I've implemented Wade's suggested script changes, and am able to browse the web fine, and access the web server from my internal workstation (via the local IP address, or the external IP address). However, I cannot access the web server from an external computer (i.e. not on my LAN). I tried accessing it by IP address only - I'm still having some issues with name resolution, and DNS (looks like nsupdate might help - needs more study though).
Wade - Thanks for the SNAT tips - much faster response times from the router now.

I'm posting my firewall script here for anyone to comment on, and possibly offer suggestions on how to allow external access to my web server. Note: I have the default policy for the FORWARD chain set to ACCEPT for testing/debugging purposes. When I'm sure everything is working the way I want it, I'll change this to DROP and change my script accordingly. The script was kludged together from various sources (including Wade), and my own findings from researching iptables and IP forwarding.

Thanks for the help and support!

Shawn

My firewall script:
-----------------------------------------------
#!/bin/bash

echo -e "[ Loading Firewall ]"

#Set Variables
IPT=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
EXTIF="eth0"
INTIF="eth1"
EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
INTIP="192.168.0.1"
SRVIP="192.168.0.15"
INTNET="192.168.0.0/24"

echo "****************************************"
echo "External Interface: $EXTIF"
echo "Internal Interface: $INTIF"
echo "IP Addresses:"
echo "  Internal:  $INTIP"
echo "  External:  $EXTIP"
echo "  Server:    $SRVIP"
echo "  Local Net: $INTNET"
echo "****************************************"

#Load Modules
echo "Verifying Modules..."
$DEPMOD -a
echo "Loading Modules:"
$INSMOD ip_tables
$INSMOD ip_conntrack
$INSMOD ip_conntrack_ftp
$INSMOD iptable_nat
$INSMOD ip_nat_ftp

echo "Enabling Forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

echo "Setting default policy and flushing..."
$IPT -F
$IPT -P INPUT ACCEPT
$IPT -F INPUT
$IPT -P OUTPUT ACCEPT
$IPT -F OUTPUT
$IPT -P FORWARD ACCEPT
$IPT -F FORWARD
$IPT -t nat -F
$IPT --delete-chain
$IPT -t nat --delete-chain

echo "Allowing connections out, and established or related in..."
#NOTE: this block of code does not work, and is no longer needed.
#$IPT -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
#$IPT -A FORWARD -j LOG
#$IPT -t nat -A POSTROUTING -o $EXTIF -s 192.168.0.20/32 -j MASQUERADE
#$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#$IPT -A FORWARD -i $INTIF -j ACCEPT

echo "Enabling Masquerading..."

###################
# SNAT
###################
#internal to external connections get the external ip as their source
$IPT -t nat -A POSTROUTING -s $INTNET -o $EXTIF -j SNAT --to $EXTIP
#if an internal to internal request, DNAT to firewall's internal ip
$IPT -t nat -A POSTROUTING -s $INTNET -o $INTIF -d $SRVIP -j SNAT --to $INTIP

###################
# DNAT
###################
#if an internal to external request, DNAT to server's ip
$IPT -t nat -A PREROUTING -s $INTNET -i $INTIF -d $EXTIP -j DNAT --to $SRVIP
#DNAT external incoming requests for web, mail, or ftp.
$IPT -t nat -A PREROUTING -p tcp --dport 80 -i $EXTIF -j DNAT --to $SRVIP
$IPT -t nat -A PREROUTING -p tcp --dport 21 -i $EXTIF -j DNAT --to $SRVIP
$IPT -t nat -A PREROUTING -p tcp --dport 25 -i $EXTIF -j DNAT --to $SRVIP

echo "[COMPLETE]"
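The following is an added example, not Shawn's script and not posted by anyone in this thread: the same router layout (eth0 outside, eth1 inside, server at 192.168.0.15, hairpin NAT for LAN clients using the external address) written with the FORWARD policy already at DROP. Only reply traffic, LAN-originated connections, and new connections to the three published server ports are forwarded, and a LOG rule sits in front of the drop policy so that an external connection attempt that reaches the router but is not forwarded leaves a trace in the kernel log. The DRY_RUN switch, the ipt wrapper, and the placeholder external address 203.0.113.10 (a constructed documentation address; read it from the interface in production) are assumptions of this example.

```shell
#!/bin/sh
# Added example: NAT router with a default-DROP FORWARD chain.
# DRY_RUN=1 prints the iptables commands instead of running them, so the
# rule set can be reviewed on a machine without iptables.
EXTIF="eth0"
INTIF="eth1"
INTIP="192.168.0.1"
SRVIP="192.168.0.15"
INTNET="192.168.0.0/24"
EXTIP="${EXTIP:-203.0.113.10}"   # constructed placeholder external address
SRV_PORTS="80 21 25"              # web, ftp, smtp published to the outside

# ipt: run iptables, or echo the command line when DRY_RUN=1
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

build_rules() {
    # Flush everything, then set the policies.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -t nat -X
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    # Packets belonging to connections conntrack already knows, both ways.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Connections started on the LAN may leave.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    # Hairpinned LAN traffic (DNAT'ed back onto the LAN) re-enters and
    # leaves on the same interface.
    ipt -A FORWARD -i "$INTIF" -o "$INTIF" -j ACCEPT
    # From outside, only new connections to the published server ports;
    # after PREROUTING DNAT the destination is already the server's address.
    for port in $SRV_PORTS; do
        ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$SRVIP" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Anything else is logged before the DROP policy discards it.
    ipt -A FORWARD -j LOG --log-prefix "FWD-DROP: "

    # DNAT: external requests for the published ports go to the server.
    for port in $SRV_PORTS; do
        ipt -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$SRVIP"
        # Hairpin: LAN clients that use the external address reach the
        # server too, but only on the same ports.
        ipt -t nat -A PREROUTING -i "$INTIF" -s "$INTNET" -d "$EXTIP" \
            -p tcp --dport "$port" -j DNAT --to-destination "$SRVIP"
    done
    # Hairpinned requests get the router's LAN address as source so the
    # server's replies return through the router to be un-NATed.
    ipt -t nat -A POSTROUTING -o "$INTIF" -s "$INTNET" -d "$SRVIP" \
        -j SNAT --to-source "$INTIP"
    # LAN to Internet: rewrite the source to the external address.
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j SNAT --to-source "$EXTIP"
}

# dry_rules prints the full rule set without touching the kernel.
dry_rules() (
    DRY_RUN=1
    build_rules
)

# apply_rules enables forwarding and loads the rules for real.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules
}

case "${1:-}" in
    show)  dry_rules ;;
    apply) apply_rules ;;
esac
```

Run `sh fw.sh show` to review the rule set and `sh fw.sh apply` on the router to load it. When an external test still fails, the per-rule packet counters from `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show how far the packets get: a DNAT counter that stays at zero during the test means the request never reached eth0 at all, while a rising DNAT counter with "FWD-DROP:" entries in the kernel log means the packet arrived but was not matched by a FORWARD accept rule.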
