iptables and NAT

Tim ignored_mailbox at yahoo.com.au
Wed Jan 26 04:27:07 UTC 2011


On Tue, 2011-01-25 at 22:43 +0530, Jatin K wrote:
> Setup is like: ADSL ----> NIC 1 of firewall; NIC 2 connects to the
> webserver
>  
> If any request arrives at the live IP on the ADSL router, it sends it to the
> firewall (I've tested it by running httpd on the firewall and it works
> fine).

Okay, I've done something similar in the past:

dial-up modem to gateway box (firewall and NAT), with a webserver on
another box further inside the LAN.

Looking through my old firewall configuration file, I had, on the
firewall:

default input rules set to drop
default output rules set to allow
input accept rule for this traffic
temporary input log rule for this traffic (for debugging)
input nat table prerouting rule for this traffic
input accept state rule for established & related
temporary input log state rule for established & related

And, on the internal webserver:

default input rules set to drop
default output rules set to allow
input accept rule for this traffic
input accept state rule for established & related

You can play around with putting log rules ahead of your accept and
redirect rules, to see attempts that may or may not get through.  And
log rules after them, to show what did get through.

And, since you're playing with NAT, the end of the firewall rule script
would have something like:

iptables --table nat --append POSTROUTING --out-interface ppp+ --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

It's been a hell of a long time since I've had to do this, but I suspect
your problem may be to do with firewall rules on the web server box,
inside your LAN.  External IP addresses disallowed through the LAN
interface, perhaps?

These days I do it all on the modem/router.  Its firewall is up.  It
only allows through a webserver on occasions I'm temporarily running one
(with a forwarding rule on the modem/router).  All the client computers
run their own firewalls.

My public website is hosted externally.  Where *they* have to deal with
spam, security, uptime.  And I don't have to keep a permanent IP, nor
permanently running computer.

-- 
[tim at localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
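The two rule lists above (gateway box, then internal webserver) written out as a dry-run POSIX shell script. This is an added example, not code from the original post or from Tim; interface names (ppp0 for the ADSL side, eth1 for the LAN side), the webserver address 192.168.1.10 and the LAN subnet 192.168.1.0/24 are constructed placeholders, and the script prints the commands unless IPT=iptables and SYSCTL=sysctl are set. Two points the lists gloss over: on the gateway, packets DNATed to the internal box traverse the FORWARD chain rather than INPUT, so that is where the accept and log rules for "this traffic" belong; and after DNAT the webserver still sees the client's public source address, which is why a LAN-only source restriction on the webserver's input rule (Tim's closing suspicion) blocks exactly this traffic. The last function shows that broken variant beside the working one.

```shell
#!/bin/sh
# Added example (not from the original post): gateway and webserver rule sets
# for forwarding inbound HTTP through a NAT gateway to an internal host.
# All names and addresses below are constructed placeholders.
WAN_IF="${WAN_IF:-ppp0}"              # NIC 1, ADSL side (assumed name)
LAN_IF="${LAN_IF:-eth1}"              # NIC 2, LAN side (assumed name)
WEB_IP="${WEB_IP:-192.168.1.10}"      # internal webserver (constructed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # LAN subnet (constructed)
# Dry run by default: print the commands instead of executing them.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# Rules for the firewall/NAT box (the first list in the reply).
gateway_rules() {
    # default input rules set to drop; forwarded traffic gets a drop default too
    $IPT --policy INPUT DROP
    $IPT --policy FORWARD DROP
    $IPT --policy OUTPUT ACCEPT
    # loopback, and replies to connections the gateway itself opened
    $IPT --append INPUT --in-interface lo --jump ACCEPT
    $IPT --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
    # nat table prerouting rule: rewrite inbound port 80 to the internal webserver
    $IPT --table nat --append PREROUTING --in-interface "$WAN_IF" \
        --protocol tcp --dport 80 --jump DNAT --to-destination "$WEB_IP":80
    # DNATed packets go through FORWARD, not INPUT: temporary log rule first,
    # then the accept rule, so every attempt is visible while debugging
    $IPT --append FORWARD --in-interface "$WAN_IF" --out-interface "$LAN_IF" \
        --protocol tcp --destination "$WEB_IP" --dport 80 \
        --match state --state NEW --jump LOG --log-prefix "web-in: "
    $IPT --append FORWARD --in-interface "$WAN_IF" --out-interface "$LAN_IF" \
        --protocol tcp --destination "$WEB_IP" --dport 80 \
        --match state --state NEW --jump ACCEPT
    # LAN hosts out to the internet, and the return half of every forwarded flow
    $IPT --append FORWARD --in-interface "$LAN_IF" --out-interface "$WAN_IF" --jump ACCEPT
    $IPT --append FORWARD --match state --state ESTABLISHED,RELATED --jump ACCEPT
    # the two lines quoted for the end of the firewall script
    $IPT --table nat --append POSTROUTING --out-interface "$WAN_IF" --jump MASQUERADE
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Rules for the internal webserver (the second list in the reply).
webserver_rules() {
    $IPT --policy INPUT DROP
    $IPT --policy OUTPUT ACCEPT
    $IPT --append INPUT --in-interface lo --jump ACCEPT
    $IPT --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
    # New HTTP connections from ANY source: after DNAT the packet still carries
    # the client's public address, so no LAN-only source restriction here.
    $IPT --append INPUT --protocol tcp --dport 80 --match state --state NEW --jump ACCEPT
}

# The broken variant the reply suspects: same rules, but port 80 is only
# accepted from LAN addresses, so every forwarded request is silently dropped.
webserver_rules_lan_only() {
    $IPT --policy INPUT DROP
    $IPT --policy OUTPUT ACCEPT
    $IPT --append INPUT --in-interface lo --jump ACCEPT
    $IPT --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
    $IPT --append INPUT --source "$LAN_NET" --protocol tcp --dport 80 \
        --match state --state NEW --jump ACCEPT
}

# Usage: sh nat-web.sh gateway|webserver                    (dry run, prints)
#        IPT=iptables SYSCTL=sysctl sh nat-web.sh gateway   (apply, as root)
case "${1:-}" in
    gateway)   gateway_rules ;;
    webserver) webserver_rules ;;
esac
```

Running it with no arguments prints nothing; pass `gateway` on the firewall box and `webserver` on the internal host, and diff the dry-run output against `iptables-save` on the real machine when chasing the kind of silent drop described above.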
