internal network, but not from internet.

I suggest installing "gShield", and using it to configure
iptables.  It's essentially a shell script with a heavily 
commented, easy-to-use configuration file. You fill in 
the values (like, should HTTP be OPEN or FORWARD?), run 
the script and it works.   I threw it in my
/etc/rc.d/rc.local to make it permanent.

I wouldn't blame you if you wanted to keep plugging away 
at understanding how to do it yourself... I blew a week 
or so trying to understand the current state of linux 
network admin before I "copped out" and went to gShield. 
I wish I'd done it sooner. 

===

To: psyche-list@listman.redhat.com
From: "Tomas Larsson" <larssontomas@telia.com>
Subject: SV: Problem with IPtables 
Date: Thu, 13 Mar 2003 12:43:47 +0100

> J. M. Brenner wrote:

> "Tomas Larsson" <larssontomas@telia.com> wrote: 
> 
> > I have some problems setting up iptables.
> > Background: RH8 box as firewall and router.
> >             Second RH8 box as Apache server.
> > I can reach the www-server from the internal network, but not from 
> > internet.
> 
> I suggest installing "gShield", and using it to configure 
> iptables.  It's essentially a shell script with a heavily 
> commented, easy-to-use configuration file. You fill in 
> the values (like, should HTTP be OPEN or FORWARD?), run 
> the script and it works.   I threw it in my
> /etc/rc.d/rc.local to make it permanent.
> 
> I wouldn't blame you if you wanted to keep plugging away 
> at understanding how to do it yourself... I blew a week 
> or so trying to understand the current state of linux 
> network admin before I "copped out" and went to gShield. 
> I wish I'd done it sooner. 


Thanks.
I've obtained gShield.

But there is still the same problem.
I can ping all machines on the internal network with IP or host.
I can ping external hosts.
I can ping my external IP and domain.
I can connect to Apache from within the internal network with internal IP or
host.
I can connect to external web servers.

Everything is working

Except

I cannot connect to Apache with domain or external IP.

When I do an iptables -L -v -n (-t nat) I can see that packets are forwarded
to Apache, but nothing more happens.

Is there something more and obvious I am missing?


===

To: psyche-list@listman.redhat.com
From: "Mike Vanecek" <rh_lists@mm-vanecek.com>
Subject: Re: SV: Problem with IPtables 
Date: Thu, 13 Mar 2003 10:22:42 -0600

On Thu, 13 Mar 2003 12:43:47 +0100, Tomas Larsson wrote
> Thanks.
> I've obtained gShield.
> 
> But there is still the same problem.
> I can ping all machines on the internal network with IP or host.
> I can ping external hosts.
> I can ping my external IP and domain.
> I can connect to Apache from within the internal network with internal
> IP or host.
> I can connect to external web servers.
> 
> Everything is working
> 
> Except
> 
> I cannot connect to Apache with domain or external IP.
> 
> When I do an iptables -L -v -n (-t nat) I can see that packets are forwarded
> to Apache, but nothing more happens.
> 
> Is there something more and obvious I am missing?

Put in a -j LOG for port 80 and log all incoming port 80 packets (this needs to
be before the -j ACCEPT for 80) on the interface that is passing packets to the
server.

What do the /var/log/httpd/access_log and error_log tell you?

You have checked /etc/hosts.deny?

Run Apache in debug mode to see that the packets are indeed being routed to
Apache?


===

To: psyche-list@listman.redhat.com
From: Jack Bowling <jbinpg@shaw.ca>
Subject: Re: SV: Problem with IPtables
Date: Thu, 13 Mar 2003 08:25:52 -0800

** Reply to message from Tomas Larsson <larssontomas@telia.com> on Thu, 13 Mar 2003 12:43:47 +0100

> Thanks.
> I've obtained gShield.
> 
> But there is still the same problem.
> I can ping all machines on the internal network with IP or host.
> I can ping external hosts.
> I can ping my external IP and domain.
> I can connect to Apache from within the internal network with internal IP or
> host.
> I can connect to external web servers.
> 
> Everything is working
> 
> Except
> 
> I cannot connect to Apache with domain or external IP.

What is your default FORWARD policy? If it is DROP then you need to specifically allow packets both ways.

/sbin/iptables -L -v -n | grep FORWARD

===

To: psyche-list@listman.redhat.com
From: "Tomas Larsson" <larssontomas@telia.com>
Subject: SV: SV: Problem with Iptables// SOLVED
Date: Thu, 13 Mar 2003 18:00:35 +0100

My apologies to all of you.
It actually works; I didn't look in the HTTPD logs until now, and yes, it
works.

It is my own fault totally.
Previously I had the server on the same box as the firewall, but since I
need some bandwidth limiting, the only way of doing it was to move the
server to a different box and shape that box.

Now, previously when I accessed the server from within the internal network,
I've just typed the external IP or domain name, and off it went.
But now I can't access the server that way, only by its internal IP or host
name.
But from outside there is full access as it should be.  

Tested with a normal dial-up and it worked OK.

But thanks anyway for your patience with a stupid not-thinking Viking.

===
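A worked version of what the thread converges on, added here as an example and not anything posted to the list: a port-forward script for the setup Tomas describes (one RH8 box routing between an external and an internal interface, Apache on a second internal box) that covers the three checks the replies suggest, ip_forward (jdow), explicit FORWARD rules under a DROP policy (Jack Bowling) and a LOG rule ahead of the ACCEPT (Mike Vanecek), plus hairpin rules for the case the last message describes: reaching the server by its external address from inside the LAN. With a plain DNAT rule that case fails because the server answers the LAN client directly from its internal address while the client's socket is waiting for a reply from EXTIP; the thread never diagnosed this, it is the usual cause, and the title's advice (use external addresses only externally, e.g. have internal DNS resolve the domain to the internal IP) is the other way around it. Interface names, addresses, the function names and the DRY_RUN switch are assumptions, not from the post; with DRY_RUN=1 (the default) the script prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the psyche-list thread. Forward TCP/80 from the
# router's external address to an internal Apache box, and add the hairpin
# rules that let LAN clients use the external address too.
# Every name and address below is an assumption (RFC 5737 / RFC 1918 ranges).

IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}                 # assumption: Internet-facing NIC
INTIF=${INTIF:-eth1}                 # assumption: LAN NIC
EXTIP=${EXTIP:-203.0.113.10}         # assumption: router's public address
INTNET=${INTNET:-192.168.1.0/24}     # assumption: LAN range
WWW=${WWW:-192.168.1.20}             # assumption: Apache box
DRY_RUN=${DRY_RUN:-1}                # 1 = print commands, 0 = apply them (root)

# Print or run one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# jdow's point: without this the kernel routes nothing between interfaces,
# whatever the rules say.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Jack Bowling's point: with a DROP policy on FORWARD every forwarded flow
# needs an explicit rule. Reply traffic is covered once, by connection state.
base_forward_policy() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Internet -> EXTIP:80 -> WWW:80. The LOG rule sits ahead of the ACCEPT, as
# Mike Vanecek suggests, rate-limited so it cannot flood the log.
forward_http() {
    ipt -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WWW:80"
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$WWW" -p tcp --dport 80 \
        -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "fw-http: "
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$WWW" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
}

# LAN client -> EXTIP:80. DNAT alone is not enough here: the server would
# answer the client directly from 192.168.1.20, and the client, waiting on a
# reply from EXTIP, would discard it. MASQUERADE on the way to the server
# makes the router the apparent client, so the reply comes back through the
# router and conntrack undoes both rewrites.
hairpin_http() {
    ipt -t nat -A PREROUTING -i "$INTIF" -s "$INTNET" -d "$EXTIP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WWW:80"
    ipt -t nat -A POSTROUTING -o "$INTIF" -s "$INTNET" -d "$WWW" -p tcp --dport 80 \
        -j MASQUERADE
    ipt -A FORWARD -i "$INTIF" -o "$INTIF" -s "$INTNET" -d "$WWW" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
}

# What Tomas looked at: per-rule packet counters. A counter climbing on the
# DNAT rule but not on the FORWARD ACCEPT points at the FORWARD chain.
show_counters() {
    ipt -t nat -L PREROUTING -v -n
    ipt -L FORWARD -v -n
}

case "${1:-}" in
    show|apply)
        [ "$1" = apply ] && DRY_RUN=0
        enable_forwarding
        base_forward_policy
        forward_http
        hairpin_http
        show_counters
        ;;
esac
```

Run it as "sh fw.sh show" to review the rule set, "sh fw.sh apply" as root to load it. Two consequences of the hairpin rules are worth knowing before choosing them over split DNS: Apache's access_log will show the router's LAN address, not the real client, for every hairpinned request, and the INPUT rules in Tomas's script are untouched because forwarded traffic never traverses INPUT.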
