Solved

IPTABLES - Forwarding IP to APACHE with invalid IP

Posted on 2012-08-16
Medium Priority
877 Views
Last Modified: 2012-08-21
Hey,

I'm stuck trying to route port 80 to my Apache server; here is my setup:

1 Debian box as gateway with 2 NICs
eth0 = on a bridged modem using PPPoE to get the valid IP (VDSL connection, with static IP)
eth1 = 192.168.0.1 - my LAN

Modules
ip_tables
iptable_filter
iptable_mangle
iptable_nat
ipt_MASQUERADE
ipt_LOG
ipt_REDIRECT



Policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT



Rules
# Web Traffic
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d 192.168.0.3 -j ACCEPT
iptables -A FORWARD -o ppp0 -p udp -m multiport --dports 80,8080 -j ACCEPT
iptables -A FORWARD -o ppp0 -p tcp --dport 443 -j ACCEPT

# Bind 9
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -o ppp0 -p udp -m multiport --dports 53,5353 -j ACCEPT

iptables -t nat -A POSTROUTING -s 192 -o ppp0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 ppp0 -j DNAT --to 192.168.0.3

echo "1" > /proc/sys/net/ipv4/ip_forward



Sockets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT



1 Debian box with Apache
eth0 = 192.168.0.3

What am I missing to get Apache working?
All other PCs in the network can browse, with a few random disconnects...

Question by: Wisdown
8 Comments
 
LVL 41

Accepted Solution

by: noci (earned 1000 total points)
ID: 38304582
This one:
iptables -A FORWARD -o ppp0 -p udp -m multiport --dports 80,8080 -j ACCEPT

should have been:
iptables -A FORWARD -o ppp0 -p tcp -m multiport --dports 80,8080 -j ACCEPT

as HTTP is run over tcp streams.

Also your nat rule is lacking some network info:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
should be used.

Also, how would you connect to your webserver on this firewall if you forward the HTTP traffic to a backend (192.168.0.3)?
Also note that port 8080 isn't routed to the backend http server and that local access to port 8080 (INPUT) is not allowed.
 
LVL 1

Author Comment

by: Wisdown
ID: 38305878
The:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE

solved a problem accessing Yahoo / LinkedIn, where the page never finished loading until it timed out... (this issue is still happening on Experts Exchange, so I switched my connection to post here)
Thanks for this hint!!!

This line:
iptables -A FORWARD -o ppp0 -p tcp -m multiport --dports 80,8080 -j ACCEPT

was correct, I just wrote it wrong :(

Trying to make things easier, I removed eth1, so now I only have eth0 and ppp0, and I get my IP from ppp0. So how are people from the internet going to be able to connect to my other PC running Apache if I don't redirect port 80? I didn't get this part:

Also how would you connect to your webserver on this firewall if you forward the HTTP traffic to a backend (192.168.0.3).

The firewall is on my gateway, Debian 1 (192.168.0.1); Apache is on another PC, Debian 2 (192.168.0.3).
 
LVL 41

Expert Comment

by: noci
ID: 38305927
Then you most probably need to NAT 80 and 8080 as well as 443.
 
LVL 1

Author Comment

by: Wisdown
ID: 38306194
I have added this:
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 80 -j DNAT --to 192.168.0.3:80
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 8080 -j DNAT --to 192.168.0.3:8080
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 8081 -j DNAT --to 192.168.0.3:8081
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 443 -j DNAT --to 192.168.0.3:443

iptables -A OUTPUT  -p tcp -m tcp -m multiport --dports 22,80,443,25,143,8080,8081 -m state --state NEW -j ACCEPT
iptables -A INPUT   -p tcp -m tcp -m multiport --dports 22,80,443,25,143,8080,8081 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -m tcp -m multiport --dports 22,80,443,25,143,8080,8081 -m state --state NEW -j ACCEPT

Still not working, any other hint?
If I set the hosts file on another PC to point the domain to 192.168.0.3 (the IP of Debian 2 running Apache) I can see the websites.

Then I removed the hosts config, restarted the PC, and had no luck trying to access the websites over the web.
 
LVL 41

Expert Comment

by: noci
ID: 38306361
When using --state NEW ....

you need a first rule
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

This is to allow the trailing packets, as with stateful inspection you only inspect the first packet of a stream. (--state NEW filters the first packet of a stream...)
 
LVL 1

Author Comment

by: Wisdown
ID: 38311538
Sorry for the delay in answering, I was traveling...

I checked my home server and noticed the service was running; the "problem" was happening when I tried to access the domains from my local network. I know I can access them by adding each domain to my hosts file, but is there another way?

Trying to access them using my connection (the one with the static IP) I get stuck in a loop and then a timeout. If I use another connection, the domains are fine...
 
LVL 41

Expert Comment

by: noci
ID: 38313704
Then you most probably need to set up your DNS servers correctly.
In Unix/Linux you need to set up the /etc/resolv.conf file.
You need to know the IP addresses of your DNS servers [given by your ISP].

They need to be added to /etc/resolv.conf as:

nameserver ip.ad.dr.ess

Each on a separate line.
 
LVL 1

Author Comment

by: Wisdown
ID: 38319024
I gave up trying to set up the Debian box and gave pfSense a try...
Answering the installer's questions using my previous setup, everything is working now...

Dunno what the setup did, but at least I got this up finally.
Thanks for trying to help anyway.