Hi,

The requirement is like this:

    WebServer ------------ Router/Firewall ------------ client
    10.60.90.7/8        eth1            eth0          192.168.10.15
                        10.60.90.5/8    192.168.10.5/24

Router/Firewall -----> RH Linux 8 using iptables. Client should be able to access the webserver.

Without firewall rule I am able to access webserver from client (IP forwarding is working fine). I have already set iptable rule, pls see the attached file. After FW rule is enabled I am not able to connect to webserver from 192.168.10.5 to 10.60.90.7, BUT I can ping 10.60.90.5.

I need clients from 192.168.10.0/24 to be able to connect only to port 80 on 10.161.90.7.8.

(See attached file: firescript.txt)

Rgds
Puru
#!/bin/sh
# firescript.txt - iptables rules for the RH Linux 8 router/firewall
# eth1 = 10.60.90.5/8 (webserver side), eth0 = 192.168.10.5/24 (client side)

# (1) Policies (default): drop anything not explicitly accepted below
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (2) User-defined chain for ACCEPTED TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

# (3) INPUT chain rules (packets addressed to the firewall itself)
# Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i eth1 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.60.90.5 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.10.5 -j ACCEPT
# Directed broadcast for 10.0.0.0/8 is 10.255.255.255 (10.0.0.255 is not the broadcast of a /8)
iptables -A INPUT -p ALL -i eth1 -d 10.255.255.255 -j ACCEPT
# Rules for incoming packets from the internet
# Packets for established connections
iptables -A INPUT -p ALL -d 192.168.10.5 -m state --state ESTABLISHED,RELATED -j ACCEPT
# TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
# ICMP rules: echo-request (8) and time-exceeded (11); this is why the ping to 10.60.90.5 works
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT

# (4) FORWARD chain rules (packets routed between eth0 and eth1)
# Accept the packets we want to forward
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new HTTP connections from the client LAN to the webserver only.
# Without this rule the client's SYN (arriving on eth0, state NEW) matches
# neither rule above and is dropped by the FORWARD policy.
iptables -A FORWARD -i eth0 -o eth1 -p TCP -s 192.168.10.0/24 -d 10.60.90.7 --dport 80 -m state --state NEW -j ACCEPT

# (5) OUTPUT chain rules
# Only output packets with a local address (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.60.90.5 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.10.5 -j ACCEPT

# (6) dynamic NAT to do port forwarding: connections to the firewall's eth0
# address on port 80 are redirected to the webserver (and then go through FORWARD)
iptables -t nat -A PREROUTING -p tcp -d 192.168.10.5 --dport 80 -j DNAT --to-destination 10.60.90.7
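To see why the posted FORWARD chain drops the client's first packet while replies and pings to the router still work, here is a small constructed model of netfilter's first-match chain evaluation (an added example, not part of Puru's post and not iptables itself). It models only the match fields the script uses, assumes the eth0/eth1 layout from the diagram, and compares the posted chain with one that also accepts new HTTP connections from the client LAN.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Packet:
    in_iface: str
    out_iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    state: str  # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass
class Rule:
    target: str
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None

    def matches(self, p: Packet) -> bool:
        # An unset field matches anything, like an omitted iptables option
        return all([
            self.in_iface in (None, p.in_iface),
            self.out_iface in (None, p.out_iface),
            self.proto in (None, p.proto),
            self.dst in (None, p.dst),
            self.dport in (None, p.dport),
            self.states is None or p.state in self.states,
        ])

def evaluate(chain: List[Rule], policy: str, packet: Packet) -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy

# FORWARD chain exactly as posted: anything in on eth1, plus established traffic
POSTED_FORWARD = [Rule("ACCEPT", in_iface="eth1"),
                  Rule("ACCEPT", states={"ESTABLISHED", "RELATED"})]
# Same chain plus an accept for new HTTP connections from the client side
FIXED_FORWARD = POSTED_FORWARD + [Rule("ACCEPT", in_iface="eth0", out_iface="eth1",
                                       proto="tcp", dst="10.60.90.7", dport=80, states={"NEW"})]

# Constructed packets for the flow described in the post
CLIENT_SYN = Packet("eth0", "eth1", "tcp", "192.168.10.5", "10.60.90.7", 80, "NEW")
SERVER_SYNACK = Packet("eth1", "eth0", "tcp", "10.60.90.7", "192.168.10.5", None, "ESTABLISHED")
CLIENT_OTHER = Packet("eth0", "eth1", "tcp", "192.168.10.5", "10.60.90.7", 22, "NEW")
```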