Re: Access from inside proxy to server with apache

[Mart Frauenlob <mart.frauenlob@xxxxxxxxx>]

Javi Legido wrote:
> Hi.
>
> I have the following schema:
>
> [A]
>
> [Pc] (80) => (80) [Router] (80) => (80) [Server]
>
> [B]
>
> [Pc] (80) => (80) [Proxy] ¿? => (80) [Router] (80) => (80) [Server]
>
> More data:
>
> -The server has iptables and Apache
> -The router has port 80 tcp redirected to the server
>
> Troubleshooting:
>
> -When I 'switch on' iptables, schema [B] fails (schema [A] always works fine)
> -When I 'switch off' iptables, schema [B] works fine
>
> The output:
>
> ************************ iptables -S ***************************
>
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -s 192.168.1.31/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 192.168.1.30/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 4080 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 4080 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 23 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -j LOG --log-prefix "INPUT_"
> -A INPUT -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -p tcp -m tcp --dport 9999 -j ACCEPT
> -A FORWARD -p tcp -m tcp --dport 6882 -j ACCEPT
> -A FORWARD -p udp -m udp --dport 5865 -j ACCEPT
> -A FORWARD -p tcp -m tcp --dport 5865 -j ACCEPT
> -A FORWARD -p udp -m udp --dport 8443 -j ACCEPT
> -A FORWARD -p tcp -m tcp --dport 8443 -j ACCEPT
> -A FORWARD -p udp -m udp --dport 4666 -j ACCEPT
> -A FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT
> -A FORWARD -j LOG --log-prefix "FORWARD"
> -A FORWARD -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -o lo -j ACCEPT
>
> ******************** /var/log/messages ****************************
>
> Dec 17 12:32:24 servidor kernel: [1120947.846431] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56
> TOS=0x00 PREC=0x00 TTL=155 ID=31428 PROTO=ICMP TYPE=3 CODE=4
> [SRC=192.168.1.2 DST=public_ip_1 LEN=1500 TOS=0x00 PREC=0x00 TTL=63
> ID=16093 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
> Dec 17 12:32:54 servidor kernel: [1120979.925513] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:32:57 servidor kernel: [1120983.069334] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:32:57 servidor kernel: [1120983.693341] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:33:03 servidor kernel: [1120989.596154] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:33:03 servidor kernel: [1120990.224560] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:33:15 servidor kernel: [1121001.913149] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:33:15 servidor kernel: [1121002.550066] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=1
> Dec 17 12:33:46 servidor kernel: [1121034.571848] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31435 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=2
> Dec 17 12:33:47 servidor kernel: [1121035.592819] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31436 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=3
> Dec 17 12:33:48 servidor kernel: [1121036.789595] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31437 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=4
> Dec 17 12:33:49 servidor kernel: [1121037.817587] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31438 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=5
> Dec 17 12:33:50 servidor kernel: [1121038.945584] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31439 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=6
> Dec 17 12:33:51 servidor kernel: [1121039.974620] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31440 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=7
> Dec 17 12:33:52 servidor kernel: [1121040.974610] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31441 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=8
> Dec 17 12:33:53 servidor kernel: [1121041.978981] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31442 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=9
> Dec 17 12:33:54 servidor kernel: [1121042.991844] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31443 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=10
>
> **************************************** end
> *******************************************+
>
> Notice there are 2 different ip's: public_ip_2 and public_ip_1. Maybe
> there is the key...
>
> Can anybody helps me to make iptables let pass the traffic to the schema [B]?
>
> PD: I tested two simillar schemas [b]: two machines from inside a
> proxy, and the two machines failed to connect to server.
>
> Thanks in advice.
>
> Javier
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>   
hello,

you say traffic on port 80 is redirected. how?
i do not see any DNAT rules.
also if the destination address is changed by nat, the packets get 
routed over the other interface.
that is why you need to allow the traffic in the FORWARD chain.
i do not see any of those in your rules above.
if i understand it correctly and you have two external interfaces on the 
router, there are no rules either.
and with two external interfaces your routing could come into account. 
but you did not provide any
information about that.

greets

mart

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html