Newbie Question - Redirect traffic to internal Web server

On Thursday 17 October 2002 8:24 pm, Flávio Brito wrote:

> Dear List
>
> I have two servers in my net, one with a valid IP. I want to redirect all
> the HTTP traffic (external -> internal) to my internal Web server. I'm
> trying to learn iptables, but when I test my rules, sometimes when I try
> to erase them it appears not to do what I want.

What makes you think that clearing the rules is not working properly ?

> Questions
> 1) I use it to erase my rules. But sometimes without success. Bug?
> #erasing rules
> iptables -F

This will flush (erase) all the rules in the filter table of all your chains.

> iptables -F -t nat

This will flush all the rules in the nat table of all your chains.

After these two commands you should not have any rules left in your system 
(unless you created any in the mangle table, which is unlikely....)

> iptables -X

This will delete all your user-defined chains.

> iptables -X -t nat

This command is not necessary.

> iptables -Z

This will zero the byte and packet counters in all chains.   You may want to 
do this, but it is nothing to do with clearing the rules.

> iptables -Z  -t nat

This will zero the counters in the nat tables.   Again this is nothing to do 
with clearing the rules.

> 2) To redirect the traffic to my internal server I must have a DNS in my
> FW server?  or only redirect?

DNS is irrelevant as far as redirecting packets is concerned.   If DNS works 
on your internal network as it is, nothing needs to be changed.   Remember 
that netfilter works on IP addresses, not hostnames, therefore there are no 
DNS lookups required.

>   [FW]-eth0-> [200.179.213.245]------> Internet
>
>    |eth1 ->[192.168.1.1]
>    | ---------------> [Web Server ] 192.168.1.33
>    |----------------> [LAN Hosts] [192.168.1.2 to 192.168.1.100]
>
> eth0-> 200.179.213.245
> eth1-> 192.168.1.1
>
> Can someone help me with these rules?
>
> iptables -t nat -A POSTROUTING -s 192.168.1.10/24 -d any/0 -j MASQUERADE

Remove the "-d any/0".   It is redundant and reduces legibility.   This rule 
will source translate all outgoing packets from your network to the Internet 
to have the external address of your firewall (so that replies can come back).

> iptables -A INPUT -p tcp -s 192.168.1.33 -d 0/0 --dport www -j ACCEPT
> iptables -A OUTPUT -p tcp -s 192.168.1.33 -d 0/0 --dport www -j ACCEPT

You should not be using the INPUT & OUTPUT chains.   These are only for 
packets addressed to the firewall itself, or generated on the firewall, 
respectively.

Instead you should use the FORWARD chain for packets going *through* your 
firewall:

iptables -A FORWARD -p tcp --dport 80 -d 192.168.1.33 -j ACCEPT

(Note also the -d instead of -s : you want to allow packets going *to* the 
web server, therefore it is the destination).

> iptables -A PREROUTING -t nat -p tcp -d 0/0 --dport www -j REDIRECT --to-port 80

REDIRECT is only for packets terminating on the firewall machine itself.   
Try this instead:

iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.1.33

Note I have added a "-i eth0" so that this rule applies only to packets coming 
in via your external interface - otherwise all web requests from your 
internal network to the Internet would get redirected to your internal server 
as well (and that wouldn't work properly for other reasons I won't go into 
now).

Finally you should have a default policy on your INPUT and FORWARD chains:

iptables -P INPUT DROP
iptables -P FORWARD DROP

and you want to allow reply packets to go through your firewall as well:

iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

See how that works out :-)

Antony.

-- 

This is not a rehearsal.
This is Real Life.
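As an added illustration that is not part of the thread, here is a toy Python model of the packet path the reply relies on: nat PREROUTING runs before the routing decision, so the FORWARD chain sees the DNATed destination, only packets addressed to the firewall's own addresses reach INPUT, and the "-i eth0" match keeps LAN browsing from being hijacked. It uses the thread's addresses; the client addresses 1.2.3.4 and 5.6.7.8, the conntrack dict and the extra rule accepting new LAN-to-Internet connections are my assumptions.

```python
from dataclasses import dataclass, replace

FW_EXT, FW_INT, WEB = "200.179.213.245", "192.168.1.1", "192.168.1.33"
LOCAL = {FW_EXT, FW_INT}           # addresses owned by the firewall itself
conntrack = {}                     # (src, dst, dport) -> rewritten dst; toy conntrack table

@dataclass(frozen=True)
class Packet:
    iface: str                     # interface the packet arrived on
    src: str
    dst: str
    dport: int
    state: str = "NEW"             # what -m state would see

def prerouting_nat(p, restrict_to_eth0=True):
    """nat PREROUTING: consulted only for the first packet of a connection; later
    packets reuse the recorded mapping and count as ESTABLISHED.  Models:
    iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.1.33"""
    key = (p.src, p.dst, p.dport)
    if key in conntrack:
        return replace(p, dst=conntrack[key], state="ESTABLISHED")
    hit = p.dport == 80 and (p.iface == "eth0" or not restrict_to_eth0)
    conntrack[key] = WEB if hit else p.dst
    return replace(p, dst=conntrack[key])

def forward_chain(p):
    """FORWARD chain with policy DROP, as in the reply."""
    if p.state in ("ESTABLISHED", "RELATED"):     # -m state --state ESTABLISHED,RELATED -j ACCEPT
        return "ACCEPT"
    if p.dport == 80 and p.dst == WEB:            # -p tcp --dport 80 -d 192.168.1.33 -j ACCEPT
        return "ACCEPT"
    if p.iface == "eth1":     # assumption: the reply shows no rule for new LAN-to-Internet
        return "ACCEPT"       # connections; this stands in for e.g. -i eth1 -o eth0 -j ACCEPT
    return "DROP"

def firewall(p, restrict_to_eth0=True):
    """Return (chain, verdict, final dst) for a packet arriving at the firewall."""
    p = prerouting_nat(p, restrict_to_eth0)
    if p.dst in LOCAL:                  # routing decision: for us -> INPUT (policy DROP)
        return ("INPUT", "DROP", p.dst)
    return ("FORWARD", forward_chain(p), p.dst)

if __name__ == "__main__":
    print(firewall(Packet("eth0", "1.2.3.4", FW_EXT, 80)))   # ('FORWARD', 'ACCEPT', '192.168.1.33')
    print(firewall(Packet("eth0", "1.2.3.4", FW_EXT, 80)))   # same connection, now ESTABLISHED
    print(firewall(Packet("eth0", "1.2.3.4", FW_EXT, 22)))   # ('INPUT', 'DROP', '200.179.213.245')
    print(firewall(Packet("eth1", "192.168.1.2", "5.6.7.8", 80)))  # LAN browsing left alone
    conntrack.clear()   # without "-i eth0" the same LAN request is sent to the internal server
    print(firewall(Packet("eth1", "192.168.1.2", "5.6.7.8", 80), restrict_to_eth0=False))
```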

