Wisdown (ASKER)
IPTABLES - Forwarding IP to APACHE with invalid IP

Hey,

I'm stuck trying to route port 80 to my Apache server; here is my setup:

1 Debian box as gateway with 2 NICs
eth0 = connected to a bridged modem, using PPPoE to get the public IP (VDSL connection with static IP)
eth1 = 192.168.0.1 - my LAN

Modules
ip_tables
iptable_filter
iptable_mangle
iptable_nat
ipt_MASQUERADE
ipt_LOG
ipt_REDIRECT

Policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Rules
# Web Traffic
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d 192.168.0.3 -j ACCEPT
iptables -A FORWARD -o ppp0 -p tcp -m multiport --dports 80,8080 -j ACCEPT   # tcp, not udp (typo corrected later in the thread)
iptables -A FORWARD -o ppp0 -p tcp --dport 443 -j ACCEPT

# Bind 9
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -o ppp0 -p udp -m multiport --dports 53,5353 -j ACCEPT

# Source NAT for the whole LAN subnet (the original post had '-s 192', corrected later in the thread)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
# Forward inbound port 80 arriving on the PPPoE link to the Apache host (the original post lacked '-i')
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.3

echo "1" > /proc/sys/net/ipv4/ip_forward

Sockets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

1 Debian box with Apache
eth0 = 192.168.0.3

What am I missing to get Apache working?
All other PCs on the network can browse, with a few random disconnects...
ASKER CERTIFIED SOLUTION
noci

This solution is only available to members.
Wisdown (ASKER)

The:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE

Solved a problem accessing Yahoo / LinkedIn; the page never finished loading until it timed out... (this issue is still happening on Experts Exchange, so I switched my connection to post here)
Thanks for this hint!!!

This line:
iptables -A FORWARD -o ppp0 -p tcp -m multiport --dports 80,8080 -j ACCEPT

Was correct, I just wrote it wrong :(

Trying to make things easier, I removed eth1; now I only have eth0 and ppp0, and I get my IP from ppp0. So how are people from the Internet going to be able to connect to my other PC running Apache if I don't redirect port 80? I didn't get this part:

Also, how would you connect to your webserver on this firewall if you forward the HTTP traffic to a backend (192.168.0.3)?

The firewall is on my gateway, Debian 1 (192.168.0.1); Apache is on another PC, Debian 2 (192.168.0.3).
noci

Then you most probably need to NAT 80 and 8080 as well as 443.
Wisdown (ASKER)

I have added this:
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 80 -j DNAT --to 192.168.0.3:80
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 8080 -j DNAT --to 192.168.0.3:8080
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 8081 -j DNAT --to 192.168.0.3:8081
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 443 -j DNAT --to 192.168.0.3:443

# the command is case-sensitive: 'iptables', not 'IPTABLES'
iptables -A OUTPUT  -p tcp -m tcp -m multiport --dports 22,80,443,25,143,8080,8081 -m state --state NEW -j ACCEPT
iptables -A INPUT   -p tcp -m tcp -m multiport --dports 22,80,443,25,143,8080,8081 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -m tcp -m multiport --dports 22,80,443,25,143,8080,8081 -m state --state NEW -j ACCEPT

Still not working, any other hint?
If I set my hosts file on another PC to point the domain to 192.168.0.3 (the IP of Debian 2 running Apache), I can see the websites.

Then I removed the hosts config, restarted the PC, and had no luck trying to access the websites from the web.

When using --state NEW ...

you need a first rule:
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

This is to allow the trailing packets, as with stateful inspection you only inspect the first packet of a stream. (--state NEW filters the first packet of a stream...)
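The rule ordering noci describes, together with the DNAT and MASQUERADE forwards from the question, as an added example that is not code from the thread: a POSIX shell script that prints the whole ruleset for the gateway (ppp0, 192.168.0.0/24 and the Apache host 192.168.0.3 are taken from the thread; the default-DROP policies, the port list and the fw_check_order helper are assumptions of this example) and refuses to apply it if a --state NEW rule would come before the ESTABLISHED,RELATED rule in INPUT or FORWARD.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the corrected ruleset for the
# gateway in the question: ppp0 = WAN, 192.168.0.0/24 = LAN, Apache on 192.168.0.3.
# The defaults below are assumptions taken from the thread; override via environment.
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
WEB_HOST=${WEB_HOST:-192.168.0.3}
WEB_PORTS=${WEB_PORTS:-"80 443"}

# Emit the rules in order; nothing is applied here, so the output can be reviewed.
fw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $LAN_NET ! -i $WAN_IF -m state --state NEW -j ACCEPT
iptables -A FORWARD -s $LAN_NET -o $WAN_IF -m state --state NEW -j ACCEPT
EOF
    # Port forwards: DNAT rewrites the destination, then FORWARD must admit the flow.
    for p in $WEB_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $WEB_HOST:$p"
        echo "iptables -A FORWARD -i $WAN_IF -d $WEB_HOST -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Source NAT for the whole LAN subnet, as corrected in the thread.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

# Succeeds only if, in INPUT and FORWARD, the ESTABLISHED,RELATED rule precedes
# the first --state NEW rule; otherwise reply packets of accepted flows are dropped.
fw_check_order() {
    for chain in INPUT FORWARD; do
        est=$(fw_rules | grep -n -- "-A $chain .*ESTABLISHED" | head -n 1 | cut -d: -f1)
        new=$(fw_rules | grep -n -- "-A $chain .*--state NEW" | head -n 1 | cut -d: -f1)
        [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ] || return 1
    done
}

if fw_check_order; then
    # APPLY=1 pipes the rules into a root shell; the default only prints them.
    if [ "${APPLY:-0}" = 1 ]; then fw_rules | sh; else fw_rules; fi
else
    echo "ordering error: ESTABLISHED,RELATED must come before --state NEW" >&2
    exit 1
fi
```

Run it without APPLY first and read the printed rules; only then run it as root with APPLY=1 on the gateway.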
Wisdown (ASKER)

Sorry for the delay in answering, I was traveling...

I checked my home server and noticed the service was running; the "problem" was happening when I tried to access the domains from my local network. I know I can access them by adding each domain to my hosts file, but is there another way?

Trying to access them using my connection (the one with the static IP), I get stuck in a loop and then a timeout. If I use another connection, the domains are fine...

Then you most probably need to set up your DNS servers correctly.
In Unix/Linux you need to set up the /etc/resolv.conf file.
You need to know the IP addresses of your DNS servers [given by your ISP].

They need to be added to /etc/resolv.conf as:

nameserver ip.ad.dr.ess

Each on a separate line.
Wisdown (ASKER)

I gave up trying to set up Debian and gave pfSense a try...
Answering the installer's questions using the values from my previous setup, everything is working now...

Don't know what the setup did, but at least I finally got this up.
Thanks for trying to help anyway.