Newbie Question - Redirect traffic to internal Web server

All of lore.kernel.org
 help / color / mirror / Atom feed

* Newbie Question - Redirect traffic to internal Web server
@ 2002-10-17 19:24 Flávio Brito
  2002-10-17 20:52 ` Antony Stone
  0 siblings, 1 reply; 6+ messages in thread
From: Flávio Brito @ 2002-10-17 19:24 UTC (permalink / raw)
  To: netfilter

Dear List

I have two servers in my net,one with a valid IP. I want to redirect all
the HTTP Traffic(external -> internal) to my internal Web server I'm
trying to learn iptables, but when I test my rules, sometimes when I try
to erase them it appears not do what I want.

Questions
1)
I use it to erase my rules. But sometimes without sucess. Bug? 
#erasing rules 
iptables -F
iptables -F -t nat
iptables -X
iptables -X -t nat
iptables -Z 
iptables -Z  -t nat

2)To redirect the traffic to my internal server I must have a DNS in my
FW server?  or only redirect?

      	[FW]-eth0-> [200.179.213.245]------> Internet
	|
	|
	|eth1 ->[192.168.1.1]
	| ---------------> [Web Server ] 192.168.1.33
	|----------------> [LAN Hosts] [192.168.1.2 to 192.168.1.100]

eth0-> 200.179.213.245
eth1-> 192.168.1.1

Can someone help me with this rules?

iptables -t nat -A POSTROUTING -s 192.168.1.10/24 -d any/0 -j MASQUERADE
iptables -A INPUT -p tcp -s 192.168.1.33 -d 0/0 --dport www -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.33 -d 0/0 --dport www -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d 0/0 --dport www -j REDIRECT
--to-port 80

Thanks 

Flávio 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Newbie Question - Redirect traffic to internal Web server
  2002-10-17 19:24 Newbie Question - Redirect traffic to internal Web server Flávio Brito
@ 2002-10-17 20:52 ` Antony Stone
  2002-10-17 21:18   ` Aldo S. Lagana
  0 siblings, 1 reply; 6+ messages in thread
From: Antony Stone @ 2002-10-17 20:52 UTC (permalink / raw)
  To: netfilter

On Thursday 17 October 2002 8:24 pm, Flávio Brito wrote:

> Dear List
>
> I have two servers in my net,one with a valid IP. I want to redirect all
> the HTTP Traffic(external -> internal) to my internal Web server I'm
> trying to learn iptables, but when I test my rules, sometimes when I try
> to erase them it appears not do what I want.

What makes you think that clearing the rules is not working properly ?

> Questions
> 1) I use it to erase my rules. But sometimes without sucess. Bug?
> #erasing rules
> iptables -F

This will flush (erase) all the rules in the filter table of all your chains.

> iptables -F -t nat

This will flush all the rules in the nat table of all your chains.

After these two commands you should not have any rules left in your system 
(unless you created any in the mangle table, which is unlikely....)

> iptables -X

This will delete all your user-defined chains.

> iptables -X -t nat

This command is not necessary.

> iptables -Z

This will zero the byte and packet counters in all chains.   You may want to 
do this, but it is nothing to do with clearing the rules.

> iptables -Z  -t nat

This will zero the counters in the nat tables.   Again this is nothing to do 
with clearing the rules.

> 2) To redirect the traffic to my internal server I must have a DNS in my
> FW server?  or only redirect?

DNS is irrelevant as far as redirecting packets is concerned.   If DNS works 
on your internal network as it is, nothing needs to be changed.   Remember 
that netfilter works on IP addresses, not hostnames, therefore there are no 
DNS lookups required.

>       	[FW]-eth0-> [200.179.213.245]------> Internet
>
> 	|eth1 ->[192.168.1.1]
> 	| ---------------> [Web Server ] 192.168.1.33
> 	|----------------> [LAN Hosts] [192.168.1.2 to 192.168.1.100]
>
> eth0-> 200.179.213.245
> eth1-> 192.168.1.1
>
> Can someone help me with this rules?
>
> iptables -t nat -A POSTROUTING -s 192.168.1.10/24 -d any/0 -j MASQUERADE

Remove the "-d any/0".   It is redundant and reduces legibility.   This rule 
will source translate all outgoing packets from your network to the Internet 
to have the external address of your firewall (so that replies can come back).

> iptables -A INPUT -p tcp -s 192.168.1.33 -d 0/0 --dport www -j ACCEPT
> iptables -A OUTPUT -p tcp -s 192.168.1.33 -d 0/0 --dport www -j ACCEPT

You should not be using the INPUT & OUTPUT chains.   These are only for 
packets addressed to the firewall itself, or generated on the firewall, 
respectively.

Instead you should use the FORWARD chain for packets going *through* your 
firewall:

iptables -A FORWARD -p tcp --dport 80 -d 192.168.1.33 -j ACCEPT

(Note also the -d instead of -s : you want to allow packets going *to* the 
web server, therefore it is the destination).

> iptables -A PREROUTING -t nat -p tcp -d 0/0 --dport www -j REDIRECT
> --to-port 80

REDIRECT is only for packets terminating on the firewall machine itself.   
Try this instead:

iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j SNAT --to 
192.168.1.33

Note I have added a "-i eth0" so that this rule applies only to packet coming 
in via your external interface - otherwise all web requests from your 
internal network to the Internet would get redirected to your internal server 
as well (and that wouldn't work properly for other reasons I won't go into 
now).

Finally you should have a default policy on your INPUT and FORWARD chains:

iptables -P INPUT DROP
iptables -P FORWARD DROP

and you want to allow reply packets to go through your firewall as well:

iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

See how that works out :-)

Antony.

-- 

This is not a rehearsal.
This is Real Life.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* RE: Newbie Question - Redirect traffic to internal Web server
  2002-10-17 20:52 ` Antony Stone
@ 2002-10-17 21:18   ` Aldo S. Lagana
  2002-10-17 21:27     ` Antony Stone
  0 siblings, 1 reply; 6+ messages in thread
From: Aldo S. Lagana @ 2002-10-17 21:18 UTC (permalink / raw)
  To: 'Antony Stone', netfilter



Antony, I am not very familiar with the use of SNAT for incoming web
connections; I use DNAT for my web servers.  Is there any difference?

> 
> On Thursday 17 October 2002 8:24 pm, Flávio Brito wrote:
> 
> > Dear List
> >
> > I have two servers in my net,one with a valid IP. I want to 
> redirect 
> > all the HTTP Traffic(external -> internal) to my internal 
> Web server 
> > I'm trying to learn iptables, but when I test my rules, 
> sometimes when 
> > I try to erase them it appears not do what I want.
> 
> 
> >       	[FW]-eth0-> [200.179.213.245]------> Internet
> >
> > 	|eth1 ->[192.168.1.1]
> > 	| ---------------> [Web Server ] 192.168.1.33
> > 	|----------------> [LAN Hosts] [192.168.1.2 to 192.168.1.100]
> >
> > eth0-> 200.179.213.245
> > eth1-> 192.168.1.1
> >
> > Can someone help me with this rules?
> >
> > iptables -t nat -A POSTROUTING -s 192.168.1.10/24 -d any/0 -j 
> > MASQUERADE
> 
> Remove the "-d any/0".   It is redundant and reduces 
> legibility.   This rule 
> will source translate all outgoing packets from your network 
> to the Internet 
> to have the external address of your firewall (so that 
> replies can come back).
> 
> > iptables -A INPUT -p tcp -s 192.168.1.33 -d 0/0 --dport www 
> -j ACCEPT 
> > iptables -A OUTPUT -p tcp -s 192.168.1.33 -d 0/0 --dport 
> www -j ACCEPT
> 
> You should not be using the INPUT & OUTPUT chains.   These 
> are only for 
> packets addressed to the firewall itself, or generated on the 
> firewall, 
> respectively.
> 
> Instead you should use the FORWARD chain for packets going 
> *through* your 
> firewall:
> 
> iptables -A FORWARD -p tcp --dport 80 -d 192.168.1.33 -j ACCEPT
> 
> (Note also the -d instead of -s : you want to allow packets 
> going *to* the 
> web server, therefore it is the destination).
> 
> > iptables -A PREROUTING -t nat -p tcp -d 0/0 --dport www -j REDIRECT 
> > --to-port 80
> 
> REDIRECT is only for packets terminating on the firewall 
> machine itself.   
> Try this instead:
> 
> iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j SNAT --to 
> 192.168.1.33

for this I would:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -d
200.179.213.245 -j DNAT --to 192.168.1.33
along with the appropriate FORWARD rule.

I was again wondering if I was doing things wrong?  It seems that if you
SNAT, then your WEB server won't know the client's IP address that was
accessing - all accesses would appear to be coming from the firewall.





