
Re: Opening :80 through a NATing iptables firewall.


I have these rules in my /etc/init.d/firewall script:

# accept packets on port 80
/sbin/iptables -A INPUT -j ACCEPT -p tcp -i $externint \
                        -d $externip --dport http

# rewrite their destination
/sbin/iptables -t nat -A PREROUTING -p tcp -d $externip --dport http \
                        -j DNAT --to $webserver:80

# I believe the new packet will pass through the forward chain too
# Is this correct?
/sbin/iptables -P FORWARD ACCEPT

# If you want to use the external address to access the web server from an
# _internal_ machine, you need to trick the server into thinking the
# request is coming from the firewall...
# ($localip is the firewalls local ip address)
/sbin/iptables -t nat -I POSTROUTING -d $webserver -s $localnet -p tcp \
                        -j SNAT --to $localip

# Allow all packets to LAN
/sbin/iptables -A OUTPUT -j ACCEPT -o $localint \
                        -s $localnet -d $localnet

I don't remember the details... will these packets pass through the input,
forward _and_ output chains?


On Fri, 28 Sep 2001, Robb Kidd wrote:

> 	I'd just like to say how much you folks on the Debian lists rock.  I've
> been lurking for quite a while[1] and have seen more helpfulness and
> ..eh.. cheer(?) towards your fellow users than on any other mailing list.
> Vineet Kumar wrote:
> > Looks good to me, though I'd be surprised if it works without also
> > adding this rule [...]:
> >
> > iptables -A FORWARD -o $INETDEV -i $LANDEV -s -j ACCEPT \
> >  -m state --state ESTABLISHED,RELATED
> >
> > or maybe you already had a more general rule allowing outbound traffic
> > to be forwarded from your lan to the Internet, in which case you don't
> > need to add anything and it should already be working.
> 	Indeed I had a more general rule[2] to let other computers inside the
> firewall play.
> > From my experience, though, you're doing things correctly! If there's a
> > better way to do it, I've never seen it.
> 	Whew!  Thanks.  This was bothering me.  It was entirely too easy, so I
> was certain I'd left some great, gaping hole.
> [1] Trying to absorb knowledge from the collective, y'know.
> [2] iptables -A FORWARD -i $LANDEV -d $ANYWHERE -m state \

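What the posted rules do to a packet, as an added example that is not part of the original post or the poster's firewall script: a small Python model of the netfilter hook order (nat PREROUTING, routing decision, filter INPUT or FORWARD, nat POSTROUTING) applied to the rules above. The interface names and addresses are constructed placeholders standing in for $externint, $localint, $externip, $localip, $localnet and $webserver, and trace() is a simplified model, not a real iptables implementation. It traces four packets and answers the question in the post: a DNAT'd packet is rewritten in nat PREROUTING, then passes the routing decision and filter FORWARD, then nat POSTROUTING; it never visits INPUT or OUTPUT.

```python
"""Model of the path a packet takes through the rules posted above.

Added example, not the poster's script: interfaces and addresses are
constructed placeholders for the script's variables, and trace() is a
simplified model of the netfilter hook order, not real iptables.
"""
from dataclasses import dataclass, replace
import ipaddress

# Constructed placeholders for the variables used in the posted script.
EXTERNINT, LOCALINT = "eth0", "eth1"
EXTERNIP, LOCALIP = "203.0.113.10", "192.168.1.1"
LOCALNET = ipaddress.ip_network("192.168.1.0/24")
WEBSERVER = "192.168.1.20"
HTTP = 80


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def in_localnet(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LOCALNET


def trace(pkt: Packet):
    """Return (chains visited, verdict, packet as it leaves the firewall)."""
    path = []

    # nat PREROUTING: the DNAT rule rewrites the destination before routing.
    path.append("nat:PREROUTING")
    if pkt.proto == "tcp" and pkt.dst == EXTERNIP and pkt.dport == HTTP:
        pkt = replace(pkt, dst=WEBSERVER, dport=HTTP)
        path.append(f"DNAT->{WEBSERVER}")

    # Routing decision on the rewritten destination: a packet for one of the
    # firewall's own addresses goes to INPUT, anything else to FORWARD.
    # OUTPUT only sees packets the firewall generates itself, so a transit
    # packet never visits it.
    if pkt.dst in (EXTERNIP, LOCALIP):
        path.append("filter:INPUT")
        if (pkt.in_iface == EXTERNINT and pkt.dst == EXTERNIP
                and pkt.proto == "tcp" and pkt.dport == HTTP):
            return path, "ACCEPT (INPUT rule)", pkt
        # The posted script sets no INPUT policy, so just report fall-through.
        return path, "INPUT policy", pkt

    # filter FORWARD: the script posts no FORWARD rules, only
    # `-P FORWARD ACCEPT`, so every transit packet is accepted by policy.
    path.append("filter:FORWARD")
    verdict = "ACCEPT (FORWARD policy)"

    # nat POSTROUTING: the hairpin SNAT rule fires only for LAN sources
    # talking to the web server, so its replies come back via the firewall.
    path.append("nat:POSTROUTING")
    if pkt.proto == "tcp" and pkt.dst == WEBSERVER and in_localnet(pkt.src):
        pkt = replace(pkt, src=LOCALIP)
        path.append(f"SNAT->{LOCALIP}")
    return path, verdict, pkt


if __name__ == "__main__":
    cases = {
        "Internet client to $externip:80":
            Packet(EXTERNINT, "198.51.100.7", EXTERNIP, 80),
        "LAN client to $externip:80 (hairpin)":
            Packet(LOCALINT, "192.168.1.50", EXTERNIP, 80),
        "Internet client to $externip:22":
            Packet(EXTERNINT, "198.51.100.7", EXTERNIP, 22),
        "packet on $externint addressed straight to $webserver":
            Packet(EXTERNINT, "198.51.100.7", WEBSERVER, 22),
    }
    for name, pkt in cases.items():
        path, verdict, out = trace(pkt)
        print(f"{name}:\n  {' -> '.join(path)}\n  {verdict};"
              f" leaves as {out.src} -> {out.dst}:{out.dport}")
```

Two things the trace makes visible. The INPUT rule for port 80 never matches: DNAT in PREROUTING rewrites the destination before the routing decision, so a packet for $externip:80 is routed onward rather than delivered locally, and lands in FORWARD. And because the only FORWARD setting is `-P FORWARD ACCEPT`, the fourth case shows that any packet arriving on the external interface with an internal destination is forwarded as well; the usual fix is a DROP policy on FORWARD with explicit accepts, one for the DNAT'd flow (`-i $externint -d $webserver -p tcp --dport 80`), one for LAN-to-Internet traffic and one for ESTABLISHED,RELATED return traffic, which is the kind of rule the quoted reply above is discussing.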