I have a server with 2 network interfaces, where eth0 is the interface connected to the internet and eth1 to the internal network. This server has only a Squid, but I am setting up iptables to protect the server. Iptables runs from a script, and in this script I set up the redirection for the other server in my internal network on ports 80 and 443. I followed the different how-tos and many manuals, but the redirect does not work; the NAT POSTROUTING works and the Squid works too. My DNS is OK, because when I query with the dig command the answer is the assigned IP. Here I put a copy of my script:
--------------- Begin the Script
# Delete rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F

## Load modules
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

## Flush the rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

## Default policy
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

## Filter begin
## Note: eth0 is the network interface connected to the router and
## eth1 is connected to the LAN

## Allow everything on localhost
iptables -A INPUT -i lo -j ACCEPT

## DROP pings on eth0
iptables -A INPUT -i eth0 -p ICMP --icmp-type echo-request -j DROP

## Accept all packets from the router
iptables -A INPUT -i eth0 -s rango_ip/29 -d 0/0 -p all -j ACCEPT
iptables -A INPUT -i eth1 -s 172.16.0.0/24 -d 172.16.0.211/32 -p all -j ACCEPT

## Redirect to the web server
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.0.3:443

iptables -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 443 -j ACCEPT

iptables -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp -s 172.16.0.0/24 --dport 53 -j ACCEPT

## DNS fully accepted
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT

## SQUID
iptables -A INPUT -p tcp -m tcp --sport 3128 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 3128 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 3128 -j ACCEPT

# Close the well-known port range on eth0
iptables -A INPUT -s 0.0.0.0/0 -i eth0 -p tcp --dport 1:1024 -j DROP
iptables -A INPUT -s 0.0.0.0/0 -i eth0 -p udp --dport 1:1024 -j DROP

# Close the Webmin port on eth0
iptables -A INPUT -s 0.0.0.0/0 -i eth0 -p tcp --dport 10000 -j DROP

## Logging
# Log all packets reaching the end of INPUT, OUTPUT and FORWARD
iptables -A INPUT -j LOG --log-level info
iptables -A OUTPUT -j LOG --log-level info
iptables -A FORWARD -j LOG --log-level info

## End of the filter table

## General MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.10/32 -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.16.0.1/32 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.9/32 -o eth0 -j MASQUERADE

## Forward between the network interfaces
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables -L -n > /etc/sysconfig/show
/usr/bin/less /etc/sysconfig/show
-----------------------------End of Script
The output of the command "iptables -L -t nat" shows me this:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:www to:172.16.0.3:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:172.16.0.3:443
Any solution?

Regards,
David
_________________________________________ Tec. David Gonzalez Romero Network/System Administrator CNAP- Centro Nacional Áreas Protegidas Linux counter: 242534 _________________________________________
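As an added example (it is not the poster's script and does not claim to diagnose why his redirect fails), here is a smaller rule set for the same topology: eth0 as the internet side, eth1 as the LAN, and the web server 172.16.0.3 from the post. It goes beyond the posted script in one respect: the FORWARD chain is default-deny and stateful instead of ACCEPT-all, so only the DNAT'ed ports and LAN-originated traffic are forwarded. The `IPT` variable defaults to a dry-run `echo iptables` so the generated rules can be reviewed before they are applied with `IPT=iptables` as root; that dry-run convention, the function names and the `ip_forward_enabled` check are my own, not part of the original post.

```sh
#!/bin/sh
# Added example, not the poster's script. Assumed topology: eth0 = WAN,
# eth1 = LAN, 172.16.0.3 = internal web server (addresses taken from the post).
# IPT defaults to a dry run that only prints the rules; run with IPT=iptables
# (as root) to apply them.
IPT="${IPT:-echo iptables}"
WAN=eth0
LAN=eth1
LAN_NET=172.16.0.0/24
WEB=172.16.0.3

# Emit the NAT and filter rules for forwarding TCP port $1 from the WAN
# interface to $WEB. Two rules are needed: the DNAT itself, and a FORWARD
# accept that matches the *translated* destination, because the filter
# FORWARD chain runs after nat PREROUTING has rewritten the address.
forward_port() {
    port="$1"
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
        -j DNAT --to-destination "$WEB:$port"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

# Base forwarding policy: deny by default, allow replies to accepted
# connections, let the LAN out and masquerade it behind the WAN address.
base_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

# Complete rule set: base policy plus the two forwarded web ports.
all_rules() {
    base_rules
    forward_port 80
    forward_port 443
}

# Diagnostic: with ip_forward at 0 a DNAT'ed packet is still shown in
# PREROUTING but is never forwarded. Returns 0 when forwarding is enabled.
ip_forward_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

all_rules
if ip_forward_enabled; then
    echo "# ip_forward is enabled"
else
    echo "# ip_forward is NOT enabled (or not readable): DNAT alone will not forward"
fi
```

Two points the dry-run output makes visible: the FORWARD accept for a DNAT'ed port has to name the internal address (172.16.0.3), not the public one, and with a DROP policy on FORWARD the `ESTABLISHED,RELATED` rule is what lets the web server's replies back out. Comparing `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` packet counters after a test connection shows at which of those two stages the traffic stops.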