Networking Forums

iptables; allowing external web access to 192.168.0.1; how?

 
 
Gaétan Martineau
01-09-2004, 05:34 PM
My 10 Mb limit allowed by my ISP will shortly hit the wall and I would
like to continue publishing new documents on my personal firewall...

Fact: From my browser, the URL http://209.226.149.235/ (my system, as of
now) shows the Apache page. (httpd runs) However, nobody outside can see
this page.

Question: Is it because of my ISP or because of my iptables script,
included below? What can I do to correct and allow access?

Thanks
Gaetan

1 #!/bin/sh
2 # Script collected and adapted from
3 # http://www.linuxguruz.com/iptables/s...rewall_024.txt
4 INSMOD=/sbin/insmod
5 IPTABLES=/sbin/iptables
6
7 # External and internal devices
8 dev_extern="ppp0"
9 dev_intern="eth1"
10
11 # Internal IP of the firewall
12 addr_int=192.168.0.3
13
14 # Home network
15 net_int=192.168.0.0/24
16
17 #-------------------------------------------------------------------------------
18 # Modules to load
19 $INSMOD ip_tables
20 $INSMOD ip_conntrack
21 $INSMOD ip_conntrack_ftp
22 $INSMOD ipt_state
23 $INSMOD iptable_nat
24 $INSMOD ipt_MASQUERADE
25
26 #-------------------------------------------------------------------------------
27 # Flush all rules
28 $IPTABLES -F
29
30 #-------------------------------------------------------------------------------
31 # Definition of new chains
32 $IPTABLES -N BLOCK
33
34 #-------------------------------------------------------------------------------
35 $IPTABLES -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
36 $IPTABLES -A BLOCK -m state --state NEW -i ! $dev_extern -j ACCEPT
37 $IPTABLES -A BLOCK -j DROP
38
39 $IPTABLES -A INPUT -j BLOCK
40 $IPTABLES -A FORWARD -j BLOCK
41
42 #-------------------------------------------------------------------------------
43 # NAT
44 $IPTABLES -A POSTROUTING -t nat -o $dev_extern -j MASQUERADE -s $net_int
45 echo 1 > /proc/sys/net/ipv4/ip_forward
46

 

Carl
01-09-2004, 07:48 PM


Gaétan wrote:
> My 10 Mb limit allowed by my ISP will shortly hit the wall and I would
> like to continue publishing new documents on my personal firewall...
>
> Fact: From my browser, the URL http://209.226.149.235/ (my system, as of
> now) shows the Apache page. (httpd runs) However, nobody outside can see
> this page.
>
> Question: Is it because of my ISP or because of my iptables script,
> included below? What can I do to correct and allow access?
>
> Thanks
> Gaetan
>


who is your isp?

 

jack
01-09-2004, 08:40 PM
Gaétan Martineau wrote:
> My 10 Mb limit allowed by my ISP will shortly hit the wall and I would
> like to continue publishing new documents on my personal firewall...
>
> Fact: From my browser, the URL http://209.226.149.235/ (my system, as of
> now) shows the Apache page. (httpd runs) However, nobody outside can see
> this page.
>
> Question: Is it because of my ISP or because of my iptables script,
> included below? What can I do to correct and allow access?


Where did You get that script (below) from? --

In essence, You _need_ to allow the world to access $YOUR_IP:80 in
order to connect to Your webserver.

In that script below, You don't grant that access.

[I snipped that one because You have it in a different thread, already.]

> 27 # Flush all rules
> 28 $IPTABLES -F


> 31 # Definition of new chains
> 32 $IPTABLES -N BLOCK


> 36 $IPTABLES -A BLOCK -m state --state NEW -i ! $dev_extern -j ACCEPT
> 37 $IPTABLES -A BLOCK -j DROP
> 38
> 39 $IPTABLES -A INPUT -j BLOCK


Your line 36 is ok - as long as You only want to initiate connections
from the inside. If anybody wants to access Your server from the outside
(like for "HTTP GET"ting Your documents), they are literally
"BLOCK"ed in Your BLOCK chain (i. e. DROPped).

So, by inserting a rule like in line 36.1/2, You could
"$IPTABLES -A BLOCK -p tcp --dport 80 -j ACCEPT"
(again, I am no syntax guru, but I'm selling the concept. - Please
refer to the man-pages to insert a rule that will accept global
access to port 80 of Your "personal firewall" box...).

Even if this doesn't do the trick for You _yet_, I hope that You can
get the concept of what I'm saying and start off from there.


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
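Jack's suggestion carried through as a complete script, added here as an example; it is not part of Jack's post and not Gaétan's script. It reuses the interface names, the home network and the chain name BLOCK from the posted script; everything else is assumed. It goes one step beyond the sketch above: the port-80 ACCEPT goes on INPUT, before the jump into BLOCK, rather than inside BLOCK, because BLOCK is shared with FORWARD and a rule placed there would also apply to traffic the firewall routes. The rule list is kept as data so its order can be checked without root.

```shell
#!/bin/sh
# Added example, not the script from the post: the posted BLOCK-chain
# layout plus one rule that lets the outside world reach the web server
# running on the firewall host itself. Interface names, the home network
# and the chain name BLOCK come from the post; the rest is assumed.
# Pass "apply" as the first argument (as root) to load the rules.

dev_extern="ppp0"
net_int="192.168.0.0/24"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Filter-table rules, one per line, without the iptables prefix.
# Order is the point: the port-80 ACCEPT sits on INPUT before INPUT jumps
# into BLOCK, where unsolicited traffic from $dev_extern ends in DROP.
# "! -i" is the current spelling of the post's "-i !" (same meaning).
filter_rules() {
    cat <<EOF
-N BLOCK
-A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
-A BLOCK -m state --state NEW ! -i $dev_extern -j ACCEPT
-A BLOCK -j DROP
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -j BLOCK
-A FORWARD -j BLOCK
EOF
}

# Returns 0 when the port-80 ACCEPT on INPUT is evaluated before the jump
# into BLOCK; in any other order new connections from the outside would
# hit BLOCK's DROP first and the ACCEPT would never be reached.
port80_before_block_jump() {
    filter_rules | awk '
        /^-A INPUT / && /--dport 80/ { accept = NR }
        /^-A INPUT -j BLOCK$/        { jump = NR }
        END { exit !(accept && jump && accept < jump) }'
}

# Number of catch-all DROP rules in the list; exactly one, at the end of BLOCK.
drop_rule_count() {
    filter_rules | grep -c -- '-j DROP$'
}

# Load the rule set. The post's script only ran "-F", which flushes the
# filter table but not nat, so each re-run stacked another MASQUERADE
# rule and "-N BLOCK" failed because the chain already existed; this
# version flushes both tables and deletes the old chain first.
apply_firewall() {
    "$IPTABLES" -F
    "$IPTABLES" -X BLOCK 2>/dev/null || true
    "$IPTABLES" -t nat -F
    filter_rules | while read -r rule; do
        # splitting $rule into separate arguments is intended here
        "$IPTABLES" $rule || exit 1
    done || return 1
    "$IPTABLES" -t nat -A POSTROUTING -o "$dev_extern" -s "$net_int" -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply the rules" >&2; exit 1; }
    apply_firewall
fi
```

To answer the thread's actual question (ISP or firewall?) without guessing, compare the two counters after a friend tries the URL from outside: if `iptables -L BLOCK -v -n` shows the DROP rule's packet count climbing, the firewall is discarding the connection attempts and the rule above fixes it; if nothing arrives on ppp0 at all (`tcpdump -i ppp0 tcp port 80`), the connection is being filtered upstream and no iptables change will help.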

 

Gaétan Martineau
01-09-2004, 08:43 PM
Carl wrote:
> Gaétan wrote:
>

[snip]
>> Fact: From my browser, the URL http://209.226.149.235/ (my system, as
>> of now) shows the Apache page. (httpd runs) However, nobody outside can
>> see this page.
>>
>> Question: Is it because of my ISP or because of my iptables script,
>> included below? What can I do to correct and allow access?
>>


[script snipped]

>
> who is your isp?
>


It is www.mediom.com

You can tell something just from that? (and how?)

Thanks

Gaetan

 

Gaétan Martineau
01-09-2004, 11:51 PM
> Your line 36 is ok - as long as You only want to initiate connections
> from the inside. If anybody wants to access Your server from the outside
> (like for "HTTP GET"ting Your documents), they are literally
> "BLOCK"ed in Your BLOCK chain (i. e. DROPped).
>
> So, by inserting a rule like in line 36.1/2, You could
> "$IPTABLES -A BLOCK -p tcp --dport 80 -j ACCEPT"


[snip]

Yeah, that's it.

Thanks Jack!

Gaetan

 