Linux IPTables / routing issue
Posted
by Jon
on Server Fault
See other posts from Server Fault
or by Jon
Published on 2010-02-28T23:10:31Z
Indexed on
2010/03/08
20:51 UTC
Read the original article
Hit count: 609
Hi all,
EDIT 1/3/10 22:00 GMT - rewrote some of it after further investigation
It has been a while since I looked at IPtables and I seem to be worse than before as I can not seem to get my webserver online. Below is my firewall rules on the gateway server that is running the dhcp server accessing the net. The webserver is inside my network on a static IP (192.168.0.98, default port).
When I use Nmap or GRC.com I see that port 80 is open on the gateway server but when I browse to it, (via public URL. http://www.houseofhawkins.com) it always fails with a connection error, (nmap cannot connect and figure out what the web server is either).
I can nmap the webserver and browse to it just fine via same IP inside my network. I believe it is my IPTable rules that are not letting it through.
Internally I can route all my requests. Each machine can browse to the website and traffic works just fine. I can MSTSC / ssh to all the webservers internally and they inturn can connect to the web.
IPTABLE:
*EDIT - Added new firewall rules 2/3/10 *
#!/bin/sh
iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
depmod="/sbin/depmod"
EXTIF="eth2"
INTIF="eth1"
load () {
$depmod -a
$modprobe ip_tables
$modprobe ip_conntrack
$modprobe ip_conntrack_ftp
$modprobe ip_conntrack_irc
$modprobe iptable_nat
$modprobe ip_nat_ftp
echo "enable forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "enable dynamic addr"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# start firewall
# default policies
$iptables -P INPUT DROP
$iptables -F INPUT
$iptables -P OUTPUT DROP
$iptables -F OUTPUT
$iptables -P FORWARD DROP
$iptables -F FORWARD
$iptables -t nat -F
#echo " Opening loopback interface for socket based services."
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
#echo " Allow all connections OUT and only existing and related ones IN"
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o $EXTIF -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
#echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A OUTPUT -o $INTIF -j ACCEPT
#echo " Allowing packets with ICMP data (i.e. ping)."
$iptables -A INPUT -p icmp -j ACCEPT
$iptables -A OUTPUT -p icmp -j ACCEPT
$iptables -A INPUT -p udp -i $INTIF --dport 67 -m state --state NEW -j ACCEPT
#echo " Port 137 is for NetBIOS."
$iptables -A INPUT -i $INTIF -p udp --dport 137 -j ACCEPT
$iptables -A OUTPUT -o $INTIF -p udp --dport 137 -j ACCEPT
#echo " Opening port 53 for DNS queries."
$iptables -A INPUT -p udp -i $EXTIF --sport 53 -j ACCEPT
#echo " opening Apache webserver"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.0.96:80
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.0.96 --dport 80 -j ACCEPT
}
flush () {
echo "flushing rules..." $iptables -P FORWARD ACCEPT
$iptables -F INPUT
$iptables -P INPUT ACCEPT
echo "rules flushed"
}
case "$1" in
start|restart)
flush
load
;;
stop)
flush
;;
*)
echo "usage: start|stop|restart."
;;
esac
exit 0
route info:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
5e0412a6.bb.sky * 255.255.255.255 UH 0 0 0 eth2
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
default 5e0412a6.bb.sky 0.0.0.0 UG 100 0 0 eth2
ifconfig:
eth1 Link encap:Ethernet HWaddr 00:22:b0:cf:4a:1c
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::222:b0ff:fecf:4a1c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:79023 errors:0 dropped:0 overruns:0 frame:0
TX packets:57786 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11580918 (11.5 MB) TX bytes:22872030 (22.8 MB)
Interrupt:17 Base address:0x2b00
eth2 Link encap:Ethernet HWaddr 00:0c:f1:7c:45:5b
inet addr:94.4.18.166 Bcast:94.4.18.166 Mask:255.255.255.255
inet6 addr: fe80::20c:f1ff:fe7c:455b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:57038 errors:0 dropped:0 overruns:0 frame:0
TX packets:34532 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21631721 (21.6 MB) TX bytes:7685444 (7.6 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1517 (1.5 KB) TX bytes:1517 (1.5 KB)
EDIT
OK so as requested I will try and expand on my infrastructure:
I previously had it setup with a Sky broadband modem router that did the DHCP and I used its web interface to port forward the web across to the web server. The network looked something like this:
I have now replaced the sky modem with a dlink modem which gives the IP to the gateway server that now does the DHCP. It looks like:
The internet connection is a standard broadband connection with a dynamic IP, (use zoneedit.com to keep it updated).
I have tried it on each of the webservers(one Ubuntu Apache server and one WS2008 IIS7).
I think there must also be an issue with my IPTable rules as it can route to my win7 box which has the default IIS7 page and that would not display when I forwarded all port 80 to it.
I would be really grateful for any and all help with this.
Thanks
Jon
© Server Fault or respective owner
