Wisdown
asked on
IPTABLES - Forwarding IP to APACHE with invalid IP
Hey,
I'm stuck trying to route port 80 to my Apache server; here is my setup:
1 Debian box as gateway with 2 NICs
eth0 = on a bridged modem, using PPPoE to get the valid IP (VDSL connection with a static IP)
eth1 = 192.168.0.1 - my LAN
Modules
ip_tables
iptable_filter
iptable_mangle
iptable_nat
ipt_MASQUERADE
ipt_LOG
ipt_REDIRECT
Policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Rules
# Web Traffic
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d 192.168.0.3 -j ACCEPT
iptables -A FORWARD -o ppp0 -p udp -m multiport --dports 80,8080 -j ACCEPT
iptables -A FORWARD -o ppp0 -p tcp --dport 443 -j ACCEPT
# Bind 9
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -o ppp0 -p udp -m multiport --dports 53,5353 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192 -o ppp0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 ppp0 -j DNAT --to 192.168.0.3
echo "1" > /proc/sys/net/ipv4/ip_forward
Sockets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
1 Debian box with Apache
eth0 = 192.168.0.3
What am I missing to get Apache working?
All other PCs on the network can browse, with a few random disconnects...
ASKER CERTIFIED SOLUTION
Then you most probably need to NAT 80 and 8080 as well as 443.
ASKER
I have added this:
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 80 -j DNAT --to 192.168.0.3:80
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 8080 -j DNAT --to 192.168.0.3:8080
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 8081 -j DNAT --to 192.168.0.3:8081
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 443 -j DNAT --to 192.168.0.3:443
iptables -A OUTPUT -p tcp -m tcp -m multiport --dports 22,80,443,25,143,8080,8081 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -m tcp -m multiport --dports 22,80,443,25,143,8080,8081 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -m tcp -m multiport --dports 22,80,443,25,143,8080,8081 -m state --state NEW -j ACCEPT
Still not working, any other hint?
If I set the hosts file on another PC to point the domain to 192.168.0.3 (the IP of Debian 2 running Apache) I can see the websites.
Then I removed the hosts config, restarted the PC, and had no luck trying to access the websites from the web.
When using --state NEW ...
you need a first rule:
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
This is to allow the trailing packets, as with stateful inspection you only inspect the first packet of a stream (--state NEW filters the first packet of a stream...).
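As an added example (not the asker's ruleset and not the expert's reply), here is the gateway policy from the first post rebuilt in the order the expert describes: the RELATED,ESTABLISHED rules first, the uplink named with `-i` in the DNAT rule (the first post's `--dport 80 ppp0` is a syntax error iptables rejects), the MASQUERADE source written as the full /24 rather than `-s 192`, and default-deny policies instead of `-P INPUT ACCEPT` / `-P FORWARD ACCEPT`, which make every ACCEPT rule decorative and leave the gateway and the whole LAN reachable. Interface names, the /24 and the server address come from the thread; the published port list, the `APPLY` dry-run switch and the DNS/SSH/ICMP rules on the gateway itself are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not the asker's script or the expert's reply.
# Gateway ruleset for: ppp0 = PPPoE uplink, eth1 = 192.168.0.1/24 LAN,
# Apache on 192.168.0.3 (all from the thread). Published ports, the dry-run
# switch and the DNS/SSH/ICMP rules are assumptions.
#
# Default is a dry run that prints the commands; APPLY=1 executes them (as root).
set -eu
if [ "${APPLY:-0}" = 1 ]; then RUN=""; else RUN="echo"; fi

WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # not "-s 192": the subnet must be written out in full
WEB_SRV="${WEB_SRV:-192.168.0.3}"
WEB_PORTS="${WEB_PORTS:-80,443}"       # assumption: add 8080,8081 only if something listens there

gateway_rules() {
    # 1. Start clean, with default-deny for traffic to and through the gateway.
    #    With the thread's "-P INPUT ACCEPT / -P FORWARD ACCEPT" every ACCEPT rule
    #    below is decorative and the whole LAN is reachable through the box.
    $RUN iptables -F
    $RUN iptables -t nat -F
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT ACCEPT

    # 2. Connection-tracking rules first, so every later rule only has to
    #    describe the first packet of a flow. (Use "-m state --state" on kernels
    #    too old for the conntrack match.)
    $RUN iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A INPUT   -m conntrack --ctstate INVALID -j DROP
    $RUN iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # 3. Services on the gateway itself: loopback, BIND 9 and SSH from the LAN only.
    $RUN iptables -A INPUT -i lo -j ACCEPT
    $RUN iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $RUN iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    $RUN iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $RUN iptables -A INPUT -p icmp -j ACCEPT

    # 4. Port forward. DNAT runs in nat/PREROUTING before routing; the packet then
    #    reaches filter/FORWARD with $WEB_SRV as its destination, which is what the
    #    FORWARD rule must match. Note "-i $WAN_IF": the interface is an option
    #    argument; a bare "ppp0" on the command line is a syntax error.
    $RUN iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -m multiport --dports "$WEB_PORTS" \
        -j DNAT --to-destination "$WEB_SRV"
    $RUN iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SRV" -p tcp \
        -m multiport --dports "$WEB_PORTS" -m conntrack --ctstate NEW -j ACCEPT

    # 5. LAN egress plus source NAT on the uplink (what lets the other PCs browse).
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    $RUN iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # 6. Enable routing only after the policy is loaded.
    $RUN sysctl -w net.ipv4.ip_forward=1
}

gateway_rules
```

Run it once without `APPLY` to read the generated commands, then `APPLY=1 sh gateway.sh` as root. A quick check after applying: `iptables -t nat -L PREROUTING -n -v` should show the DNAT rule's packet counter increasing when an outside host connects to the public address, and `iptables -L FORWARD -n -v` should show the matching FORWARD rule counting the same SYNs; a DNAT counter that grows while the FORWARD counter stays at zero means the packet is being dropped after translation, which is the symptom of a FORWARD rule written against the public address instead of 192.168.0.3.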
ASKER
Sorry for the delay in answering, I was traveling...
I checked my home server and noticed the service was running; the "problem" was happening when I tried to access the domains from my local network. I know I can access them by adding each domain to my hosts file, but is there another way?
Trying to access them using my connection (the one with the static IP), I get stuck in a loop and then a timeout. If I use another connection, the domains are fine...
Then you most probably need to set up your DNS servers correctly.
In Unix/Linux you need to set up the /etc/resolv.conf file.
You need to know the IP addresses of your DNS servers [given by your ISP].
They need to be added to /etc/resolv.conf as:
nameserver ip.ad.dr.ess
Each on a separate line.
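The symptom the asker describes (sites reachable from an outside connection, but a hang and timeout when a LAN client uses the public address, while pointing the hosts file at 192.168.0.3 works) is what hairpin NAT, also called NAT reflection, exists for. The DNAT rule in the second post only matches `-i ppp0`, so a LAN client's packet to the public IP is never translated; and even if it were, the server would answer the client directly from 192.168.0.3, which the client discards because it sent its SYN to the public IP. The following is an added example, not code from the thread: it adds the two translations plus the FORWARD rule. LAN interface, subnet, gateway and server addresses come from the thread; the public address is a placeholder assumption (set `PUBLIC_IP` to the real static IP), and the `APPLY` dry-run switch is mine.

```shell
#!/bin/sh
# Added example, not from the thread: hairpin NAT (NAT reflection) so a LAN
# client can open http://<public IP>/ and land on the Apache box behind the
# same gateway. LAN interface, subnet, gateway and server addresses come from
# the thread; the public address is a placeholder (assumption), set PUBLIC_IP
# to the real one. Dry run by default, APPLY=1 executes (as root).
set -eu
if [ "${APPLY:-0}" = 1 ]; then RUN=""; else RUN="echo"; fi

LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
LAN_GW="${LAN_GW:-192.168.0.1}"
WEB_SRV="${WEB_SRV:-192.168.0.3}"
WEB_PORTS="${WEB_PORTS:-80,443}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder from the TEST-NET-3 range, not the asker's address

hairpin_rules() {
    # 1. A LAN client addressing the public IP never arrives on ppp0, so the
    #    "-i ppp0" DNAT rule does not see it. Rewrite the destination for LAN traffic too.
    $RUN iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUBLIC_IP" -p tcp \
        -m multiport --dports "$WEB_PORTS" -j DNAT --to-destination "$WEB_SRV"

    # 2. After DNAT alone the server would reply straight to the client from
    #    192.168.0.3; the client sent its SYN to the public IP, so it discards that
    #    reply and the connection hangs. Rewriting the source to the gateway's LAN
    #    address forces the reply back through the gateway, where conntrack reverses
    #    both translations. "-s $LAN_NET" keeps this off WAN-originated connections,
    #    so Apache still sees real client addresses for those.
    $RUN iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$WEB_SRV" -p tcp \
        -m multiport --dports "$WEB_PORTS" -j SNAT --to-source "$LAN_GW"

    # 3. The reflected flow enters and leaves on the LAN interface; allow it in FORWARD.
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$WEB_SRV" -p tcp \
        -m multiport --dports "$WEB_PORTS" -m conntrack --ctstate NEW -j ACCEPT
}

hairpin_rules
```

The cost of hairpin NAT is that Apache logs every LAN visitor as 192.168.0.1. Since the gateway already runs BIND 9, the cleaner alternative is split-horizon DNS: serve the domains to LAN clients with A records pointing at 192.168.0.3 (a BIND view for the 192.168.0.0/24 range), which is what the asker's per-PC hosts-file workaround does by hand. Either approach removes the dependency on the public address from inside the network; hairpin NAT is the one to use when the zone is hosted elsewhere and cannot be overridden locally.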
ASKER
I gave up trying to set up the Debian box and gave pfSense a try...
Answering the installer's questions using my previous setup, everything is working now...
Dunno what the setup did, but at least I got this up finally.
Thanks for trying to help anyway.
ASKER
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
Solved a problem accessing Yahoo / LinkedIn, where the page never finished loading until it timed out... (this issue is still happening on Experts Exchange, so I switched my connection to post here)
Thanks for this hint!!!
This line:
iptables -A FORWARD -o ppp0 -p tcp -m multiport --dports 80,8080 -j ACCEPT
was correct, I just wrote it wrong :(
Trying to make things easier, I removed eth1; now I only have eth0 and ppp0, and I get my IP from ppp0. So how are people from the internet going to be able to connect to my other PC running Apache if I don't redirect port 80? I didn't get this part:
The firewall is on my gateway, Debian 1 (192.168.0.1); Apache is on another PC, Debian 2 (192.168.0.3).