Linux firewall forwarding problem

 
 
ahoernec
11-07-2005, 10:59 PM

Hi,

I am pretty new to Linux. I am trying to get a firewall set up to
protect an internal network that includes a webserver. I am using
Firestarter, and currently everything seems to work OK, accessing the
internal network from the firewall box or the outside world. (I guess
that means the internal network can access other clients on it and the
outside world OK.)

The problem I am having is getting external traffic, or traffic from
the firewall box itself, to find the webserver. I set up a forwarding
rule on port 80 to 192.168.100.253 port 80 (the webserver), but for
some reason it isn't working. I've checked it out with Ethereal, and
for some reason it is looking for the web server on the outside
interface (when I use the private address in my browser on the firewall
machine). This seems especially strange since I can ping the webserver
using its private address on the firewall machine, and that works fine.

What can I do to get the webserver to work from the outside?

Thanks,
Andy

Here is some more information...

ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0E:0C:37:BB:CE
          inet addr:129.186.215.213  Bcast:129.186.215.223  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:86255 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7468 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:37892492 (36.1 Mb)  TX bytes:796082 (777.4 Kb)
          Base address:0x9000 Memory:f2000000-f2020000

eth2      Link encap:Ethernet  HWaddr 00:30:48:72:2F:EF
          inet addr:192.168.100.254  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:119 errors:0 dropped:0 overruns:0 frame:0
          TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15826 (15.4 Kb)  TX bytes:30002 (29.2 Kb)
          Base address:0xa000 Memory:f2060000-f2080000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10014 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10014 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:924974 (903.2 Kb)  TX bytes:924974 (903.2 Kb)


route -n

Destination     Gateway          Genmask          Flags Metric Ref  Use Iface
129.186.215.192 0.0.0.0          255.255.255.224  U     0      0      0 eth0
192.168.100.0   0.0.0.0          255.255.255.0    U     0      0      0 eth2
169.254.0.0     0.0.0.0          255.255.0.0      U     0      0      0 eth2
0.0.0.0         129.186.215.222  0.0.0.0          UG    0      0      0 eth0


iptables --list

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  ns-1.iastate.edu     anywhere             tcp flags:!SYN,RST,ACK/SYN
ACCEPT     udp  --  ns-1.iastate.edu     anywhere
ACCEPT     tcp  --  romulan.ece.iastate.edu anywhere          tcp flags:!SYN,RST,ACK/SYN
ACCEPT     udp  --  romulan.ece.iastate.edu anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             129.186.215.192/27   limit: avg 10/sec burst 5
LD         all  --  anywhere             anywhere             state INVALID
LD         all  -f  anywhere             anywhere             limit: avg 10/min burst 5
ACCEPT     all  --  192.168.100.0/24     anywhere
NR         all  --  !129.186.215.192/27  anywhere
LD         tcp  --  anywhere             129.186.215.192/27   tcp dpt:31337 limit: avg 2/min burst 5
LD         udp  --  anywhere             129.186.215.192/27   udp dpt:31337 limit: avg 2/min burst 5
LD         tcp  --  anywhere             129.186.215.192/27   tcp dpt:33270 limit: avg 2/min burst 5
LD         udp  --  anywhere             129.186.215.192/27   udp dpt:33270 limit: avg 2/min burst 5
LD         tcp  --  anywhere             129.186.215.192/27   tcp dpt:1234 limit: avg 2/min burst 5
LD         tcp  --  anywhere             129.186.215.192/27   tcp dpt:6711 limit: avg 2/min burst 5
LD         tcp  --  anywhere             129.186.215.192/27   tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
LD         tcp  --  anywhere             129.186.215.192/27   tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
LD         tcp  --  anywhere             129.186.215.192/27   tcp dpts:12345:12346 limit: avg 2/min burst 5
LD         udp  --  anywhere             129.186.215.192/27   udp dpts:12345:12346 limit: avg 2/min burst 5
LD         tcp  --  anywhere             129.186.215.192/27   tcp dpt:135 limit: avg 2/min burst 5
LD         udp  --  anywhere             129.186.215.192/27   udp dpt:135 limit: avg 2/min burst 5
LD         tcp  --  anywhere             129.186.215.192/27   tcp dpt:ingreslock limit: avg 2/min burst 5
LD         tcp  --  anywhere             129.186.215.192/27   tcp dpt:27665 limit: avg 2/min burst 5
LD         udp  --  anywhere             129.186.215.192/27   udp dpt:27444 limit: avg 2/min burst 5
LD         udp  --  anywhere             129.186.215.192/27   udp dpt:31335 limit: avg 2/min burst 5
LD         all  --  BASE-ADDRESS.MCAST.NET/8 anywhere
LD         all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
LD         all  --  255.255.255.255      anywhere
LD         all  --  anywhere             0.0.0.0
DROP       all  --  anywhere             anywhere             state INVALID
LD         all  -f  anywhere             anywhere             limit: avg 10/min burst 5
LD         tcp  --  anywhere             anywhere             tcp flags:!SYN,RST,ACK/SYN state NEW
STATE      tcp  --  anywhere             129.186.215.192/27   tcp dpts:1024:65535
ACCEPT     udp  --  anywhere             129.186.215.192/27   udp dpts:1023:65535
LD         all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  192.168.100.0/24     anywhere
ACCEPT     all  --  anywhere             192.168.100.0/24

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.100.0/24     anywhere
ACCEPT     icmp --  192.168.100.0/24     anywhere
LD         tcp  --  129.186.215.192/27   anywhere             tcp dpt:31337 limit: avg 2/min burst 5
LD         udp  --  129.186.215.192/27   anywhere             udp dpt:31337 limit: avg 2/min burst 5
LD         tcp  --  129.186.215.192/27   anywhere             tcp dpt:33270 limit: avg 2/min burst 5
LD         udp  --  129.186.215.192/27   anywhere             udp dpt:33270 limit: avg 2/min burst 5
LD         tcp  --  129.186.215.192/27   anywhere             tcp dpt:1234 limit: avg 2/min burst 5
LD         tcp  --  129.186.215.192/27   anywhere             tcp dpt:6711 limit: avg 2/min burst 5
LD         tcp  --  129.186.215.192/27   anywhere             tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
LD         tcp  --  129.186.215.192/27   anywhere             tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
LD         tcp  --  129.186.215.192/27   anywhere             tcp dpts:12345:12346 limit: avg 2/min burst 5
LD         udp  --  129.186.215.192/27   anywhere             udp dpts:12345:12346 limit: avg 2/min burst 5
LD         tcp  --  129.186.215.192/27   anywhere             tcp dpt:135 limit: avg 2/min burst 5
LD         udp  --  129.186.215.192/27   anywhere             udp dpt:135 limit: avg 2/min burst 5
LD         tcp  --  129.186.215.192/27   anywhere             tcp dpt:ingreslock limit: avg 2/min burst 5
LD         tcp  --  129.186.215.192/27   anywhere             tcp dpt:27665 limit: avg 2/min burst 5
LD         udp  --  129.186.215.192/27   anywhere             udp dpt:27444 limit: avg 2/min burst 5
LD         udp  --  129.186.215.192/27   anywhere             udp dpt:31335 limit: avg 2/min burst 5
LD         all  --  BASE-ADDRESS.MCAST.NET/8 anywhere
LD         all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
LD         all  --  255.255.255.255      anywhere
LD         all  --  anywhere             0.0.0.0
DROP       tcp  --  anywhere             anywhere             tcp flags:!SYN,RST,ACK/SYN state NEW
DROP       all  --  anywhere             anywhere             state INVALID
           all  --  anywhere             anywhere             TTL match TTL == 64
ACCEPT     icmp --  129.186.215.192/27   anywhere
ACCEPT     all  --  anywhere             anywhere

Chain LD (139 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level info
DROP       all  --  anywhere             anywhere

Chain NR (1 references)
target prot opt source destination
LD all -- 0.0.0.0/8 129.186.215.192/27
LD all -- 1.0.0.0/8 129.186.215.192/27
LD all -- 2.0.0.0/8 129.186.215.192/27
LD all -- 5.0.0.0/8 129.186.215.192/27
LD all -- 7.0.0.0/8 129.186.215.192/27
LD all -- 10.0.0.0/8 129.186.215.192/27
LD all -- 23.0.0.0/8 129.186.215.192/27
LD all -- 27.0.0.0/8 129.186.215.192/27
LD all -- 31.0.0.0/8 129.186.215.192/27
LD all -- 36.0.0.0/8 129.186.215.192/27
LD all -- 37.0.0.0/8 129.186.215.192/27
LD all -- 39.0.0.0/8 129.186.215.192/27
LD all -- 41.0.0.0/8 129.186.215.192/27
LD all -- 42.0.0.0/8 129.186.215.192/27
LD all -- 49.0.0.0/8 129.186.215.192/27
LD all -- 50.0.0.0/8 129.186.215.192/27
LD all -- ppp-net.infoweb.ne.jp/8 129.186.215.192/27
LD all -- 59.0.0.0/8 129.186.215.192/27
LD all -- 71.0.0.0/8 129.186.215.192/27
LD all -- 72.0.0.0/8 129.186.215.192/27
LD all -- 73.0.0.0/8 129.186.215.192/27
LD all -- 74.0.0.0/8 129.186.215.192/27
LD all -- 75.0.0.0/8 129.186.215.192/27
LD all -- 76.0.0.0/8 129.186.215.192/27
LD all -- 77.0.0.0/8 129.186.215.192/27
LD all -- 78.0.0.0/8 129.186.215.192/27
LD all -- 79.0.0.0/8 129.186.215.192/27
LD all -- 89.0.0.0/8 129.186.215.192/27
LD all -- 90.0.0.0/8 129.186.215.192/27
LD all -- 91.0.0.0/8 129.186.215.192/27
LD all -- 92.0.0.0/8 129.186.215.192/27
LD all -- 93.0.0.0/8 129.186.215.192/27
LD all -- 94.0.0.0/8 129.186.215.192/27
LD all -- 95.0.0.0/8 129.186.215.192/27
LD all -- 96.0.0.0/8 129.186.215.192/27
LD all -- 97.0.0.0/8 129.186.215.192/27
LD all -- 98.0.0.0/8 129.186.215.192/27
LD all -- 99.0.0.0/8 129.186.215.192/27
LD all -- 100.0.0.0/8 129.186.215.192/27
LD all -- 101.0.0.0/8 129.186.215.192/27
LD all -- 102.0.0.0/8 129.186.215.192/27
LD all -- 103.0.0.0/8 129.186.215.192/27
LD all -- 104.0.0.0/8 129.186.215.192/27
LD all -- 105.0.0.0/8 129.186.215.192/27
LD all -- 106.0.0.0/8 129.186.215.192/27
LD all -- 107.0.0.0/8 129.186.215.192/27
LD all -- 108.0.0.0/8 129.186.215.192/27
LD all -- 109.0.0.0/8 129.186.215.192/27
LD all -- 110.0.0.0/8 129.186.215.192/27
LD all -- 111.0.0.0/8 129.186.215.192/27
LD all -- 112.0.0.0/8 129.186.215.192/27
LD all -- 113.0.0.0/8 129.186.215.192/27
LD all -- 114.0.0.0/8 129.186.215.192/27
LD all -- 115.0.0.0/8 129.186.215.192/27
LD all -- 116.0.0.0/8 129.186.215.192/27
LD all -- 117.0.0.0/8 129.186.215.192/27
LD all -- 118.0.0.0/8 129.186.215.192/27
LD all -- 119.0.0.0/8 129.186.215.192/27
LD all -- 120.0.0.0/8 129.186.215.192/27
LD all -- 121.0.0.0/8 129.186.215.192/27
LD all -- 122.0.0.0/8 129.186.215.192/27
LD all -- 123.0.0.0/8 129.186.215.192/27
LD all -- 124.0.0.0/8 129.186.215.192/27
LD all -- ppp-net.infoweb.ne.jp/8 129.186.215.192/27
LD all -- YahooBB126000000000.bbtec.net/8 129.186.215.192/27
LD all -- 127.0.0.0/8 129.186.215.192/27
LD all -- 169.254.0.0/16 129.186.215.192/27
LD all -- 172.16.0.0/12 129.186.215.192/27
LD all -- 173.0.0.0/8 129.186.215.192/27
LD all -- 174.0.0.0/8 129.186.215.192/27
LD all -- 175.0.0.0/8 129.186.215.192/27
LD all -- 176.0.0.0/8 129.186.215.192/27
LD all -- 177.0.0.0/8 129.186.215.192/27
LD all -- 178.0.0.0/8 129.186.215.192/27
LD all -- 179.0.0.0/8 129.186.215.192/27
LD all -- 180.0.0.0/8 129.186.215.192/27
LD all -- 181.0.0.0/8 129.186.215.192/27
LD all -- 182.0.0.0/8 129.186.215.192/27
LD all -- 183.0.0.0/8 129.186.215.192/27
LD all -- 184.0.0.0/8 129.186.215.192/27
LD all -- 185.0.0.0/8 129.186.215.192/27
LD all -- 186.0.0.0/8 129.186.215.192/27
LD all -- 187.0.0.0/8 129.186.215.192/27
LD all -- 189.0.0.0/8 129.186.215.192/27
LD all -- 190.0.0.0/8 129.186.215.192/27
LD all -- 192.0.2.0/24 129.186.215.192/27
LD all -- 192.168.0.0/16 129.186.215.192/27
LD all -- 197.0.0.0/8 129.186.215.192/27
LD all -- 198.18.0.0/15 129.186.215.192/27
LD all -- 223.0.0.0/8 129.186.215.192/27
LD all -- BASE-ADDRESS.MCAST.NET/3 129.186.215.192/27

Chain SANITY (0 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
LD         all  --  anywhere             anywhere

Chain STATE (1 references)
target     prot opt source               destination
LD         all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LD         all  --  anywhere             anywhere

 
Thomas Bosch
11-08-2005, 08:14 AM

What is the output of iptables --list -t nat ?





 
ahoernec
11-08-2005, 03:07 PM

This is the iptables --list -t nat

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             129.186.215.192/27   tcp dpt:http to:192.168.100.253:80
DNAT       udp  --  anywhere             129.186.215.192/27   udp dpt:http to:192.168.100.253:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  anywhere             anywhere
ACCEPT     all  --  129.186.215.192/27   anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

 
Thomas Bosch
11-08-2005, 03:34 PM

Okay,

I also have port forwarding on my router to an internal webserver. The only
difference in my setup is that I have no port written after the server
IP.
I do not have
DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.x.x:80
but only:
DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.x.x

So how do you set the forwarding?
What is the iptables command to set it?
iptables -A PREROUTING -t nat ..... ???





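The rule set Thomas is asking about, written out as an added example for this thread; it is not the thread's own commands and not what Firestarter generates. The addresses and interface names come from the posted ifconfig output; the dry-run IPT and SYSCTL defaults, the function names and the SAMPLE_NAT listing are this example's assumptions. Three things visible in the posted tables are worth folding in. The explicit port in to:192.168.100.253:80 is legal DNAT syntax (--to-destination takes ip[:port]), so that difference is cosmetic while the port stays 80. The nat PREROUTING chain only sees packets arriving on an interface; packets generated on the firewall box itself pass through nat OUTPUT instead, and that chain is empty in the posted table, so a browser on the firewall aimed at the public address is delivered locally to port 80 on the firewall rather than forwarded. And iptables --list without -v drops the in/out interface column, so rules that print as "ACCEPT all -- anywhere anywhere" (usually interface-bound loopback rules) and the MASQUERADE with no visible -o cannot be judged from the listing alone; a MASQUERADE that really has no -o restriction also rewrites the source of forwarded packets leaving eth2, so the web server would log every external client as 192.168.100.254. The script prints the commands by default (run with IPT=iptables as root to apply them), and the helper at the end reads an iptables -t nat -L listing, here a constructed copy of the one posted, and reports the missing OUTPUT DNAT.

```shell
#!/bin/sh
# Added example, not code from the thread or from Firestarter.
# Forwards TCP/80 on the public address to an internal web server and
# checks an `iptables -t nat -L` listing for the one chain that locally
# generated traffic actually traverses.
#
# Interface names and addresses are the ones in the posted ifconfig; the
# dry-run defaults, function names and SAMPLE_NAT are this example's own.

WAN_IF=eth0
WAN_IP=129.186.215.213          # public address on eth0
LAN_IF=eth2
LAN_IP=192.168.100.254          # firewall's own address on eth2
WEB=192.168.100.253             # internal web server
IPT="${IPT:-echo iptables}"     # dry run; set IPT=iptables as root to apply
SYSCTL="${SYSCTL:-echo sysctl}"

portfwd_rules() {
    # Routing between interfaces must be on, or FORWARD never runs.
    $SYSCTL -w net.ipv4.ip_forward=1

    # nat PREROUTING: rewrite the destination of packets arriving from
    # outside before the routing decision. TCP only: HTTP does not use
    # UDP/80, so a UDP DNAT for dpt:http adds nothing but exposure.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport 80 \
         -j DNAT --to-destination "$WEB:80"

    # nat OUTPUT: packets generated on the firewall itself never pass
    # PREROUTING. Without this rule a browser on this host aimed at the
    # public address is delivered locally to port 80, not forwarded.
    $IPT -t nat -A OUTPUT -p tcp -d "$WAN_IP" --dport 80 \
         -j DNAT --to-destination "$WEB:80"

    # nat POSTROUTING: masquerade only what leaves on the WAN side. An
    # unrestricted MASQUERADE also rewrites the source of forwarded
    # packets leaving eth2, so the web server logs every client as $LAN_IP.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # filter FORWARD: admit only the forwarded service and replies for
    # connections already accepted, rather than everything bound for the LAN.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB" --dport 80 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Count the DNAT rules in one chain of an `iptables -t nat -L` listing
# read from stdin; prints the count.
dnat_count() {
    awk -v chain="$1" '
        /^Chain /              { cur = $2 }
        cur == chain && /DNAT/ { n++ }
        END                    { print n + 0 }'
}

# Succeeds when the listing forwards from outside (DNAT in PREROUTING) but
# has no DNAT in nat OUTPUT, i.e. the forward cannot work from the box itself.
local_dnat_missing() {
    listing=$(cat)
    pre=$(printf '%s\n' "$listing" | dnat_count PREROUTING)
    out=$(printf '%s\n' "$listing" | dnat_count OUTPUT)
    [ "$pre" -gt 0 ] && [ "$out" -eq 0 ]
}

# Constructed sample: the nat table posted in the thread, rows unwrapped.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             129.186.215.192/27   tcp dpt:http to:192.168.100.253:80
DNAT       udp  --  anywhere             129.186.215.192/27   udp dpt:http to:192.168.100.253:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  anywhere             anywhere
ACCEPT     all  --  129.186.215.192/27   anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Stand-alone run: print the rule set (dry run), then the diagnosis.
portfwd_rules
if printf '%s\n' "$SAMPLE_NAT" | local_dnat_missing; then
    echo "nat OUTPUT has no DNAT: the forward only works for packets arriving from outside"
fi
```

After applying the rules for real, iptables -t nat -L -v -n and iptables -L FORWARD -v -n show per-rule packet counters and the interface columns, which is the quickest way to see whether a test request from outside was rewritten by PREROUTING and then admitted by FORWARD, or dropped by the FORWARD policy.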


 
ahoernec
11-09-2005, 01:06 AM

Just FYI, I found out I was using an older version of the Firestarter
program. I decided to update and the problems went away.

Thanks for all the help!

 