I have been trying to forward port 80 requests to a
second machine. The firewall machine runs Red Hat 7.2 with the default kernel,
which I think is 2.4.10. It contains two network interfaces: eth0, which is
assigned a routable internet address, and eth1, which is assigned an internal
non-routable address. I have confirmed that the firewall is accepting port 80
requests on the external interface, as I can successfully run Apache on it
without the firewall running. After the iptables script has been executed,
port 80 requests are not returned at all, indicating that the request went
somewhere. Could someone please assist, as I have read the howtos, manuals and
Robert Ziegler's latest edition of 'Linux Firewalls', but I'm getting nowhere.
I have included the entire script below; any assistance would be greatly
appreciated.
Thanks,
Scott
#!/bin/sh
IPTABLES="iptables"

#Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using iptables
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented out from loading.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
#/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
#/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to play
# Quake I, II, and III, use the second example.
#
# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
# ----- kernel that has bugs in it. Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDOLive video conferencing software
#
#/sbin/modprobe ip_masq_vdolive

# Netfilter modules (a 2.4 kernel with module autoloading pulls these in on
# demand when the iptables command first touches each table)
#/sbin/modprobe ip_conntrack
#
/sbin/modprobe ip_tables
#/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe iptable_nat
#/sbin/modprobe ipt_LOG

#CRITICAL: Enable IP forwarding since it is disabled by default
#
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
#
#       FORWARD_IPV4=false
#             to
#       FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following
# option. This enables dynamic-ip address hacking in IP MASQ, making the life
# with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
#$IPTABLES -M -S 7200 10 160

# DHCP: For people who receive their external IP address from either DHCP or BOOTP
# such as ADSL or Cablemodem users, it is necessary to use the following
# before the deny command. The "bootp_client_net_if_name" should be replaced
# the name of the link that the DHCP/BOOTP server will put an address on to?
# This will be something like "eth0", "eth1", etc.
#
# This example is currently commented out.
#
#
#/usr/sbin/iptables -A INPUT -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp

# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example for an internal LAN address in the 192.168.0.x
# network with a 255.255.255.0 or a "24" bit subnet mask.
#
# Please change this network number and subnet mask to match your internal LAN setup
#
#symbolics
EXTERNAL_INTERFACE="eth0"
INTERNAL_INTERFACE="eth1"
LOOPBACK_INTERFACE="lo"
IPADDR="203.89.239.135"
IPADDR_INT="192.168.0.81"
ANYWHERE="any/0"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

echo "starting firewall"

#Flush existing rules
$IPTABLES -F
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t filter -X
$IPTABLES -t nat -X

#################################################################################
# Default chains section                                                        #
#################################################################################
#Allow all, then selective allows then drop everything else
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#echo "Enabling PORTFW Redirection on the external LAN.."
#
# This will forward ALL port 80 traffic from the external IP address
# to port 80 on the 192.168.0.60 machine
#
#
PORTFWIP="192.168.0.60"

# Rewrite the destination of inbound port 80 packets before routing (DNAT)
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp \
    --sport 1024:65535 -d $IPADDR --dport 80 -j DNAT --to-destination $PORTFWIP

# The FORWARD chain sees the packet after DNAT, so it matches the internal address
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp \
    --sport 1024:65535 -d $PORTFWIP --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
- RE: Trying to forward port 80 to an internal server Scott Adamson
- RE: Trying to forward port 80 to an internal server Jean-Robert WIAME
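The port-80 DNAT forward discussed in the thread, as an added example that is not the poster's script and not taken from the HOWTO or book the script is derived from. Interface names and addresses are assumed for illustration (they mirror the values in the post); the DRY_RUN and SNAT_REPLIES switches and the function names are this example's own. It shows the minimum a DNAT forward needs on a 2.4-era netfilter box: ip_forward on, the PREROUTING DNAT, FORWARD rules that match the post-translation address, and a return path through the firewall so conntrack can undo the translation on the reply. The reply path is the usual silent failure: if the internal web server's default gateway is not the firewall's internal address, its replies never pass back through the box, the DNAT is never reversed, and the client just times out; SNATing the forwarded connections to the firewall's internal address forces the replies back, at the cost of the web server seeing the firewall as the client.

```shell
#!/bin/sh
# Added example, not the original poster's script. Minimal port-80 DNAT
# forward for an iptables firewall with one external and one internal
# interface. All values below are assumptions for illustration.

EXT_IF="${EXT_IF:-eth0}"                 # assumed external interface
INT_IF="${INT_IF:-eth1}"                 # assumed internal interface
EXT_ADDR="${EXT_ADDR:-203.89.239.135}"   # assumed public address
INT_ADDR="${INT_ADDR:-192.168.0.81}"     # assumed firewall LAN address
WEB_HOST="${WEB_HOST:-192.168.0.60}"     # assumed internal web server
WEB_PORT="${WEB_PORT:-80}"

# DRY_RUN=1 prints the commands instead of running them, so the rule set
# can be reviewed (and tested) on a box without root or iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

enable_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Install (or, in dry-run mode, print) the rules that forward
# EXT_ADDR:WEB_PORT to WEB_HOST:WEB_PORT.
port_forward_rules() {
    enable_forwarding
    ipt -t nat -F
    ipt -F FORWARD
    # Nothing is forwarded unless a rule below allows it.
    ipt -P FORWARD DROP
    # 1. Rewrite the destination before the routing decision, so the packet
    #    is routed to the internal host instead of being delivered locally.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_ADDR" --dport "$WEB_PORT" \
        -j DNAT --to-destination "$WEB_HOST:$WEB_PORT"
    # 2. FORWARD runs after DNAT: match the internal address, not the public one.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_HOST" --dport "$WEB_PORT" \
        -m state --state NEW -j ACCEPT
    # 3. Replies and related traffic for accepted connections, both directions.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Replies must come back through this box for conntrack to reverse the
    #    DNAT. If WEB_HOST's default gateway is not INT_ADDR, SNAT the forwarded
    #    connections so the server answers to the firewall (it then logs
    #    INT_ADDR rather than the real client address).
    if [ "${SNAT_REPLIES:-0}" = "1" ]; then
        ipt -t nat -A POSTROUTING -o "$INT_IF" -p tcp -d "$WEB_HOST" --dport "$WEB_PORT" \
            -j SNAT --to-source "$INT_ADDR"
    fi
}

# Number of append rules a dry run produces (quick self-check).
count_rules() {
    ( DRY_RUN=1; port_forward_rules ) | grep -c ' -A '
}

# Checks to run on the real firewall after loading the rules:
#   cat /proc/sys/net/ipv4/ip_forward      # must print 1
#   iptables -t nat -L PREROUTING -n -v    # DNAT rule, packet counter rising
#   iptables -L FORWARD -n -v              # ACCEPT counters rising on a request
#   (on WEB_HOST) route -n                 # default gateway should be INT_ADDR

if [ "${1:-}" = "--dry-run" ]; then
    DRY_RUN=1
    port_forward_rules
fi
```

Run it as `sh forward80.sh --dry-run` to see the exact commands before applying them as root; the counters shown by `iptables -L FORWARD -n -v` tell you whether a request is being translated and forwarded or dying before the FORWARD chain.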
