Some days ago, a friend posted a problem for me, with this text:
I have a server with 2 network interfaces, where eth0 is the interface connected to the internet and eth1 to the internal network. This server has only a Squid, but I set up iptables to protect the server. Iptables runs from a script, and in this script I set up the redirection to the other server in my internal network on ports 80 and 443. I followed the different how-tos and many manuals, but the redirect doesn't work; the NAT POSTROUTING works and Squid works too. My DNS is OK, because when I query with the dig command the answer is the assigned IP. Here I put a copy of my script:
I did all the instructions for that problem but I have the same problem: the server doesn't redirect to the webserver for ports 80 and 443; all the rest of the services are OK, only those services have problems. Thanks for all.
Now my /etc/sysconfig/iptables is this:
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
#-A INPUT -j RH-Firewall-1-INPUT
#-A FORWARD -j RH-Firewall-1-INPUT
#-A RH-Firewall-1-INPUT -i lo -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
# everything to localhost and to infocom
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s rango_ip -d 0/0 -p all -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/24 -d 172.16.0.1/32 -p all -j ACCEPT
# deny ping
-A INPUT -i eth0 -p ICMP --icmp-type echo-request -j DROP
-A INPUT -i eth1 -p ICMP --icmp-type echo-request -j DROP
## SMTP OUT - so the server can connect to other MTAs
# Allow outgoing SMTP
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
## Full DNS. ACCEPTED.
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
## SQUID
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
## FORWARD
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 443 -j ACCEPT
-A FORWARD -i eth1 -p tcp -d 172.16.0.3/32 --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -d 172.16.0.3/32 --dport 443 -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 53 -j ACCEPT
-A FORWARD -i eth1 -p udp -s 172.16.0.0/24 --dport 53 -j ACCEPT
## OUTPUT
-A OUTPUT -o eth1 -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth1 -p tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
## NAT and intranet from the portal
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.0.3:443
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.10/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.9/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.138/32 -o eth0 -j MASQUERADE
COMMIT
--------------------------------------------------------------
my /etc/sysconfig/iptables-
# Additional iptables modules (nat helper)
# Default: -empty-
IPTABLES_MODULES="ip_nat_ftp"
# Save current firewall rules on stop.
# Value: yes|no, default: no
#IPTABLES_SAVE_ON_STOP="no"
# Save current firewall rules on restart.
# Value: yes|no, default: no
#IPTABLES_SAVE_ON_RESTART="no"
# Save (and restore) rule counter.
# Value: yes|no, default: no
#IPTABLES_SAVE_COUNTER="no"
# Numeric status output
# Value: yes|no, default: no
#IPTABLES_STATUS_NUMERIC="no"
-----------------------------------------
The output of the command iptables -L:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  200.55.135.8/29      anywhere
ACCEPT     all  --  172.16.0.0/24        valinor.mincex.org
DROP       icmp --  anywhere             anywhere            icmp echo-request
DROP       icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:squid
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  172.16.0.0/24        anywhere            tcp dpt:http
ACCEPT     tcp  --  172.16.0.0/24        anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             armagedon.mincex.org tcp dpt:http
ACCEPT     tcp  --  anywhere             armagedon.mincex.org tcp dpt:https
ACCEPT     tcp  --  172.16.0.0/24        anywhere            tcp dpt:domain
ACCEPT     udp  --  172.16.0.0/24        anywhere            udp dpt:domain
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW,ESTABLISHED tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW,ESTABLISHED tcp dpt:https
Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
--------------------------------------------------------
And the output of the command iptables -L -t nat:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:172.16.0.3:80
DNAT       tcp  --  anywhere             anywhere            tcp dpt:https to:172.16.0.3:443
ACCEPT     tcp  --  anywhere             anywhere            state NEW,ESTABLISHED tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW,ESTABLISHED tcp dpt:https
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  ariadne.mincex.org   anywhere
MASQUERADE all  --  172.16.0.10          anywhere
MASQUERADE all  --  172.16.0.9           anywhere
MASQUERADE all  --  maprinter.mincex.org anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
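Added example, not from the post or from any distribution tooling: a small Python checker that parses an iptables-save style dump like the one above and, for every DNAT in nat/PREROUTING, reports whether filter/FORWARD really accepts the rewritten packet on the interface it arrives on. The embedded rules are a constructed excerpt modelled on the posted file, and the function names are my own.

```python
# Constructed excerpt modelled on the posted /etc/sysconfig/iptables
SAMPLE_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth1 -p tcp -d 172.16.0.3/32 --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -d 172.16.0.3/32 --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.0.3:443
COMMIT
"""

def parse_dump(text):
    """Parse iptables-save text into chain policies and per-rule option dicts."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("#"):
            continue
        if toks[0].startswith("*"):          # *filter / *nat
            table = toks[0][1:]
        elif toks[0].startswith(":"):        # :CHAIN POLICY [pkts:bytes]
            policies[(table, toks[0][1:])] = toks[1]
        elif toks[0] == "-A":
            rule = {"table": table, "chain": toks[1]}
            for opt, val in zip(toks[2:], toks[3:]):   # "-x value" pairs
                if opt.startswith("-") and not val.startswith("-"):
                    rule[opt] = val
            rules.append(rule)
    return policies, rules

def check_forwards(text):
    """For each DNAT in nat/PREROUTING, check filter/FORWARD covers it on its real ingress interface."""
    policies, rules = parse_dump(text)
    accepts = [r for r in rules if (r["table"], r["chain"], r.get("-j")) == ("filter", "FORWARD", "ACCEPT")]
    findings = []
    for r in rules:
        if (r["table"], r["chain"], r.get("-j")) != ("nat", "PREROUTING", "DNAT"):
            continue
        in_if, (host, _, port) = r.get("-i"), r["--to"].partition(":")
        port = port or r.get("--dport")          # --to without a port keeps --dport
        def covers(f, same_iface):               # does FORWARD rule f match this flow?
            return (f.get("-d", host).split("/")[0] == host and f.get("--dport", port) == port
                    and (not same_iface or f.get("-i", in_if) == in_if))
        status = ("ok" if any(covers(f, True) for f in accepts)
                  else "policy-only" if policies.get(("filter", "FORWARD")) == "ACCEPT"
                  else "blocked")                # policy-only: works today, breaks once the policy is tightened
        wrong = sorted({f["-i"] for f in accepts if covers(f, False) and f.get("-i") not in (None, in_if)})
        findings.append({"dport": port, "to": host, "in": in_if, "status": status, "wrong_iface": wrong})
    return findings
```

Run against the posted rules it reports both forwards as "policy-only" with wrong_iface ["eth1"]: the FORWARD rules for 172.16.0.3 match -i eth1, but DNAT'd packets from the internet enter on eth0, so they are forwarded only because the FORWARD policy is ACCEPT.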