Re: Opening :80 through a NATing iptables firewall.
Robb,
I have these rules in my /etc/init.d/firewall script:
# accept packets on port 80
/sbin/iptables -A INPUT -j ACCEPT -p tcp -i $externint \
-d $externip --dport http
# rewrite their destination
/sbin/iptables -t nat -A PREROUTING -p tcp -d $externip --dport http \
-j DNAT --to $webserver:80
# I believe the new packet will pass through the forward chain too
# Is this correct?
/sbin/iptables -P FORWARD ACCEPT
# If you want to use the external address to access the web server from an
# _internal_ machine, you need to trick the server into thinking the
# request is coming from the firewall...
# ($localip is the firewalls local ip address)
/sbin/iptables -t nat -I POSTROUTING -d $webserver -s $localnet -p tcp \
-j SNAT --to $localip
# Allow all packets to LAN
/sbin/iptables -A OUTPUT -j ACCEPT -o $localint \
-s $localnet -d $localnet
I don't remember the details... will these packets pass through the input,
forward _and_ output chains?
Roger.
On Fri, 28 Sep 2001, Robb Kidd wrote:
> I'd just like to say how much you folks on the Debian lists rock. I've
> been lurking for quite a while[1] and have seen more helpfulness and
> ..eh.. cheer(?) towards your fellow users than on any other mailing list.
>
> Vineet Kumar wrote:
>
> > Looks good to me, though I'd be surprised if it works without also
> > adding this rule [...]:
> >
> > iptables -A FORWARD -o $INETDEV -i $LANDEV -s 192.168.1.10 -j ACCEPT \
> > -m state --state ESTABLISHED,RELATED
> >
> > or maybe you already had a more general rule allowing outbound traffic
> > to be forwarded from your lan to the Internet, in which case you don't
> > need to add anything and it should already be working.
>
>
> Indeed I had a more general rule[2] to let other computers inside the
> firewall play.
>
>
> > From my experience, though, you're doing things correctly! If there's a
> > better way to do it, I've never seen it.
>
>
> Whew! Thanks. This was bothering me. It was entirely too easy, so I
> was certain I'd left some great, gaping hole.
>
>
> [1] Trying to absorb knowledge from the collective, y'know.
>
> [2] iptables -A FORWARD -i $LANDEV -d $ANYWHERE -m state \
> --state ESTABLISHED,RELATED -j ACCEPT
>
>
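An added example, not from the original post or from anyone in this thread: a complete ruleset for the setup Roger and Robb describe (DNAT of port 80 on the external address to an internal web server, plus the hairpin SNAT for LAN clients), written as a script that emits the iptables commands so they can be reviewed before being run as root. It follows the packet path a DNATed connection actually takes: nat/PREROUTING rewrites the destination, then the routing decision sends the packet to filter/FORWARD and nat/POSTROUTING; INPUT and OUTPUT are only seen by packets destined for or generated by the firewall itself, so the filter rules that matter live in FORWARD, and a default-deny FORWARD policy with explicit accepts is used instead of an open one. All interface names and addresses below are assumed placeholders. `-m state` is kept to match the page's convention; `--to-destination` is the long form of the `--to` used in the post; `-m conntrack --ctstate DNAT` is a newer match (not available in the 2001-era iptables) that restricts the hairpin SNAT to connections that were actually DNATed, so the server still logs real client addresses for everything else.

```shell
#!/bin/sh
# Added example (not from the original post): a complete DNAT port-forward
# ruleset, emitted as text so it can be reviewed, or applied as root with
#   sh -c "$(sh ./dnat-rules.sh)"
# Every interface name and address below is an assumption; change to taste.
IPT=/sbin/iptables
EXTERNINT=eth0            # interface facing the Internet
LOCALINT=eth1             # interface facing the LAN
EXTERNIP=203.0.113.10     # firewall's public address (documentation range)
LOCALIP=192.168.1.1       # firewall's LAN address
LOCALNET=192.168.1.0/24   # the LAN
WEBSERVER=192.168.1.10    # internal web server

# Packet path for a DNATed connection (INPUT/OUTPUT are never involved):
#   nat/PREROUTING (rewrite dst) -> routing decision -> filter/FORWARD
#   -> nat/POSTROUTING.  Replies are un-NATed by connection tracking.
gen_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# --- filter table: default deny for forwarded traffic
$IPT -P FORWARD DROP
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN may open connections outward (this also covers the hairpin case)
$IPT -A FORWARD -i $LOCALINT -s $LOCALNET -m state --state NEW -j ACCEPT
# Internet may open connections only to the web server's port 80; matched on
# the post-DNAT destination because FORWARD runs after nat/PREROUTING
$IPT -A FORWARD -i $EXTERNINT -o $LOCALINT -p tcp -d $WEBSERVER --dport 80 -m state --state NEW -j ACCEPT
# --- nat table: rewrite dst for anyone (outside or inside) hitting EXTERNIP:80
$IPT -t nat -A PREROUTING -p tcp -d $EXTERNIP --dport 80 -j DNAT --to-destination $WEBSERVER:80
# Hairpin: for LAN clients also rewrite src, so the server's reply returns via
# the firewall (which un-DNATs it) instead of reaching the client directly
# from an address it never connected to. Limited to DNATed connections.
$IPT -t nat -A POSTROUTING -o $LOCALINT -s $LOCALNET -d $WEBSERVER -p tcp --dport 80 -m conntrack --ctstate DNAT -j SNAT --to-source $LOCALIP
EOF
}

# Number of rules appended to a given chain. A count of 0 for INPUT and
# OUTPUT shows that forwarded (DNATed) traffic is governed entirely by FORWARD.
rule_count() {
  gen_rules | grep -c -- "-A $1 " || true
}

# When run directly: print the ruleset for review.
gen_rules
```

To apply, run the emitted lines as root after flushing any previous rules; `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` then show packet counters climbing on the DNAT and FORWARD rules for a test connection from outside, and on the POSTROUTING SNAT rule only for a hairpin connection from the LAN.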