Networking Forums

DNAT, Fedora, IPTABLES (very basic!) Help...

Paco Jones, 04-21-2004, 03:18 PM
This is driving me nuts... I've read all the posts that I can find
about DNAT and IPTABLES; I've had very informative replies on how to set
this up and it's still causing me issues. Here goes:

FIREWALL EXT INTERFACE: 65.222.35.249
FIREWALL INT INTERFACE: 192.168.0.248
WEB HOST: 192.168.0.5

The root of the problem is that I need to OPEN port 80 on the Firewall
external interface. The only way that I have found to do this is to
start Apache; but then the requests are not forwarded to the internal
webserver.

I have a Linksys router at home that is doing this exact thing; NOW when
I run nmap on my machine at home, it shows port 80 open and the
request is forwarded correctly but on my test machine when I do nmap
it only shows the port open if Apache is running on the firewall
server.

I'm using webmin to set up the rules:
"accept protocol TCP and destination port 80 and state new" above that
is a rule
"accept if state is related or established"
then I have DNAT rules setup
"accept if protocol is tcp and input interface is eth0 (external
interface) destination is 80"

What do I need to do to open port 80 without using Apache on the firewall?

Thanks!
Christoph Scheurer, 04-21-2004, 03:38 PM
On Wed, 21 Apr 2004 11:18:57 -0400
Paco Jones <(E-Mail Removed)> wrote:

> This is driving me nuts... I've read all the posts that I can find
> about DNAT and IPTABLES; I've had very informative replies on how to set
> this up and it's still causing me issues. Here goes:
>
> FIREWALL EXT INTERFACE: 65.222.35.249
> FIREWALL INT INTERFACE: 192.168.0.248
> WEB HOST: 192.168.0.5
>
> The root of the problem is that I need to OPEN port 80 on the Firewall
> external interface. The only way that I have found to do this is to
> start Apache; but then the requests are not forwarded to the internal
> webserver.
>
> I have a Linksys router at home that is doing this exact thing; NOW when
> I run nmap on my machine at home, it shows port 80 open and the
> request is forwarded correctly but on my test machine when I do nmap
> it only shows the port open if Apache is running on the firewall
> server.
>
> I'm using webmin to set up the rules:
> "accept protocol TCP and destination port 80 and state new" above that
> is a rule
> "accept if state is related or established"
> then I have DNAT rules setup
> "accept if protocol is tcp and input interface is eth0 (external
> interface) destination is 80"
>
> What do I need to do to open port 80 without using Apache on the firewall?


First check if the webserver is running and listening on port 80. Then you can check from the outside if the port
is open. If the firewall is set up right, the packets are forwarded to the webserver, but if the webserver is not
running, the port on the webserver is closed. From the outside, you can't see the difference between a closed port on the firewall and a closed port on the server behind it if using DNAT.

Greets
Chris
Paco Jones, 04-21-2004, 04:40 PM
Christoph Scheurer wrote:

> On Wed, 21 Apr 2004 11:18:57 -0400
> Paco Jones <(E-Mail Removed)> wrote:
>
>
>>This is driving me nuts... I've read all the posts that I can find
>>about DNAT and IPTABLES; I've had very informative replies on how to set
>>this up and it's still causing me issues. Here goes:
>>
>>FIREWALL EXT INTERFACE: 65.222.35.249
>>FIREWALL INT INTERFACE: 192.168.0.248
>>WEB HOST: 192.168.0.5
>>
>>The root of the problem is that I need to OPEN port 80 on the Firewall
>>external interface. The only way that I have found to do this is to
>>start Apache; but then the requests are not forwarded to the internal
>>webserver.
>>
>>I have a Linksys router at home that is doing this exact thing; NOW when
>>I run nmap on my machine at home, it shows port 80 open and the
>>request is forwarded correctly but on my test machine when I do nmap
>>it only shows the port open if Apache is running on the firewall
>>server.
>>
>>I'm using webmin to set up the rules:
>>"accept protocol TCP and destination port 80 and state new" above that
>>is a rule
>>"accept if state is related or established"
>>then I have DNAT rules setup
>>"accept if protocol is tcp and input interface is eth0 (external
>>interface) destination is 80"
>>
>>What do I need to do to open port 80 without using Apache on the firewall?

>
>
> First check if the webserver is running and listening on port 80. Then you can check from the outside if the port
> is open. If the firewall is set up right, the packets are forwarded to the webserver, but if the webserver is not
> running, the port on the webserver is closed. From the outside, you can't see the difference between a closed port on the firewall and a closed port on the server behind it if using DNAT.
>
> Greets
> Chris


Sorry, I should have clarified: the port (80) on the firewall is closed;
port 80 on the webserver is open (and working when I go directly).
I'm thinking that with an accept rule for TCP on port 80 the port
should show as open on the firewall; right??
Christoph Scheurer, 04-21-2004, 05:37 PM
On Wed, 21 Apr 2004 12:40:36 -0400
Paco Jones <(E-Mail Removed)> wrote:

>
> Sorry I should have clarified - the port (80) on the firewall is
> closed - port 80 on the webserver is open (and working when I go
> directly). I'm thinking that with an accept rule for TCP on port
> 80 that the port should show as open on the firewall; right??
>
>

Right, but make sure to forward the port with DNAT, else it will
show closed, since there is no service listening on port 80 on the
firewall.

iptables -t nat -A PREROUTING -p tcp --dport 80 -i $ext_if -j DNAT --to-destination $webserver_ip

should do the job.

The words with a leading '$' you need to change to your needs.

Greets
Chris
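As an added example (not code from the thread), here is the complete rule set that makes Chris's PREROUTING rule work on its own, using the addresses from the first post and assuming the external interface is eth0: the DNAT rule plus the FORWARD-chain accepts and the ip_forward setting that a filter-only "accept tcp port 80" rule like the webmin one does not provide.

```shell
#!/bin/sh
# Added example, not code from the thread. Uses the addresses Paco posted;
# the interface name eth0 is taken from his webmin rule. Run as root with
# "apply" to install the rules; with no argument it only prints them.
EXT_IF="eth0"
EXT_IP="65.222.35.249"   # firewall external interface
WEB_IP="192.168.0.5"     # internal web host
PORT="80"

# Emit the complete rule set. All three parts are needed: nat/PREROUTING
# rewrites the destination address, filter/FORWARD lets the rewritten packet
# (and the replies) through, and ip_forward turns routing on. A filter-table
# "accept tcp dport 80" rule on its own, like the webmin rule in the first
# post, never rewrites anything, so the port still shows closed from outside.
dnat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport $PORT -j DNAT --to-destination $WEB_IP:$PORT
iptables -A FORWARD -i $EXT_IF -p tcp -d $WEB_IP --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Commands that show whether traffic is actually being rewritten: the packet
# counters on the DNAT and FORWARD rules should climb while a client connects.
verify_cmds() {
    cat <<EOF
iptables -t nat -L PREROUTING -n -v
iptables -L FORWARD -n -v
cat /proc/sys/net/ipv4/ip_forward
EOF
}

# Sanity checks on the generated set: exactly one DNAT rule pointing at the
# web host, and exactly one FORWARD rule for the rewritten destination.
count_dnat()    { dnat_rules | grep -c -- "-j DNAT --to-destination $WEB_IP:$PORT"; }
count_forward() { dnat_rules | grep -c -- "-A FORWARD .*-d $WEB_IP"; }

apply_rules() { dnat_rules | sh -e; }

case "${1:-print}" in
    apply)  apply_rules ;;
    verify) verify_cmds | sh ;;
    *)      dnat_rules ;;
esac
```

Running the "verify" mode while a client outside connects to port 80 on the external address shows whether the DNAT counter moves at all; if it does but the FORWARD counter does not, the filter chain is what is dropping the forwarded packets.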
Paco Jones, 04-22-2004, 03:34 PM
> Right, but make sure to forward the port with DNAT, else it will
> show closed, since there is no service listening on port 80 on the
> firewall.
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -i $ext_if -j DNAT --to-destination $webserver_ip
>
> should do the job.
>
> The words with a leading '$' you need to change to your need.
>
> Greets
> Chris


Due to an impossibly stupid setup (not my fault!) this wasn't working. I
finally started forwarding to 3389 which worked :-) But something to
note is that forwarding to apache VIRTUAL HOSTS doesn't work (at least
not with a default iptables setup) from what I can tell. Below is what
I ended up using, and it's working fine!

# Forward TCP and UDP 3389 arriving at the firewall to the internal host
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT \
    --to-destination 192.168.1.25:3389
iptables -t nat -A PREROUTING -p udp --dport 3389 -j DNAT \
    --to-destination 192.168.1.25:3389
# Masquerade traffic leaving on the external interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Enable routing between interfaces (and dynamic-address handling)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# Fedora's firewall configuration tool, then show the resulting rules
lokkit
service iptables status

