Linux IPTables / routing issue

Posted by Jon on Server Fault
Published on 2010-02-28T23:10:31Z (indexed 2010/03/08 20:51 UTC)

Hi all,

EDIT 1/3/10 22:00 GMT - rewrote some of it after further investigation

It has been a while since I looked at IPtables and I seem to be worse than before, as I cannot seem to get my webserver online. Below are my firewall rules on the gateway server that is running the DHCP server accessing the net. The webserver is inside my network on a static IP (, default port).

When I use Nmap or I see that port 80 is open on the gateway server, but when I browse to it (via public URL) it always fails with a connection error (nmap cannot connect and figure out what the web server is either).

I can nmap the webserver and browse to it just fine via same IP inside my network. I believe it is my IPTable rules that are not letting it through.

Internally I can route all my requests. Each machine can browse to the website and traffic works just fine. I can MSTSC / ssh to all the webservers internally and they in turn can connect to the web.


EDIT - Added new firewall rules 2/3/10

#!/bin/sh
# The post used $iptables, $modprobe, $depmod, $EXTIF and $INTIF without
# showing their definitions. The interface assignment below is inferred from
# the route table further down (default route via eth2, LAN on eth1).
iptables=/sbin/iptables
modprobe=/sbin/modprobe
depmod=/sbin/depmod
EXTIF=eth2          # upstream (modem) side
INTIF=eth1          # LAN side
# The web server's static IP was stripped from the post; placeholder only.
WEBSERVER="<webserver-ip>"

load () {

  $depmod -a

  $modprobe ip_tables
  $modprobe ip_conntrack
  $modprobe ip_conntrack_ftp
  $modprobe ip_conntrack_irc
  $modprobe iptable_nat
  $modprobe ip_nat_ftp

  echo "enable forwarding.."
  echo "1" > /proc/sys/net/ipv4/ip_forward
  echo "enable dynamic addr"
  echo "1" > /proc/sys/net/ipv4/ip_dynaddr

  # start firewall

  # default policies
  $iptables -P INPUT DROP
  $iptables -F INPUT
  $iptables -P OUTPUT DROP
  $iptables -F OUTPUT
  $iptables -P FORWARD DROP
  $iptables -F FORWARD
  $iptables -t nat -F

  #echo "   Opening loopback interface for socket based services."
  $iptables -A INPUT -i lo -j ACCEPT
  $iptables -A OUTPUT -o lo -j ACCEPT

  #echo "   Allow all connections OUT and only existing and related ones IN"
  $iptables -A INPUT -i $INTIF -j ACCEPT
  $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $iptables -A OUTPUT -o $EXTIF -j ACCEPT
  $iptables -A OUTPUT -o $INTIF -j ACCEPT
  $iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
  $iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

  #echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
  $iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

  #echo "   Allowing packets with ICMP data (i.e. ping)."
  $iptables -A INPUT -p icmp -j ACCEPT
  $iptables -A OUTPUT -p icmp -j ACCEPT

  # DHCP requests from the LAN
  $iptables -A INPUT -p udp -i $INTIF --dport 67 -m state --state NEW -j ACCEPT

  #echo "   Port 137 is for NetBIOS."
  $iptables -A INPUT -i $INTIF -p udp --dport 137 -j ACCEPT
  $iptables -A OUTPUT -o $INTIF -p udp --dport 137 -j ACCEPT

  #echo "   Opening port 53 for DNS queries."
  $iptables -A INPUT -p udp -i $EXTIF --sport 53 -j ACCEPT

  #echo "   opening Apache webserver"
  $iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to $WEBSERVER
  $iptables -A FORWARD -p tcp -m state --state NEW -d $WEBSERVER --dport 80 -j ACCEPT

  # LOG is non-terminating, so these must come after every ACCEPT rule or
  # accepted packets get logged as dropped too. Anything reaching them then
  # falls through to the DROP policy.
  $iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
  $iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
  $iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
}

flush () {

  echo "flushing rules..."
  $iptables -P INPUT ACCEPT
  $iptables -P OUTPUT ACCEPT
  $iptables -P FORWARD ACCEPT
  $iptables -F INPUT
  $iptables -F OUTPUT
  $iptables -F FORWARD
  $iptables -t nat -F
  echo "rules flushed"
}

case "$1" in
  start)   load ;;
  stop)    flush ;;
  restart) flush; load ;;
  *)       echo "usage: $0 start|stop|restart."; exit 1 ;;
esac

exit 0

route info:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                *                               UH    0      0        0 eth2
                *                               U     0      0        0 eth1
default                                         UG    100    0        0 eth2


eth1      Link encap:Ethernet  HWaddr 00:22:b0:cf:4a:1c
      inet addr:  Bcast:  Mask:
      inet6 addr: fe80::222:b0ff:fecf:4a1c/64 Scope:Link
      RX packets:79023 errors:0 dropped:0 overruns:0 frame:0
      TX packets:57786 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:11580918 (11.5 MB)  TX bytes:22872030 (22.8 MB)
      Interrupt:17 Base address:0x2b00

eth2      Link encap:Ethernet  HWaddr 00:0c:f1:7c:45:5b
      inet addr:  Bcast:  Mask:
      inet6 addr: fe80::20c:f1ff:fe7c:455b/64 Scope:Link
      RX packets:57038 errors:0 dropped:0 overruns:0 frame:0
      TX packets:34532 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:21631721 (21.6 MB)  TX bytes:7685444 (7.6 MB)

lo        Link encap:Local Loopback
      inet addr:  Mask:
      inet6 addr: ::1/128 Scope:Host
      UP LOOPBACK RUNNING  MTU:16436  Metric:1
      RX packets:16 errors:0 dropped:0 overruns:0 frame:0
      TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:1517 (1.5 KB)  TX bytes:1517 (1.5 KB)


OK so as requested I will try and expand on my infrastructure:

I previously had it set up with a Sky broadband modem router that did the DHCP and I used its web interface to port forward the web across to the web server. The network looked something like this:

Layout Graphic

I have now replaced the Sky modem with a D-Link modem which gives the IP to the gateway server that now does the DHCP. It looks like:

Layout Graphic

The internet connection is a standard broadband connection with a dynamic IP, (use to keep it updated).

I have tried it on each of the webservers (one Ubuntu Apache server and one WS2008 IIS7).

I think there must also be an issue with my IPTable rules as it can route to my win7 box which has the default IIS7 page and that would not display when I forwarded all port 80 to it.

I would be really grateful for any and all help with this.
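Added example, not part of Jon's post or his script. The three LOG rules in the posted script all write with the same prefix, "Dropped by firewall: ", at log level 7, so the kernel log is the quickest place to see which chain is discarding the inbound web traffic. The function below summarises such lines from stdin: it recovers the chain from the IN=/OUT= fields (both filled in means FORWARD, only IN means INPUT, only OUT means OUTPUT) and counts entries by interface pair, protocol and destination. The sample log lines are constructed; the interface names follow the post's route table (eth2 upstream, eth1 LAN) and the addresses are documentation-range placeholders, not values from the post.

```shell
#!/bin/sh
# Constructed sample: kernel log lines in the format the posted script's
# `-j LOG --log-prefix "Dropped by firewall: "` rules produce. Interfaces
# follow the post (eth2 upstream, eth1 LAN); addresses are RFC 5737 placeholders.
SAMPLE_LOG='Feb 28 22:01:02 gw kernel: [101.000000] Dropped by firewall: IN=eth2 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 28 22:01:03 gw kernel: [102.000000] Dropped by firewall: IN=eth2 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 28 22:01:04 gw kernel: [103.000000] Dropped by firewall: IN=eth2 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 28 22:01:05 gw kernel: [104.000000] Dropped by firewall: IN=eth2 OUT= SRC=203.0.113.20 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=4 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 28 22:01:06 gw kernel: [105.000000] Dropped by firewall: IN=eth2 OUT= SRC=203.0.113.21 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=5 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 28 22:01:07 gw kernel: [106.000000] Dropped by firewall: IN= OUT=eth2 SRC=198.51.100.7 DST=192.0.2.53 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Feb 28 22:01:08 gw kernel: unrelated message, ignored'

# Summarise "Dropped by firewall:" lines read from stdin: one output line per
# chain / interface pair / protocol / destination, most frequent first.
summarize_fw_log() {
    awk '
    /Dropped by firewall: / {
        iface_in = ""; iface_out = ""; proto = "-"; dst = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if      (kv[1] == "IN")    iface_in  = kv[2]
            else if (kv[1] == "OUT")   iface_out = kv[2]
            else if (kv[1] == "PROTO") proto     = kv[2]
            else if (kv[1] == "DST")   dst       = kv[2]
            else if (kv[1] == "DPT")   dpt       = kv[2]
        }
        # All three LOG rules in the posted script share one prefix, so the
        # chain is recovered from which interface fields are filled in.
        if (iface_in != "" && iface_out != "") chain = "FORWARD"
        else if (iface_in != "")               chain = "INPUT"
        else                                   chain = "OUTPUT"
        key = chain " in=" (iface_in == "" ? "-" : iface_in) " out=" (iface_out == "" ? "-" : iface_out)
        key = key " " proto " " dst ":" dpt
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Run on the constructed sample; on the gateway, pipe `dmesg` in instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

On the gateway the function is fed the live log, for example `dmesg | summarize_fw_log` (level-7 messages are debug level, so the kernel or syslog log level may need raising before they appear). A FORWARD entry with DPT=80 and in=eth2 means the DNAT'd packet reached the firewall but no FORWARD ACCEPT matched it before the LOG rule; an absence of any eth2 entries for port 80 points upstream of iptables (the modem, or the DNAT rule never matching) rather than at the FORWARD rules.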
