
DNS/ FTP/ EMAIL/ WWW behind IPTABLES firewall


David Christman
Apr 1, 2002, 12:34:24 AM
I am using the simple firewall example provided by David Ranch found
at http://www.linuxdoc.org/howto/ip-masquerade-howto/index.html

I have successfully set up client computers with internet access
behind the RedHat 7.2 kernel 2.4.x firewall... but this is where the
instructions stop.

I need to port forward incoming DNS, ftp, www, etc. to an internal
IP.... I have tried several examples from google searches, but
nothing seems to work. Any help would be greatly appreciated.

Gratefully,
David T. Christman

Jonathan De Graeve
Apr 4, 2002, 5:54:02 AM
You don't mention to which IPs there must be forwarding.

Please send the whole situation or nobody can help you.
"David Christman" <da...@christmantech.com> wrote in message
news:a72859da.02033...@posting.google.com...

David Christman
Apr 4, 2002, 12:09:00 PM
Jonathan...


Internal computer 1 (ip 192.168.0.1) sends a request for
www.myurl.com.

The DNS server for www.myurl.com (registered) is on internal computer
2 (ip 192.168.0.2)... Internet requests to www.myurl.com come in on
xxx.xxx.xxx.xxx (my public ip). My problem is that internal computers
don't get the page.

I don't see why the specific IP configuration makes any difference.
I'm using class C IPs for my internal LAN.

Please explain!

Please don't be a prick.

Thanks

"Jonathan De Graeve" <jona...@esstec.be> wrote in message news:<ddbh8a...@jonathan.esstec.be>...

Jonathan De Graeve
Apr 5, 2002, 12:27:39 PM
You don't explain if your network is masqueraded or not (using NAT).

You even don't mention if your http server is using virtual hosting or not.

I tried a dig on myurl.com and it does not respond.

The problem probably is that your computers will go to your URL at your
external IP.

But your router will forward the requests to the correct http server in
your LAN. The router won't allow redirection from inside the LAN back
inside the LAN (don't shoot me, but I tried it and it won't work).

You should make a DNS entry on your internal network with the zone
myurl.com and the correct IPs that are valid inside your LAN.
So people outside will use the dns from your provider and your intranet
will use your own DNS servers, avoiding the errors from redirection.

You didn't supply enough information on how your network is structured.
(Which machine hosts the http? DNS is on 192.168.0.2 (which entries are in
your DNS server?), etc.)
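The split-horizon setup Jonathan describes, written out as an added example (not from the thread, which never names a DNS server): a BIND named.conf with two views, so LAN clients resolve www.myurl.com to the server's private address and never send the request to the public IP, while Internet clients still get the public address. The view names, file paths, the web server address 192.168.0.3 and the TEST-NET address 203.0.113.10 (standing in for xxx.xxx.xxx.xxx) are assumptions.

```conf
// named.conf fragment (added example, not from the thread).
// Queries from the LAN match the "internal" view and get RFC 1918 answers;
// everyone else falls through to the "external" view.
acl lan { 192.168.0.0/24; 127.0.0.1; };

view "internal" {
    match-clients { lan; };
    recursion yes;            // recursive resolver service for the LAN only
    zone "myurl.com" {
        type master;
        file "/etc/bind/db.myurl.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;             // authoritative only towards the Internet
    zone "myurl.com" {
        type master;
        file "/etc/bind/db.myurl.com.external";
    };
};

; ---- /etc/bind/db.myurl.com.internal: private addresses, never served outside
$TTL 3600
@       IN SOA  ns1.myurl.com. hostmaster.myurl.com. ( 2002040601 3600 900 604800 300 )
        IN NS   ns1.myurl.com.
ns1     IN A    192.168.0.2     ; the DNS box from the thread
www     IN A    192.168.0.3     ; assumed LAN address of the web server (INTSVR)

; ---- /etc/bind/db.myurl.com.external: same names, public address only
$TTL 3600
@       IN SOA  ns1.myurl.com. hostmaster.myurl.com. ( 2002040601 3600 900 604800 300 )
        IN NS   ns1.myurl.com.
ns1     IN A    203.0.113.10    ; placeholder for the firewall's public IP
www     IN A    203.0.113.10    ; the firewall's DNAT forwards :80 to the internal server
```

Keep the SOA serial identical in both files when you change them together, and verify with `dig @192.168.0.2 www.myurl.com` from a LAN host and from outside: the two answers should differ, which is the whole point of the split.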

David Christman
Apr 6, 2002, 8:30:56 AM
Well... After a week of research I found the answer.

# Variables as in the HOWTO's rc.firewall script (values here are placeholders)
IPTABLES=/sbin/iptables
EXTIP="xxx.xxx.xxx.xxx"     # public IP, as written in the thread
INTIF="eth1"                # LAN interface
INTIP="192.168.0.254"       # the firewall's own LAN address (assumed)
INTSVR="192.168.0.2"        # internal web server (assumed)
LAN="192.168.0.0/24"

# Port 80 to the firewall itself from the LAN. DNATed packets are routed
# through FORWARD, not INPUT, so this only matters if the firewall serves HTTP.
$IPTABLES -A INPUT -i $INTIF -p tcp --dport 80 -m state --state \
  NEW,ESTABLISHED,RELATED -j ACCEPT
# Route traffic for the public IP, port 80, to the internal server (INTSVR)
$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 80 -j DNAT --to \
  $INTSVR:80
# Allow the hairpinned LAN -> LAN connection to the server
$IPTABLES -A FORWARD -i $INTIF -o $INTIF -p tcp -d $INTSVR --dport 80 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Change the source IP to the firewall's LAN address so the server's replies
# come back through the firewall. Scoped to LAN clients: the unscoped original
# (-o $INTIF alone) also rewrote Internet clients, hiding their real addresses
# in the server's logs.
$IPTABLES -t nat -A POSTROUTING -o $INTIF -s $LAN -d $INTSVR -p tcp --dport 80 \
  -j SNAT --to $INTIP
# Allow the reply from the server back to the internal client
$IPTABLES -A FORWARD -i $INTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT


Jonathan De Graeve <jona...@esstec.be> wrote in message news:<3CADDE8...@esstec.be>...