^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Newbie Question - Redirect traffic to internal Web server
  2002-10-17 21:18   ` Aldo S. Lagana
@ 2002-10-17 21:27     ` Antony Stone
  2002-10-17 22:34       ` Newbie Question - starting iptables as a service Mario Antonio
  0 siblings, 1 reply; 6+ messages in thread
From: Antony Stone @ 2002-10-17 21:27 UTC (permalink / raw)
  To: netfilter

On Thursday 17 October 2002 10:18 pm, Aldo S. Lagana wrote:

> Antony, I am not very familiar with the use of SNAT for incoming web
> connections; I use DNAT for my web servers.  Is there any difference?

They are totally different, and I made a mistake in my suggested rule.

SNAT means Source Network Address Translation.

DNAT means Destination Network Address Translation.

SNAT changes the Source IP Address of packets; DNAT changes the Destination 
IP Address.

You need to use the correct one depending on whether you want to change the 
source address (ie where the reply is going to come back to) or the 
destination address (ie where this packet itself is going).

If I understood your original question correctly, you want to change packets 
coming in from the Internet to the external IP address of your firewall and 
send them instead to your internal web server ?

If that is correct, you need to change the destination address of the 
incoming packets so that instead of stopping on your firewall, they get 
passed on to your internal web server, hence you need to use a DNAT rule.   
Simply change the S for a D in the rule I posted earlier and it will be 
correct :-)

Antony.

-- 

Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Newbie Question - starting iptables as a service
  2002-10-17 21:27     ` Antony Stone
@ 2002-10-17 22:34       ` Mario Antonio
       [not found]         ` <001701c277c7$8a675420$4101a8c0@ramasamy>
  0 siblings, 1 reply; 6+ messages in thread
From: Mario Antonio @ 2002-10-17 22:34 UTC (permalink / raw)
  To: netfilter

Hi,

I install iptables v1.2.7a, and I uninstall the old version through rpm -e
iptables.
It seems that it trashed my init.d/iptables script

How can I start iptables as a service (linux 7.3)?

How can I make iptables to reload the rules?

Regards

---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]

^ permalink raw reply	[flat|nested] 6+ messages in thread

[parent not found: <001701c277c7$8a675420$4101a8c0@ramasamy>]

* Re: Newbie Question - starting iptables as a service
       [not found]         ` <001701c277c7$8a675420$4101a8c0@ramasamy>
@ 2002-10-19 23:53           ` Mario Antonio
  0 siblings, 0 replies; 6+ messages in thread
From: Mario Antonio @ 2002-10-19 23:53 UTC (permalink / raw)
  To: netfilter

Sundaram,

Thank you very much.

Mario

----- Original Message -----
From: "Sundaram" <sun@percipia.com>
To: "Mario Antonio" <dino@webjogger.net>
Sent: Saturday, October 19, 2002 7:30 PM
Subject: Re: Newbie Question - starting iptables as a service


> put your firewall script into /etc/init.d/ directory. Your script should
> accept start, stop  parameters.
>
> Use chkconfig command to add the firewall script as a service.
>
> look some file in the /etc/init.d directory.
> Cheers
> SR.
>
>
>
>
>
>
> ----- Original Message -----
> From: "Mario Antonio" <dino@webjogger.net>
> To: <netfilter@lists.netfilter.org>
> Sent: Thursday, October 17, 2002 6:34 PM
> Subject: Re: Newbie Question - starting iptables as a service
>
>
> > Hi,
> >
> > I install iptables v1.2.7a, and I uninstall the old version through
rpm -e
> > iptables.
> > It seems that it trashed my init.d/iptables script
> >
> >
> > How can I start iptables as a service (linux 7.3)?
> >
> > How can I make iptables to reload the rules?
> >
> >
> > Regards
> >
> > ---
> > [This e-mail was scanned for viruses by Webjogger's AntiVirus Protection
> System]
> >
> >
>
> ---
> [This e-mail was scanned for viruses by Webjogger's AntiVirus Protection
System]
>
>

---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]



^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2002-10-19 23:53 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-10-17 19:24 Newbie Question - Redirect traffic to internal Web server Flávio Brito
2002-10-17 20:52 ` Antony Stone
2002-10-17 21:18   ` Aldo S. Lagana
2002-10-17 21:27     ` Antony Stone
2002-10-17 22:34       ` Newbie Question - starting iptables as a service Mario Antonio
     [not found]         ` <001701c277c7$8a675420$4101a8c0@ramasamy>
2002-10-19 23:53           ` Mario Antonio

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.