* Newbie Question - Redirect traffic to internal Web server
From: Flávio Brito @ 2002-10-17 19:24 UTC (permalink / raw)
To: netfilter
Dear List
I have two servers in my net, one with a valid IP. I want to redirect all
the HTTP traffic (external -> internal) to my internal Web server. I'm
trying to learn iptables, but when I test my rules, sometimes when I try
to erase them it appears not to do what I want.
Questions
1)
I use this to erase my rules, but sometimes without success. Bug?
#erasing rules
iptables -F
iptables -F -t nat
iptables -X
iptables -X -t nat
iptables -Z
iptables -Z -t nat
2) To redirect the traffic to my internal server, must I have a DNS server on my
FW? Or only redirect?
[FW]-eth0-> [200.179.213.245]------> Internet
|
|
|eth1 ->[192.168.1.1]
| ---------------> [Web Server ] 192.168.1.33
|----------------> [LAN Hosts] [192.168.1.2 to 192.168.1.100]
eth0-> 200.179.213.245
eth1-> 192.168.1.1
Can someone help me with these rules?
iptables -t nat -A POSTROUTING -s 192.168.1.10/24 -d any/0 -j MASQUERADE
iptables -A INPUT -p tcp -s 192.168.1.33 -d 0/0 --dport www -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.33 -d 0/0 --dport www -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d 0/0 --dport www -j REDIRECT
--to-port 80
Thanks
Flávio
* Re: Newbie Question - Redirect traffic to internal Web server
From: Antony Stone @ 2002-10-17 20:52 UTC (permalink / raw)
To: netfilter
On Thursday 17 October 2002 8:24 pm, Flávio Brito wrote:
> Dear List
>
> I have two servers in my net,one with a valid IP. I want to redirect all
> the HTTP Traffic(external -> internal) to my internal Web server I'm
> trying to learn iptables, but when I test my rules, sometimes when I try
> to erase them it appears not to do what I want.
What makes you think that clearing the rules is not working properly ?
> Questions
> 1) I use this to erase my rules, but sometimes without success. Bug?
> #erasing rules
> iptables -F
This will flush (erase) all the rules in the filter table of all your chains.
> iptables -F -t nat
This will flush all the rules in the nat table of all your chains.
After these two commands you should not have any rules left in your system
(unless you created any in the mangle table, which is unlikely....)
> iptables -X
This will delete all your user-defined chains.
> iptables -X -t nat
This command is not necessary.
> iptables -Z
This will zero the byte and packet counters in all chains. You may want to
do this, but it is nothing to do with clearing the rules.
> iptables -Z -t nat
This will zero the counters in the nat tables. Again this is nothing to do
with clearing the rules.
> 2) To redirect the traffic to my internal server I must have a DNS in my
> FW server? or only redirect?
DNS is irrelevant as far as redirecting packets is concerned. If DNS works
on your internal network as it is, nothing needs to be changed. Remember
that netfilter works on IP addresses, not hostnames, therefore there are no
DNS lookups required.
> [FW]-eth0-> [200.179.213.245]------> Internet
>
> |eth1 ->[192.168.1.1]
> | ---------------> [Web Server ] 192.168.1.33
> |----------------> [LAN Hosts] [192.168.1.2 to 192.168.1.100]
>
> eth0-> 200.179.213.245
> eth1-> 192.168.1.1
>
> Can someone help me with this rules?
>
> iptables -t nat -A POSTROUTING -s 192.168.1.10/24 -d any/0 -j MASQUERADE
Remove the "-d any/0". It is redundant and reduces legibility. This rule
will source translate all outgoing packets from your network to the Internet
to have the external address of your firewall (so that replies can come back).
> iptables -A INPUT -p tcp -s 192.168.1.33 -d 0/0 --dport www -j ACCEPT
> iptables -A OUTPUT -p tcp -s 192.168.1.33 -d 0/0 --dport www -j ACCEPT
You should not be using the INPUT & OUTPUT chains. These are only for
packets addressed to the firewall itself, or generated on the firewall,
respectively.
Instead you should use the FORWARD chain for packets going *through* your
firewall:
iptables -A FORWARD -p tcp --dport 80 -d 192.168.1.33 -j ACCEPT
(Note also the -d instead of -s : you want to allow packets going *to* the
web server, therefore it is the destination).
> iptables -A PREROUTING -t nat -p tcp -d 0/0 --dport www -j REDIRECT
> --to-port 80
REDIRECT is only for packets terminating on the firewall machine itself.
Try this instead:
iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j SNAT --to 192.168.1.33
Note I have added a "-i eth0" so that this rule applies only to packets coming
in via your external interface - otherwise all web requests from your
internal network to the Internet would get redirected to your internal server
as well (and that wouldn't work properly for other reasons I won't go into
now).
Finally you should have a default policy on your INPUT and FORWARD chains:
iptables -P INPUT DROP
iptables -P FORWARD DROP
and you want to allow reply packets to go through your firewall as well:
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
See how that works out :-)
Antony.
--
This is not a rehearsal.
This is Real Life.
* RE: Newbie Question - Redirect traffic to internal Web server
From: Aldo S. Lagana @ 2002-10-17 21:18 UTC (permalink / raw)
To: 'Antony Stone', netfilter
Antony, I am not very familiar with the use of SNAT for incoming web
connections; I use DNAT for my web servers. Is there any difference?
>
> On Thursday 17 October 2002 8:24 pm, Flávio Brito wrote:
>
> > Dear List
> >
> > I have two servers in my net,one with a valid IP. I want to
> redirect
> > all the HTTP Traffic(external -> internal) to my internal
> Web server
> > I'm trying to learn iptables, but when I test my rules,
> sometimes when
> > I try to erase them it appears not to do what I want.
>
>
> > [FW]-eth0-> [200.179.213.245]------> Internet
> >
> > |eth1 ->[192.168.1.1]
> > | ---------------> [Web Server ] 192.168.1.33
> > |----------------> [LAN Hosts] [192.168.1.2 to 192.168.1.100]
> >
> > eth0-> 200.179.213.245
> > eth1-> 192.168.1.1
> >
> > Can someone help me with this rules?
> >
> > iptables -t nat -A POSTROUTING -s 192.168.1.10/24 -d any/0 -j
> > MASQUERADE
>
> Remove the "-d any/0". It is redundant and reduces
> legibility. This rule
> will source translate all outgoing packets from your network
> to the Internet
> to have the external address of your firewall (so that
> replies can come back).
>
> > iptables -A INPUT -p tcp -s 192.168.1.33 -d 0/0 --dport www
> -j ACCEPT
> > iptables -A OUTPUT -p tcp -s 192.168.1.33 -d 0/0 --dport
> www -j ACCEPT
>
> You should not be using the INPUT & OUTPUT chains. These
> are only for
> packets addressed to the firewall itself, or generated on the
> firewall,
> respectively.
>
> Instead you should use the FORWARD chain for packets going
> *through* your
> firewall:
>
> iptables -A FORWARD -p tcp --dport 80 -d 192.168.1.33 -j ACCEPT
>
> (Note also the -d instead of -s : you want to allow packets
> going *to* the
> web server, therefore it is the destination).
>
> > iptables -A PREROUTING -t nat -p tcp -d 0/0 --dport www -j REDIRECT
> > --to-port 80
>
> REDIRECT is only for packets terminating on the firewall
> machine itself.
> Try this instead:
>
> iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j SNAT --to
> 192.168.1.33
for this I would:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -d 200.179.213.245 -j DNAT --to 192.168.1.33
along with the appropriate FORWARD rule.
I was again wondering if I was doing things wrong? It seems that if you
SNAT, then your WEB server won't know the client's IP address that was
accessing - all accesses would appear to be coming from the firewall.
* Re: Newbie Question - Redirect traffic to internal Web server
From: Antony Stone @ 2002-10-17 21:27 UTC (permalink / raw)
To: netfilter
On Thursday 17 October 2002 10:18 pm, Aldo S. Lagana wrote:
> Antony, I am not very familiar with the use of SNAT for incoming web
> connections; I use DNAT for my web servers. Is there any difference?
They are totally different, and I made a mistake in my suggested rule.
SNAT means Source Network Address Translation.
DNAT means Destination Network Address Translation.
SNAT changes the Source IP Address of packets; DNAT changes the Destination
IP Address.
You need to use the correct one depending on whether you want to change the
source address (ie where the reply is going to come back to) or the
destination address (ie where this packet itself is going).
If I understood your original question correctly, you want to change packets
coming in from the Internet to the external IP address of your firewall and
send them instead to your internal web server ?
If that is correct, you need to change the destination address of the
incoming packets so that instead of stopping on your firewall, they get
passed on to your internal web server, hence you need to use a DNAT rule.
Simply change the S for a D in the rule I posted earlier and it will be
correct :-)
Antony.
--
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.
- William Gibson, Neuromancer (1984)
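The thread's corrected rules, collected into one script: Antony's FORWARD rule and default policies, the state rule, Aldo's DNAT rule with "-d" on the public address, and a flush that covers every table. This is an added example, not code posted by anyone in the thread. It assumes the addresses from Flávio's diagram (eth0 = 200.179.213.245, eth1 = 192.168.1.1, web server 192.168.1.33); IPT and SYSCTL are hypothetical variables so the script can be dry-run with IPT=echo SYSCTL=echo before it is applied as root.

```shell
#!/bin/sh
# Firewall ruleset for the topology in the thread: eth0 = 200.179.213.245
# (Internet), eth1 = 192.168.1.1 (LAN), web server 192.168.1.33.
# Added example; none of this is code from the thread. IPT and SYSCTL are
# hypothetical knobs: set IPT=echo SYSCTL=echo to print the rules without
# applying them (dry run), then run as root with the defaults to apply.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
EXT_IF=eth0
EXT_IP=200.179.213.245
INT_IF=eth1
LAN_NET=192.168.1.0/24
WEB_SRV=192.168.1.33

fw_flush() {
    # -F and -X are per table, so each table is cleared separately.
    # -X only deletes a user chain that is empty and unreferenced, which is
    # why it must follow -F; -F does not reset a chain's policy (see fw_policy).
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
        $IPT -t "$t" -Z
    done
}

fw_policy() {
    # Packets that match no rule: drop what is addressed to the firewall or
    # passing through it, allow what the firewall itself originates.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

fw_rules() {
    # Return traffic for connections conntrack already knows, both for the
    # firewall itself and for traffic passing through it.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: a packet arriving from the Internet must not claim a LAN source.
    $IPT -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP

    # Inbound HTTP. Step 1, nat/PREROUTING: rewrite the destination from the
    # firewall's public address to the web server (DNAT, not SNAT or REDIRECT).
    # -i eth0 and -d EXT_IP keep LAN-originated web traffic out of this rule.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_SRV:80"
    # Step 2, filter/FORWARD: the filter table sees the post-DNAT destination,
    # so the ACCEPT matches on the web server, not on the public address.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_SRV" --dport 80 \
        -m state --state NEW -j ACCEPT

    # Outbound from the LAN, masqueraded behind the external interface's address.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

fw_apply() {
    fw_flush
    fw_policy
    fw_rules
    # Without forwarding enabled the DNATed packet is dropped after routing.
    $SYSCTL -w net.ipv4.ip_forward=1
}

fw_show() {
    # Counters confirm the path: the PREROUTING DNAT rule and the FORWARD
    # ACCEPT for the web server should both increment on an external request.
    $IPT -t nat -L PREROUTING -n -v
    $IPT -L FORWARD -n -v
}

# Dispatch only when given an action, so the file can also be sourced.
case "${1:-}" in
    apply) fw_apply ;;
    show)  fw_show ;;
esac
```

Two caveats before applying this on a remote box: nothing here opens INPUT for management, so add an ACCEPT for ssh from the LAN first or the INPUT DROP policy will lock you out; and LAN hosts connecting to the public address will not reach the web server through this DNAT rule (the reply would go straight back on the LAN and not through the firewall), which is the case Antony declined to go into.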
* Re: Newbie Question - starting iptables as a service
From: Mario Antonio @ 2002-10-17 22:34 UTC (permalink / raw)
To: netfilter
Hi,
I installed iptables v1.2.7a and uninstalled the old version through rpm -e
iptables.
It seems that it trashed my init.d/iptables script.
How can I start iptables as a service (Linux 7.3)?
How can I make iptables reload the rules?
Regards
---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]
* Re: Newbie Question - starting iptables as a service
From: Mario Antonio @ 2002-10-19 23:53 UTC (permalink / raw)
To: netfilter
Sundaram,
Thank you very much.
Mario
----- Original Message -----
From: "Sundaram" <sun@percipia.com>
To: "Mario Antonio" <dino@webjogger.net>
Sent: Saturday, October 19, 2002 7:30 PM
Subject: Re: Newbie Question - starting iptables as a service
> Put your firewall script into the /etc/init.d/ directory. Your script should
> accept start and stop parameters.
>
> Use the chkconfig command to add the firewall script as a service.
>
> Look at some of the files in the /etc/init.d directory.
> Cheers
> SR.
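A SysV init script of the shape Sundaram describes (accepts start and stop, registered with chkconfig), as an added example rather than any poster's script. It assumes the ruleset was saved with iptables-save to /etc/sysconfig/iptables (the file the Red Hat iptables service read; override with RULES), and IPT, IPT_SAVE, IPT_RESTORE and SYSCTL are hypothetical variables so the script can be exercised with echo/cat before it touches a real firewall.

```shell
#!/bin/sh
# chkconfig: 2345 08 92
# description: Loads the saved netfilter ruleset at boot, flushes it on stop.
#
# Added example of a start/stop init script for chkconfig; not a script from
# the thread. Assumes the ruleset was saved with "iptables-save" to
# /etc/sysconfig/iptables (override with RULES). IPT, IPT_SAVE, IPT_RESTORE and
# SYSCTL are hypothetical knobs: point them at "echo" or "cat" for a dry run.
IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
SYSCTL="${SYSCTL:-sysctl}"
RULES="${RULES:-/etc/sysconfig/iptables}"

fw_start() {
    # Refuse to "start" with nothing to load: the alternative is a box with
    # ACCEPT policies and no rules, silently open.
    if [ ! -r "$RULES" ]; then
        echo "firewall: no ruleset at $RULES, not starting" >&2
        return 1
    fi
    # iptables-restore replaces every table present in the file atomically,
    # policies included, so no separate -F or -P calls are needed here.
    $IPT_RESTORE < "$RULES" || return 1
    $SYSCTL -w net.ipv4.ip_forward=1
}

fw_stop() {
    # Policies back to ACCEPT before flushing: -F leaves the policy alone, and
    # a DROP policy with no rules would cut off a remote admin.
    for c in INPUT FORWARD OUTPUT; do
        $IPT -P "$c" ACCEPT
    done
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
        $IPT -t "$t" -Z
    done
}

fw_save() {
    # Write to a temp file and rename, so an interrupted save cannot leave a
    # truncated ruleset that fw_start would load at the next boot.
    tmp="$RULES.tmp.$$"
    $IPT_SAVE > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$RULES"
}

fw_status() {
    $IPT -L -n -v
    $IPT -t nat -L -n -v
}

fw_main() {
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        # restart reloads without stopping first: a stop followed by a failed
        # load would leave the box open, and restore already flushes each table.
        restart) fw_start ;;
        save)    fw_save ;;
        status)  fw_status ;;
        *) echo "Usage: $0 {start|stop|restart|save|status}" >&2; return 2 ;;
    esac
}

# Dispatch only when called with an action, so the file can be sourced for a dry run.
if [ $# -gt 0 ]; then
    fw_main "$@"
fi
```

Install it as /etc/init.d/firewall, chmod 755, then "chkconfig --add firewall" reads the "chkconfig:" header line for the runlevels and start/stop priorities; "service firewall save" after editing rules by hand writes the file that the next boot will load.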