This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
To: psyche-list@listman.redhat.com
From: "Tomas Larsson" <larssontomas@telia.com>
Subject: Problem with IPtables
Date: Thu, 13 Mar 2003 04:05:23 +0100

Hi group.

I have some problems setting up iptables.

Background:
RH8 box as firewall and router.
Second RH8 box as apache server

I can reach the www-server from the internal network, but not from the internet.
My script looks basically like this, what am I missing?

$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -t nat -I PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 80 -j DNAT --to 192.168.x.x:80

===

To: psyche-list@listman.redhat.com
From: "jdow" <jdow@earthlink.net>
Subject: Re: Problem with IPtables
Date: Wed, 12 Mar 2003 19:20:44 -0800

From: "Tomas Larsson" <larssontomas@telia.com>

> $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
> $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
> $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
> $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
>
> $IPTABLES -t nat -I PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 80 -j DNAT
> --to 192.168.x.x:80

Add:

echo "1" > /proc/sys/net/ipv4/ip_forward

{^_^}

===

To: psyche-list@listman.redhat.com
From: "J. M. Brenner" <doom@kzsu.stanford.edu>
Subject: Re: Problem with IPtables
Date: Wed, 12 Mar 2003 23:26:38 -0800

"Tomas Larsson" <larssontomas@telia.com> wrote:

> I have some problems setting up iptables.
> Background: RH8 box as firewall and router.
> Second RH8 box as apache server
> I can reach the www-server from the internal network, but not from internet.

I suggest installing "gShield", and using it to configure iptables. It's essentially a shell script with a heavily commented, easy-to-use configuration file. You fill in the values (like, should HTTP be OPEN or FORWARD?), run the script and it works. I threw it in my /etc/rc.d/rc.local to make it permanent.

I wouldn't blame you if you wanted to keep plugging away at understanding how to do it yourself... I blew a week or so trying to understand the current state of linux network admin before I "copped out" and went to gShield. I wish I'd done it sooner.

===

To: psyche-list@listman.redhat.com
From: "Tomas Larsson" <larssontomas@telia.com>
Subject: SV: Problem with IPtables
Date: Thu, 13 Mar 2003 12:43:47 +0100

> J. M. Brenner wrote:
> "Tomas Larsson" <larssontomas@telia.com> wrote:
>
> > I have some problems setting up iptables.
> > Background: RH8 box as firewall and router.
> > Second RH8 box as apache server
> > I can reach the www-server from the internal network, but not from
> > internet.
>
> I suggest installing "gShield", and using it to configure
> iptables. It's essentially a shell script with a heavily
> commented, easy-to-use configuration file. You fill in
> the values (like, should HTTP be OPEN or FORWARD?), run
> the script and it works. I threw it in my
> /etc/rc.d/rc.local to make it permanent.
>
> I wouldn't blame you if you wanted to keep plugging away
> at understanding how to do it yourself... I blew a week
> or so trying to understand the current state of linux
> network admin before I "copped out" and went to gShield.
> I wish I'd done it sooner.

Thanx.
I've obtained gShield.

But there is still the same problem.
I can ping all machines on internal network with IP or HOST.
I can ping external hosts.
I can ping my external IP and domain
I can connect to Apache from within internal network with internal IP or host
I can connect to external web servers.

Everything is working

Except

I cannot connect to apache with domain or external IP

When I do a iptables -L -v -n (-t nat) I can see that packets are forwarded to Apache, but nothing more happens.

Is there something more and obvious I am missing?

===

To: psyche-list@listman.redhat.com
From: "Mike Vanecek" <rh_lists@mm-vanecek.com>
Subject: Re: SV: Problem with IPtables
Date: Thu, 13 Mar 2003 10:22:42 -0600

On Thu, 13 Mar 2003 12:43:47 +0100, Tomas Larsson wrote

> Thanx.
> I've obtained gShield.
>
> But there is still the same problem.
> I can ping all machines on internal network with IP or HOST.
> I can ping external hosts.
> I can ping my external IP and domain
> I can connect to Apache from within internal network with internal
> IP or host I can connect to external web servers.
>
> Everything is working
>
> Except
>
> I cannot connect to apache with domain or external IP
>
> When I do a iptables -L -v -n (-t nat) I can see that packets are forwarded
> to Apache, but nothing more happens.
>
> Is there something more and obvious I am missing

Put in a -j LOG for port 80 and log all incoming 80 packets (this needs to be before the -j ACCEPT for 80) for the interface that is passing packets to the server.

What do the /var/log/httpd/access_log and error_log tell you?

You have checked /etc/hosts.deny?

Run Apache in debug mode to see that the packets are indeed being routed to Apache?

===

To: psyche-list@listman.redhat.com
From: Jack Bowling <jbinpg@shaw.ca>
Subject: Re: SV: Problem with IPtables
Date: Thu, 13 Mar 2003 08:25:52 -0800

** Reply to message from Tomas Larsson <larssontomas@telia.com> on Thu, 13 Mar 2003 12:43:47 +0100

> Thanx.
> I've obtained gShield.
>
> But there is still the same problem.
> I can ping all machines on internal network with IP or HOST.
> I can ping external hosts.
> I can ping my external IP and domain
> I can connect to Apache from within internal network with internal IP or
> host
> I can connect to external web servers.
>
> Everything is working
>
> Except
>
> I cannot connect to apache with domain or external IP

What is your default FORWARD policy? If it is DROP then you need to specifically allow packets both ways.

/sbin/iptables -L -v -n | grep FORWARD

===

To: psyche-list@listman.redhat.com
From: "Tomas Larsson" <larssontomas@telia.com>
Subject: SV: SV: Problem with Iptables// SOLVED
Date: Thu, 13 Mar 2003 18:00:35 +0100

My apologies to all of you.

It actually works, I didn't look in the HTTPD-logs until now, and yes it works.

It is my own fault totally.

Previously I had the server on the same box as the firewall, but since I need some bandwidth limiting, the only way of doing it was to move the server to a different box and shape that box.

Now, previously when I accessed the server from within the internal network, I've just typed the external IP or domain name, and off it went. But now I can't access the server that way, only by its internal IP or host name. But from outside there is full access as it should be. Tested with a normal dial-up and it worked OK.

But thanks anyway for your patience with a stupid not-thinking Viking.

===
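The thread ends with two things worth spelling out in one place: the checks for a DNAT forward where "packets are forwarded but nothing more happens" (ip_forward, the FORWARD policy, a LOG rule ahead of the ACCEPT), and the reason the last message gives for the remaining LAN-side failure, a client on the internal network reaching the server through the external address, which needs hairpin NAT because a plain DNAT on the external interface never sees that traffic. The script below is an added example, not code from the thread or from gShield; the interface names, addresses and rule layout are assumptions chosen for illustration, and `-m conntrack --ctstate` is the current spelling of the thread's `-m state --state` (with the extra DNAT virtual state used in step 4).

```shell
#!/bin/sh
# Added example, not from the thread: DNAT port forward for a web server
# behind a Linux router, including the pieces that are easy to miss:
# ip_forward, FORWARD rules for the rewritten packets, a LOG rule for
# diagnosis, and hairpin NAT for LAN clients that use the public address.
# Every name and address below is an assumption for illustration.
set -eu

EXTIF=eth0                  # assumed external interface
INTIF=eth1                  # assumed internal interface
EXTIP=203.0.113.5           # assumed public address (RFC 5737 range)
INTNET=192.168.1.0/24       # assumed LAN
ROUTER_INTIP=192.168.1.1    # assumed router address on the LAN
WEBSRV=192.168.1.10         # assumed Apache box
IPT=${IPT:-iptables}

# With DRY_RUN set, print each command instead of executing it, so the
# rule set can be reviewed (or tested) without root or a live firewall.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

port_forward_rules() {
    # 1. The kernel must route between interfaces at all; with this off a
    #    DNAT rule still shows counter hits but the packet goes nowhere.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Rewrite the destination of inbound :80 arriving on the external side.
    run "$IPT" -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEBSRV:80"

    # 3. After DNAT the packet traverses FORWARD, not INPUT. A DROP policy on
    #    FORWARD therefore needs explicit allows: new connections toward the
    #    server, and replies (plus anything else already established) back.
    run "$IPT" -P FORWARD DROP
    run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$WEBSRV" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # 4. Hairpin NAT: a LAN client connecting to $EXTIP. DNAT it on the
    #    internal interface as well, and SNAT the source to the router's LAN
    #    address so the server replies through the router. Without the SNAT
    #    the server answers the client directly from its own address, and the
    #    client discards a reply from a host it never connected to.
    run "$IPT" -t nat -A PREROUTING -i "$INTIF" -s "$INTNET" -d "$EXTIP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEBSRV:80"
    run "$IPT" -t nat -A POSTROUTING -o "$INTIF" -s "$INTNET" -d "$WEBSRV" -p tcp --dport 80 \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$ROUTER_INTIP"
    run "$IPT" -A FORWARD -i "$INTIF" -o "$INTIF" -d "$WEBSRV" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # 5. Log new connections headed for the server, inserted at the top of
    #    FORWARD so they are recorded before any ACCEPT ends traversal.
    run "$IPT" -I FORWARD 1 -o "$INTIF" -d "$WEBSRV" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j LOG --log-prefix "fwd-http: "
}

# The checks to run when "packets are forwarded but nothing more happens".
verify() {
    run sysctl net.ipv4.ip_forward
    run "$IPT" -L FORWARD -v -n             # policy line plus per-rule counters
    run "$IPT" -t nat -L PREROUTING -v -n   # DNAT hit counters
    run "$IPT" -t nat -L POSTROUTING -v -n  # hairpin SNAT hit counters
}

# Apply only when invoked as: sh forward.sh apply
# (run DRY_RUN=1 sh -c '. ./forward.sh; port_forward_rules' to just print)
if [ "${1:-}" = apply ]; then
    port_forward_rules
    verify
fi
```

Two consequences worth knowing before copying this. Internet clients keep their real source address through the DNAT, so Apache's access_log shows them as-is; hairpinned LAN clients arrive with the router's LAN address as source because of the SNAT in step 4, which is why those connections look like they come from the router. If that bothers logging or access control, the alternative is split-horizon DNS that resolves the domain to the server's internal address for LAN clients, which removes the need for the hairpin rules entirely.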