On Tue, 2011-01-25 at 22:43 +0530, Jatin K wrote:
> setup is like ADSL----> NIC 1 of firewall NIC 2 connects to the
> webserver
>
> if any request arrives to live ip on ADSL Router it sends it to the
> firewall ( I've tested it by running httpd on firewall and it works
> fine )

Okay, I've done something similar in the past: dial-up modem to gateway
box (firewall and NAT), with a webserver on another box further inside
the LAN.

Looking through my old firewall configuration file, I had, on the
firewall:

  default input rules set to drop
  default output rules set to allow
  input accept rule for this traffic
  temporary input log rule for this traffic (for debugging)
  input nat table prerouting rule for this traffic
  input accept state rule for established & related
  temporary input log state rule for established & related

And, on the internal webserver:

  default input rules set to drop
  default output rules set to allow
  input accept rule for this traffic
  input accept state rule for established & related

You can play around with putting log rules ahead of your accept and
redirect rules, to see attempts that may or may not get through. And
log rules after them, to show what did get through.

And, since you're playing with NAT, the end of the firewall rule script
would have something like:

  iptables --table nat --append POSTROUTING --out-interface ppp+ --jump MASQUERADE
  echo 1 > /proc/sys/net/ipv4/ip_forward

It's been a hell of a long time since I've had to do this, but I
suspect your problem may be to do with firewall rules on the web server
box, inside your LAN. External IP addresses disallowed through the LAN
interface, perhaps?

These days I do it all on the modem/router. Its firewall is up. It
only allows through a webserver on occasions I'm temporarily running one
(with a forwarding rule on the modem/router). All the client computers
run their own firewalls. My public website is hosted externally. Where
*they* have to deal with spam, security, uptime.
And I don't have to keep a permanent IP, nor permanently running computer.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.
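
The gateway rule layout listed in the message above, written out as an added example that is not part of the original message or the poster's own script: a shell function that emits an `iptables-restore` ruleset with the log rules placed before the redirect and before the accept. Because traffic redirected to another host is filtered in the FORWARD chain rather than INPUT, the sketch puts the accept and log rules there; the interface names (`eth0`, `eth1`), the address `192.168.2.10`, the function name and the log prefixes are assumptions.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a gateway that
# forwards inbound web traffic to one internal server. All names are assumed.
gen_ruleset() {
    wan_if=$1 lan_if=$2 web_ip=$3 port=${4:-80}
    # Refuse values that could smuggle extra rule text into the output.
    case "$wan_if" in ''|*[!A-Za-z0-9_.+-]*) return 1 ;; esac
    case "$lan_if" in ''|*[!A-Za-z0-9_.+-]*) return 1 ;; esac
    case "$web_ip" in ''|*[!0-9.]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Log every attempt first, then rewrite its destination.
-A PREROUTING -i $wan_if -p tcp --dport $port -j LOG --log-prefix "fw-dnat-try: "
-A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $web_ip:$port
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections to the web server: log what is about to be accepted.
-A FORWARD -i $wan_if -o $lan_if -d $web_ip -p tcp --dport $port -m state --state NEW -j LOG --log-prefix "fw-fwd-ok: "
-A FORWARD -i $wan_if -o $lan_if -d $web_ip -p tcp --dport $port -m state --state NEW -j ACCEPT
# LAN hosts may open connections outward; anything else is logged, then
# dropped by the chain policy.
-A FORWARD -i $lan_if -o $wan_if -j ACCEPT
-A FORWARD -j LOG --log-prefix "fw-fwd-drop: "
COMMIT
EOF
}

# Run as: sh gen_ruleset.sh eth0 eth1 192.168.2.10 [port]
if [ "$#" -ge 3 ]; then gen_ruleset "$@"; fi
```

As root, piping the output into `iptables-restore --test` parses the ruleset without committing it. Forwarding also needs the `ip_forward` setting shown in the message.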