From: Antony Stone <Antony@Soft-Solutions.co.uk>
To: Netfilter <netfilter@lists.netfilter.org>
Subject: Re: Home web server using front firewall
Date: Wed, 17 Dec 2003 22:48:49 +0000
Message-ID: <200312172248.50303.Antony@Soft-Solutions.co.uk>
In-Reply-To: <HFEBJMKNPOCPPMGFHDMCAEJBCDAA.esanz@minorplanetusa.com>
On Wednesday 17 December 2003 9:30 pm, Erick Sanz wrote:
> Antony,
>
> These are the entries I had to add to make it work:
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> iptables -t nat -A PREROUTING -p tcp -d 172.16.1.33 --dport 80 \
> -j DNAT --to 10.10.1.240
>
> iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
>
> iptables -A INPUT -i eth0 -p tcp -d 172.16.1.33 --dport 80 -m state \
> --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A INPUT -i eth1 -p tcp -s 10.10.1.240 --sport 80 -m state \
> --state ESTABLISHED,RELATED -j ACCEPT
Packets being routed through a firewall from one side to the other do not go
through the INPUT chain.
The only packets which go through rules in the INPUT chain are those addressed
to the firewall itself, and not being routed any further.
I do not believe you need the above two rules in the INPUT chain.
> I have read the FAQ on forwarding; however, I can still not understand
> the 3 forwarding statements needed; one of them is for input on eth0
> (172.16.1.33) to 10.10.1.240. The other one is for data received from
> eth1 (10.10.1.240); however, I don't understand the third forward (can't
> be taken out as it won't work then)... I see the difference as -i to
> -o ... Is there a newbie explanation on why?
You need to understand the difference between putting a rule in the INPUT
chain (which is for packets addressed to the firewall itself), compared to
specifying -i in a rule in the FORWARD chain (which is for packets being
routed through the firewall, where you want to specify which interface they
entered the machine through).
Here's a suggestion:
Allow your firewall to pass some of the traffic that you want (now that you've
got it working), and then type:
iptables -L -n -v -x
You will see each of the rules in the INPUT, FORWARD and OUTPUT chains, with
byte and packet counts at the beginning.
Any rule which has a zero packet / byte count has not seen any traffic, and is
therefore not contributing to your firewall working.
Hopefully this helps to explain things a bit more so you understand what is
needed and what is not.
Antony.
--
This is not a rehearsal.
This is Real Life.
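As an added example (not part of Antony's message or of the netfilter project), here is a small POSIX shell helper that applies the check Antony suggests: it reads the output of `iptables -L -n -v -x` and lists every rule whose packet and byte counters are both zero, i.e. rules that have matched nothing. The sample counter output embedded below is constructed to mirror Erick's rule set, with made-up counters, so the script runs offline; on a real firewall you would pipe `iptables -L -n -v -x` into `unused_rules` instead of the sample. With the sample input, the two INPUT rules show up as unused while the FORWARD rules (which carry the routed web traffic) do not.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -n -v -x` output. The rules mirror the
# ones quoted above, with the two -i FORWARD rules added; the counters are
# made up for this example and do not come from a real firewall.
SAMPLE_COUNTERS='Chain INPUT (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            172.16.1.33          tcp dpt:80 state NEW,RELATED,ESTABLISHED
       0        0 ACCEPT     tcp  --  eth1   *       10.10.1.240          0.0.0.0/0            tcp spt:80 state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      43     3120 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            10.10.1.240          tcp dpt:80 state NEW,RELATED,ESTABLISHED
      41    51234 ACCEPT     tcp  --  eth1   eth0    10.10.1.240          0.0.0.0/0            tcp spt:80 state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

# unused_rules: read `iptables -L -n -v -x` output on stdin and print one line
# per rule whose packet and byte counters are both zero, formatted as
# "CHAIN rule-number target". Chain headers, column headers and blank
# separator lines are skipped; rule numbers restart at 1 in each chain.
unused_rules() {
    awk '
        /^Chain /          { chain = $2; n = 0; next }   # start of a new chain
        /^ *pkts +bytes/   { next }                      # column header line
        NF == 0            { next }                      # blank line between chains
        {
            n++
            if ($1 == 0 && $2 == 0) printf "%s %d %s\n", chain, n, $3
        }
    '
}

# count_unused: same input on stdin, but print only how many rules have
# never matched a packet.
count_unused() {
    unused_rules | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample. On a live system replace
# the printf with: iptables -L -n -v -x | unused_rules
printf '%s\n' "$SAMPLE_COUNTERS" | unused_rules
```

A rule listed by `unused_rules` is not necessarily wrong, only unexercised for the traffic you just generated; the useful reading is the one Antony gives: if the web server is reachable and a rule still shows zero counters, that rule is not what makes it work.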