iptables - Forwarding IP to Apache with invalid IP

Hey,

I'm stuck trying to route port 80 to my Apache server; here is my setup:

1 Debian as gateway with 2 NICs
eth0 = on a bridged modem, using PPPoE to get the valid IP (VDSL connection - with static IP)
eth1 = 192.168.0.1 - my LAN

Modules
ip_tables
iptable_filter
iptable_mangle
iptable_nat
ipt_MASQUERADE
ipt_LOG
ipt_REDIRECT



Policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT



Rules
# Web Traffic
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d 192.168.0.3 -j ACCEPT
iptables -A FORWARD -o ppp0 -p udp -m multiport --dports 80,8080 -j ACCEPT
iptables -A FORWARD -o ppp0 -p tcp --dport 443 -j ACCEPT

# Bind 9
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -o ppp0 -p udp -m multiport --dports 53,5353 -j ACCEPT

iptables -t nat -A POSTROUTING -s 192 -o ppp0 -j MASQUERADE
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.3

echo "1" > /proc/sys/net/ipv4/ip_forward



Sockets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT



1 Debian with Apache
eth0 = 192.168.0.3

What am I missing to get Apache working?
All other PCs on the network can browse, with a few random disconnects...
Wisdown (asker):
noci (Software Engineer) commented:
This one:
iptables -A FORWARD -o ppp0 -p udp -m multiport --dports 80,8080 -j ACCEPT

should have been:
iptables -A FORWARD -o ppp0 -p tcp -m multiport --dports 80,8080 -j ACCEPT

as HTTP is run over tcp streams.

Also your nat rule is lacking some network info:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
should be used.

Also, how would you connect to your webserver on this firewall if you forward the HTTP traffic to a backend (192.168.0.3)?
Also note that port 8080 isn't routed to the backend http server and that local access to port 8080 (INPUT) is not allowed.
Wisdown (author) commented:
The:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE

Solved a problem accessing yahoo / linkedin, where the page never finished loading until it timed out... (now this issue is still happening on experts-exchange, so I switched my connection to post here)
Thanks for this hint!!!

This line:
iptables -A FORWARD -o ppp0 -p tcp -m multiport --dports 80,8080 -j ACCEPT

was correct, I just wrote it wrong :(

Trying to make things easier, I removed eth1; now I only have eth0 and ppp0. I get my IP from ppp0, so how will people from the internet be able to connect to my other PC running Apache if I don't redirect port 80? I didn't get this part:

Also how would you connect to you webserver on this firewall if you forward the HTTP traffic to a backend (192.168.0.3).

The firewall is on my gateway, Debian 1 (192.168.0.1); Apache is on another PC, Debian 2 (192.168.0.3)
noci (Software Engineer) commented:
Then you most probably need to NAT 80, 8080 as well as 443
Wisdown (author) commented:
I have added this:
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 80 -j DNAT --to 192.168.0.3:80
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 8080 -j DNAT --to 192.168.0.3:8080
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 8081 -j DNAT --to 192.168.0.3:8081
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 443 -j DNAT --to 192.168.0.3:443

iptables -A OUTPUT  -p tcp -m tcp -m multiport --dports 22,80,443,25,143,8080,8081 -m state --state NEW -j ACCEPT
iptables -A INPUT   -p tcp -m tcp -m multiport --dports 22,80,443,25,143,8080,8081 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -m tcp -m multiport --dports 22,80,443,25,143,8080,8081 -m state --state NEW -j ACCEPT



Still not working, any other hint?
If I set the hosts file on another PC to point the domain to 192.168.0.3 (the IP of Debian 2 running Apache) I can see the websites.

Then I removed the hosts config, restarted the PC, and no luck trying to access the websites from the web
noci (Software Engineer) commented:
When using --state NEW ....

you need a first rule
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

this is to allow the trailing packets, as with stateful inspection you only inspect the first packet of a stream. (--state NEW filters the first packet of a stream...)
Wisdown (author) commented:
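The two corrections noci gives above (tcp rather than udp for HTTP, a full /24 on the MASQUERADE rule) and the ordering rule from this last comment (ESTABLISHED,RELATED accepted before any --state NEW rule) are easiest to see together in one complete ruleset. The script below is an added example written for this page, not code from the thread or from either participant. It reproduces the asker's topology (ppp0 to the internet, eth1 = 192.168.0.1 on the LAN, Apache on 192.168.0.3, ports 80/443/8080/8081 forwarded) with those fixes applied, and goes one step beyond the thread: it adds hairpin (NAT loopback) rules, which is the usual reason a LAN client that resolves the site name to the public address "gets stuck in a loop" at the gateway, independent of the DNS explanation offered later. The public address 203.0.113.10 is a placeholder, the LAN is assumed trusted, and DROP default policies are assumed acceptable for this gateway; it uses `-m conntrack --ctstate`, the current equivalent of the thread's `-m state --state`. Setting `IPT` to a recording function dry-runs the rule set without touching the kernel.

```shell
#!/bin/sh
# Added example (not from the original thread): gateway ruleset for the
# setup in the question with the corrections discussed applied:
#   - HTTP/HTTPS forwarded over tcp, never udp
#   - MASQUERADE matches the whole LAN prefix, not the bare "192"
#   - every DNAT rule names its inbound interface (-i)
#   - ESTABLISHED,RELATED accepted before any --ctstate NEW rule
#   - INPUT and FORWARD default to DROP (assumption: nothing else on the
#     gateway must be reachable from the internet)
# Assumptions: WAN_IP is a placeholder for the static ppp0 address, the LAN
# is trusted, and BIND on the gateway serves only the LAN (no udp/53 from
# the internet). Set IPT to another command to dry-run.

IPT="${IPT:-iptables}"
WAN=ppp0
LAN=eth1
LAN_NET=192.168.0.0/24
GW_LAN_IP=192.168.0.1
WEB=192.168.0.3
WAN_IP="${WAN_IP:-203.0.113.10}"   # placeholder public address (RFC 5737)
WEB_PORTS="80 443 8080 8081"       # ports the asker forwards to Apache

flush() {
  for t in filter nat mangle; do
    $IPT -t $t -F
    $IPT -t $t -X
  done
}

apply_rules() {
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT

  # Stateful rules first: the NEW rules below only see the opening packet
  # of a flow; every later packet of that flow must be accepted here.
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
  $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
  $IPT -A INPUT -i lo -j ACCEPT

  # The gateway itself: reachable from the LAN (DNS on 53, ssh, ...), not
  # from the internet, because HTTP is served by the backend, not here.
  $IPT -A INPUT -i $LAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT

  # LAN clients out to the internet, source-NATed to the ppp0 address.
  $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
  $IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE

  for p in $WEB_PORTS; do
    # Internet -> public IP:p -> Apache box.
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport $p -j DNAT --to-destination $WEB:$p
    # Hairpin: a LAN client that resolves the site name to the public
    # address must be DNATed as well, or it lands on the gateway itself.
    $IPT -t nat -A PREROUTING -i $LAN -s $LAN_NET -d $WAN_IP -p tcp --dport $p -j DNAT --to-destination $WEB:$p
    # Let the DNATed flow through (covers both the WAN and hairpin cases).
    $IPT -A FORWARD -o $LAN -d $WEB -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT
  done
  # Hairpin replies must return via the gateway, not directly to the
  # client, so rewrite the source of DNATed LAN->Apache flows.
  $IPT -t nat -A POSTROUTING -o $LAN -s $LAN_NET -d $WEB -p tcp -m conntrack --ctstate DNAT -j SNAT --to-source $GW_LAN_IP

  # Rate-limited log of what the DROP policies discard, for debugging.
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
  $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

enable_forwarding() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only "sh firewall.sh apply" changes anything; otherwise the functions
# are just defined, which is what the dry-run relies on.
if [ "${1:-}" = apply ]; then
  flush
  apply_rules
  enable_forwarding
fi
```

To dry-run, define `record() { printf '%s\n' "$*"; }`, export `IPT=record`, source the file and call `apply_rules`; the printed rules can be reviewed for interface names and ordering before running it with `apply` as root. The `--ctstate DNAT` match on the POSTROUTING SNAT rule keeps the source rewrite limited to hairpinned connections, so normal LAN-to-LAN traffic to the Apache box keeps its real client address in the access logs.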
Sorry for the delay in answering, I was traveling...

I checked my home server and noticed the service was running; the "problem" was happening when I tried to access the domains from my local network. I know I can access them by adding each domain to my hosts file, but is there another way?

Trying to access using my connection (the one with the static IP) I get stuck in a loop and then a timeout. If I use another connection, the domains are fine...
noci (Software Engineer) commented:
Then you most probably need to set up your DNS servers correctly.
In Unix/Linux you need to set up the /etc/resolv.conf file.
You need to know the IP addresses of your DNS servers [given by your ISP].

They need to be added to /etc/resolv.conf as:

nameserver ip.ad.dr.ess

Each on a separate line.
Wisdown (author) commented:
I gave up trying to set up Debian and gave pfSense a try...
Answering the installer's questions using my previous setup, everything is working now...

Don't know what the setup did, but at least I finally got this up.
Thanks for trying to help anyway.