Good Morning,

I am definitely not understanding something after reading a handful of tutorials and mail threads. I thought I'd ask the experts for a hand.

I have a web server that sits behind the firewall. I need the web server to have access to the internet (http traffic). I have a handful of dnat rules sending http traffic and a couple of others to our internal web server. The web server cannot access the internet. I believe that web requests are being sent back to the web server? Are there any special rules that I would need to add to allow the web server access to DNS and HTTP?

Thanks,
John

#=================================
# Set some variables
#=================================
IPT=/sbin/iptables
LOGOPT="--log-level=3 -m limit --limit 1/second --limit-burst 10"
EXTIP="xxx.xxx.xxx.xxx"
WEBIP="192.168.100.254"
EXTNIC="eth2"
INTNIC="eth0"
SHUNIP=""
echo "Done with variables"

#=================================
# Load modules
#=================================
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Finished loading modules"

#=================================
# Check if we can run iptables
#=================================
if [ ! -x $IPT ]
then
    echo "firewall: can't execute $IPT"
    exit 1
fi

#=================================
# Flush and build chains
#=================================
$IPT --flush
$IPT --table nat --flush
$IPT --delete-chain
$IPT --table nat --delete-chain

# LOGGING CHAINS: each one logs with its own prefix, then drops
$IPT -N LDROP
$IPT -A LDROP -j LOG --log-prefix "IPT Drop: " $LOGOPT
$IPT -A LDROP -j DROP
$IPT -N LFLOOD
$IPT -A LFLOOD -j LOG --log-prefix "IPT Flood: " $LOGOPT
$IPT -A LFLOOD -j DROP
$IPT -N LFLAGS
$IPT -A LFLAGS -j LOG --log-prefix "IPT Flags: " $LOGOPT
$IPT -A LFLAGS -j DROP
$IPT -N LSHUN
$IPT -A LSHUN -j LOG --log-prefix "IPT Shun: " $LOGOPT
$IPT -A LSHUN -j DROP
$IPT -N LPRE
$IPT -A LPRE -j LOG --log-prefix "IPT PreRoute: " $LOGOPT
echo "Chains flushed and created"

#=================================
# Take care of the shunned IPs
#=================================
$IPT -N SHUN
for ip in $SHUNIP; do
    $IPT -A SHUN -s $ip -j LSHUN
    $IPT -A SHUN -d $ip -j LSHUN
done
$IPT -A INPUT -j SHUN
$IPT -A INPUT -j ACCEPT
$IPT -A OUTPUT -j SHUN
$IPT -A OUTPUT -j ACCEPT
$IPT --table nat --append POSTROUTING --out-interface $EXTNIC -j MASQUERADE
$IPT --append FORWARD --in-interface $INTNIC -j ACCEPT
echo "Done with SHUN IP's"

#=================================
# Forwards
#=================================
#$IPT -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128 # Put through squid
$IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 3389 -j DNAT --to-destination $WEBIP # Term Svc
$IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 80 -j DNAT --to-destination $WEBIP # HTTP Traffic
$IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 20 -j DNAT --to-destination $WEBIP # FTP
$IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 21 -j DNAT --to-destination $WEBIP # FTP
$IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 1755 -j DNAT --to-destination $WEBIP # Windows Media
$IPT -t nat -A PREROUTING -i $EXTNIC -p udp -d $EXTIP --dport 1755 -j DNAT --to-destination $WEBIP # Windows Media
echo "Done with Forwards"
echo "Firewall Complete"
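The script above only has one FORWARD rule, `--in-interface $INTNIC -j ACCEPT`, so the web server's outbound DNS and HTTP packets leave fine, but whether the replies coming back in on eth2 are forwarded depends entirely on the FORWARD chain's default policy, which the script never sets. The usual fix is a stateful FORWARD chain: accept packets that conntrack already knows about (ESTABLISHED,RELATED) and then list the NEW flows you actually want, both directions. The following is an added example written for this thread, not John's script or anything from the list; it reuses his interface and host names (eth2 outside, eth0 inside, 192.168.100.254 for the web server) and the 2.4-era `-m state` match that goes with the `ip_conntrack` modules he loads. It prints the rules rather than running them, so the set can be reviewed first; pass `apply` to execute them.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes John's names:
# EXTNIC=eth2 faces the internet, INTNIC=eth0 faces the LAN, WEBIP is the DNAT target.
IPT="${IPT:-/sbin/iptables}"
EXTNIC="eth2"
INTNIC="eth0"
WEBIP="192.168.100.254"

# Print the FORWARD-chain rules, one iptables command per line, so they can be
# reviewed (or diffed against a previous run) before they are applied.
forward_rules() {
    # Start from a closed chain so every permitted flow below is explicit.
    echo "$IPT -P FORWARD DROP"
    # Replies to tracked connections, in either direction. This is the rule the
    # original script lacks: without it the answers to the web server's outbound
    # DNS/HTTP queries are dropped as they come back in through $EXTNIC.
    # RELATED also covers FTP data connections once ip_nat_ftp is loaded.
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New outbound DNS and HTTP from the web server only, not from the whole LAN.
    echo "$IPT -A FORWARD -i $INTNIC -o $EXTNIC -s $WEBIP -p udp --dport 53 -m state --state NEW -j ACCEPT"
    echo "$IPT -A FORWARD -i $INTNIC -o $EXTNIC -s $WEBIP -p tcp --dport 53 -m state --state NEW -j ACCEPT"
    echo "$IPT -A FORWARD -i $INTNIC -o $EXTNIC -s $WEBIP -p tcp --dport 80 -m state --state NEW -j ACCEPT"
    # New inbound connections that PREROUTING has already DNAT'd. FORWARD sees the
    # packet after DNAT, so match on the internal address, not on $EXTIP.
    for port in 80 3389 21 1755; do
        echo "$IPT -A FORWARD -i $EXTNIC -o $INTNIC -d $WEBIP -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "$IPT -A FORWARD -i $EXTNIC -o $INTNIC -d $WEBIP -p udp --dport 1755 -j ACCEPT"
    # Anything else crossing the box is logged (rate-limited) and dropped, which
    # is also the quickest way to see which flow a new service is missing.
    echo "$IPT -A FORWARD -j LOG --log-prefix \"IPT FwdDrop: \" -m limit --limit 1/second"
    echo "$IPT -A FORWARD -j DROP"
}

# Number of commands the rule set produces (handy for a sanity check).
count_forward_rules() {
    forward_rules | wc -l | tr -d ' '
}

# With no argument only print the rules; "apply" feeds them to the shell.
if [ "${1:-}" = "apply" ]; then
    forward_rules | sh -e
else
    forward_rules
fi
```

On current kernels the same match is spelled `-m conntrack --ctstate ESTABLISHED,RELATED`, and the `ip_conntrack` / `ip_nat_ftp` modules are named `nf_conntrack` / `nf_nat_ftp`; the rule logic is unchanged. Because `-P FORWARD DROP` is the first command, insert the ESTABLISHED,RELATED line before any testing from the console, or an existing management session across the firewall will stall.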