Chris, I don't know iptables, but I had a similar problem using ipchains and ipmasqadm. It turned out that my ISP was blocking port 80. You may want to check up on this.
Roger On Sun, 16 Sep 2001, Chris Sanner [Hitchhiker] wrote: > I've got a home network that I want to use in several ways. > a) I want my internal computers to be able to use the gateway interface to get > out to the internet, and > b) I only want ssh and http requests back in. > > the catch is I want the http requests forwarded to the internal IP > 192.168.42.10 > and not the gateway. somehow, this doesn't work when I try to set it up > from the howto's and documentation I've found... > > here are my rules so far (without the full functionality I want. This is just > for internal stuff getting out to the 'net, and nothing but ssh getting in): > hex:/home/csanner# iptables -L > Chain INPUT (policy DROP) > target prot opt source destination > icmp_packets icmp -- anywhere anywhere > tcp_packets tcp -- anywhere anywhere > udpincoming_packets udp -- anywhere anywhere > ACCEPT all -- anywhere 192.168.42.255 > ACCEPT all -- anywhere localhost > ACCEPT all -- anywhere hex > ACCEPT all -- anywhere cj4042-a.manss1.va.home.comstate > RELATED,ESTABLISHED > LOG all -- anywhere anywhere limit: avg 3/min > burst 3 LOG level debug prefix `IPT INPUT packet died: ' > > Chain FORWARD (policy DROP) > target prot opt source destination > ACCEPT all -- anywhere anywhere > ACCEPT all -- anywhere anywhere state > RELATED,ESTABLISHED > LOG all -- anywhere anywhere limit: avg 3/min > burst 3 LOG level debug prefix `IPT FORWARD packet died: ' > > Chain OUTPUT (policy DROP) > target prot opt source destination > ACCEPT all -- localhost anywhere > ACCEPT all -- hex anywhere > ACCEPT all -- cj4042-a.manss1.va.home.com anywhere > LOG all -- anywhere anywhere limit: avg 3/min > burst 3 LOG level debug prefix `IPT OUTPUT packet died: ' > > Chain allowed (3 references) > target prot opt source destination > ACCEPT tcp -- anywhere anywhere tcp > flags:SYN,RST,ACK/SYN > ACCEPT tcp -- anywhere anywhere state > RELATED,ESTABLISHED > DROP tcp -- anywhere anywhere > > Chain icmp_packets (1 references) > target prot opt source destination > ACCEPT icmp -- anywhere anywhere icmp echo-reply > ACCEPT icmp -- anywhere anywhere icmp > destination-unreachable > ACCEPT icmp -- anywhere anywhere icmp redirect > ACCEPT icmp -- anywhere anywhere icmp time-exceeded > > Chain tcp_packets (1 references) > target prot opt source destination > allowed tcp -- anywhere anywhere tcp dpt:ssh > allowed tcp -- anywhere anywhere tcp dpt:www > allowed tcp -- anywhere anywhere tcp dpt:auth > > Chain udpincoming_packets (1 references) > target prot opt source destination > ACCEPT udp -- anywhere anywhere udp spt:domain > ACCEPT udp -- anywhere anywhere udp spt:ntp > ACCEPT udp -- anywhere anywhere udp spt:2074 > ACCEPT udp -- anywhere anywhere udp spt:4000 > > and here is the script I run to set those rules up: > hex:/home/csanner# more /etc/init.d/rc.firewall > #!/bin/sh > # > # rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x > # > # Author: Oskar Andreasson <[EMAIL PROTECTED]> > # (c) of BoingWorld.com, use at your own risk, do whatever you please with > # it as long as you don't distribute this with due credits to > # BoingWorld.com > # > > ########### > # Configuration options, these will speed you up getting this script to > # work with your own setup. > > # > # your LAN's IP range and localhost IP. /24 means to only use the first 24 > # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 > # > # STATIC_IP is used by me to allow myself to do anything to myself, might > # be a security risc but sometimes I want this. If you don't have a static > # IP, I suggest not using this option at all for now but it's still > # enabled per default and will add some really nifty security bugs for all > # those who skips reading the documentation=) > > LAN_IP_RANGE="192.168.42.0/24" > LAN_IP="192.168.42.1/32" > LAN_BCAST_ADRESS="192.168.42.255/32" > LOCALHOST_IP="127.0.0.1/32" > STATIC_IP="24.7.168.191/32" > INET_IFACE="eth1" > LAN_IFACE="eth0" > IPTABLES="/sbin/iptables" > > ######### > # Load all required IPTables modules > # > > # > # Needed to initially load modules > # > #/sbin/depmod -a > > # > # Adds some iptables targets like LOG, REJECT and MASQUARADE. > # > #/sbin/modprobe ipt_LOG > #/sbin/modprobe ipt_REJECT > #/sbin/modprobe ipt_MASQUERADE > > # > # Support for owner matching > # > #/sbin/modprobe ipt_owner > > # > # Support for connection tracking of FTP and IRC. > # > #/sbin/modprobe ip_conntrack_ftp > #/sbin/modprobe ip_conntrack_irc > > > #CRITICAL: Enable IP forwarding since it is disabled by default. > # > echo "1" > /proc/sys/net/ipv4/ip_forward > > > # Dynamic IP users: > # > # If you get your IP address dynamically from SLIP, PPP, or DHCP, enable > this > # option. This enables dynamic-ip address hacking in IP MASQ, making > the > connection > # with Diald and similar programs much easier. > # > #echo "1" > /proc/sys/net/ipv4/ip_dynaddr > > # Enable simple IP FORWARDing and Masquerading > # > # NOTE: The following is an example for an internal LAN, where the lan > # runs on eth1, and the Internet is on eth0. > # > # Please change the network devices to match your own configuration. > # > > $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE > $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT > $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG > --log-leve > l DEBUG --log-prefix "IPT FORWARD packet died: " > > # > # set default policies for the INPUT, FORWARD and OUTPUT chains > # > > $IPTABLES -P INPUT DROP > $IPTABLES -P OUTPUT DROP > $IPTABLES -P FORWARD DROP > > # > # Create separate chains for ICMP, TCP and UDP to traverse > # > > $IPTABLES -N icmp_packets > $IPTABLES -N tcp_packets > $IPTABLES -N udpincoming_packets > > # > # the allowed chain for TCP connections > # > # This chain will be utilised if someone tries to connect to an allowed > # port from the internet. If they are opening the connection, or if it's > # already established we ACCEPT the packages, if not we fuck them. This is > # where the state matching is performed also, we allow ESTABLISHED and > # RELATED packets. > > $IPTABLES -N allowed > $IPTABLES -A allowed -p TCP --syn -j ACCEPT > $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT > $IPTABLES -A allowed -p TCP -j DROP > > # > # ICMP rules > # > > $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT > $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT > $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT > $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT > > # > # TCP rules > # > > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed > > # added by Hitch for packet forwarding > > # > # UDP ports > # > > $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT > $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT > $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT > $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT > > # > # PREROUTING chain. > # > # Do some checks for obviously spoofed IP's > # > > $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP > $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP > $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP > > # > # INPUT chain > # > # establish the basic INPUT chain and filter the packets onto the correct > # chains. > # > > > $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets > $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets > $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets > > $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT > $IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT > $IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT > $IPTABLES -A INPUT -p ALL -d $STATIC_IP -m state --state ESTABLISHED,RELATED > -j > ACCEPT > $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG > --log-level > DEBUG --log-prefix "IPT INPUT packet died: " > > # > # OUTPUT chain > # > # establish the basic OUTPUT chain and filter them onto the correct chain > # > > $IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT > $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT > $IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT > $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG > --log-level > DEBUG --log-prefix "IPT OUTPUT packet died: " > > ___________________________________________________________________ > > can anyone give me a hand with getting all this working? > > > -- > _____________________________________________ > Christopher Sanner | mailto:[EMAIL PROTECTED] > Phone :571-277-0206 | http://osf1.gmu.edu/~csanner/ > Contractor to VistaRMS > President and Co-Founder MasonLUG > finger [EMAIL PROTECTED] for pgp key and geek code block > > You will find that the State is the kind of organization which, while it does > big things badly, does small things badly too. > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > >
