Hi Everyone,
I'm trying to allow my users who's connected on my lan to connect to my
internet web server.
My web server and my clients are behind my firewall (netfilter kernel
2.4.9). My firewall preroute any packet to his ip to the local web server ip
( 192.168.1.1 to -> 192.168.1.4 (webserver) ). When my clients try to
access the web server's domain, (which has an internet ip), it says
connection refused, just like if the forwarding was not done adequately when
access the web server from the internet by my users. When I try to access my
domain from the internet ( like from another isp or connection ) it works
perfectly.. I suspect my netfilter rules are not good.. if someone could
help me on this one I would appreciate..
NOTE: my web server, firewall and client workstations are not on the same
machine.
Here's the firewall rules (using iptables 1.2.3) :
#!/bin/sh
# Script FIREWALL
modprobe=/sbin/modprobe
/sbin/depmod -a
$modprobe iptable_nat
$modprobe ip_tables
$modprobe ip_conntrack
$modprobe ip_conntrack_ftp
$modprobe ipt_MASQUERADE
iptables=/sbin/iptables
WEBSERVER_IP=192.168.1.4
WANDEV=eth0
INTDEV=eth1
INTADDRESS=`/sbin/ifconfig $INTDEV | grep "inet addr" | awk '{print $2}' |
cut -c6-20`
INTNETMASK=192.168.1.0/255.255.255.0
WANADDRESS=`/sbin/ifconfig $WANDEV | grep "inet addr" | awk '{print $2}' |
cut -c6-20`
echo "L'addresse interne est : $INTADDRESS et l'addresse internet est :
$WANADDRESS"
#Flush tous les regles
flush() {
echo "Je flush tous les regles"
$iptables -t nat -F PREROUTING
$iptables -t nat -F POSTROUTING
$iptables -t nat -F OUTPUT
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -F FORWARD
}
allow_server_connections() {
# allowing my lan clients to connect to my domain and get redirected to the
local one..
$iptables -t nat -A PREROUTING -s $INTNETMASK --dst
www.mydomain.com --protocol tcp --destination-port 80 -j
DNAT --to-destination $WEBSERVER_IP:80
# allowing pop server connection
$iptables -t nat -A PREROUTING -i $WANDEV -p tcp -d $WANADDRESS --dport
110 -j DNAT --to-destination $WEBSERVER_IP:110
# allowing web server connection
$iptables -t nat -A PREROUTING -i $INTDEV -p tcp -d $WANADDRESS --dport
80 -j DNAT --to-destination $WEBSERVER_IP:80
$iptables -t nat -A PREROUTING -i $WANDEV -p tcp -d $WANADDRESS --dport
80 -j DNAT --to-destination $WEBSERVER_IP:80
# allowing jabber server connection
$iptables -t nat -A PREROUTING -i $WANDEV -p tcp -d $WANADDRESS --dport
5222 -j DNAT --to-destination $WEBSERVER_IP:5222
# allowing clients to ftp to their sites
$iptables -t nat -A PREROUTING -i $WANDEV -p tcp -d $WANADDRESS --dport
21 -j DNAT --to-destination $WEBSERVER_IP:21
}
start() {
# call the flush function.. flushing rules
flush
echo "J'active nat.."
# call the allow... function.. allowing web server connections.. I suspect
this one is wrong
allow_web_server_connections
#Turn NAT on.
$iptables -t nat -A POSTROUTING -s $INTNETMASK -o $WANDEV -j MASQUERADE
echo "Activating ip forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$iptables -A INPUT -i $INTDEV -s 127.0.0.1 -j ACCEPT
$iptables -A FORWARD -i $INTDEV -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j
LOG --log-level 7 --log-prefix "IPT FORWARD packet died:"
}
case "$1" in
start)
start
;;
stop)
flush
;;
*)
echo "Usage firewall start | stop "
exit
esac
exit 0
Thanks in advance!
David Rainville
