[CentOS] iptables problem

joseph medina

condorcu at yahoo.es
Mon May 23 17:17:30 UTC 2005 

Some day ago, a friend post one problem for mi. whist
this texts:

I have a server whit 2 interfaces of network, where
eth0 is the interfaces
connetc to internet and eth1 to the internal network.
This server hace a
Squid only, but i setting the iptables for protection
to the server.
Iptables run from script and in this script i setting
the redirection for
the other server in my internal network to port 80 and
443. I follow the
diferent how to and many manual, but the redirect no
work, the NAT
POSTROUTING work and the squid work to. My DNS is Ok,
because the consult
whit dig command the answer is the assigned ip. Here
put the copy of my
script:

I was do all instruccion for that problem but I have
the same problem, te server dont redirect to webserver
for ports 80 and 443 all the rest services are ok only
that services have problems, thanks for all

now my /etc/sysconfig/iptables is this:

# Firewall configuration written by
redhat-config-securitylevel
# Manual customization of this file is not
recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
#-A INPUT -j RH-Firewall-1-INPUT
#-A FORWARD -j RH-Firewall-1-INPUT
#-A RH-Firewall-1-INPUT -i lo -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j
ACCEPT
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state
ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p
tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p
tcp --dport 80 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p
tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p
tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with
icmp-host-prohibited
#todo al localhost y a infocom
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s rango_ip -d 0/0 -p all -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/24 -d 172.16.0.1/32 -p
all -j ACCEPT
#negamos el ping
-A INPUT -i eth0 -p ICMP --icmp-type echo-request -j
DROP
-A INPUT -i eth1 -p ICMP --icmp-type echo-request -j
DROP
## SALIDA SMTP - Para que el servidor se pueda
conectar a otros MTA
# Permitir salida SMTP
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
## DNS Completo. ACEPTADO.
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
## SQUID
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
## FORWARD
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 80
-j ACCEPT
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 443
-j ACCEPT
-A FORWARD -i eth1 -p tcp -d 172.16.0.3/32 --dport 80
-j ACCEPT
-A FORWARD -i eth1 -p tcp -d 172.16.0.3/32 --dport 443
-j ACCEPT
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 53
-j ACCEPT
-A FORWARD -i eth1 -p udp -s 172.16.0.0/24 --dport 53
-j ACCEPT
##OUTPUT
-A OUTPUT -o eth1 -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth1 -p tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth1 -p tcp --dport 80 -m state --state
NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p tcp --dport 443 -m state --state
NEW,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
##NAT e intranet des de el portal
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to
172.16.0.3:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to
172.16.0.3:443
-A PREROUTING -i eth0 -p tcp --dport 80 -m state
--state NEW,ESTABLISHED -j ACCEPT
-A PREROUTING -i eth0 -p tcp --dport 443 -m state
--state NEW,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.10/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.9/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.138/32 -o eth0 -j
MASQUERADE
COMMIT
--------------------------------------------------------------
my /etc/sysconfig/iptables-

# Additional iptables modules (nat helper)
# Default: -empty-
IPTABLES_MODULES="ip_nat_ftp"

# Save current firewall rules on stop.
# Value: yes|no,  default: no
#IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
# Value: yes|no,  default: no
#IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule counter.
# Value: yes|no,  default: no
#IPTABLES_SAVE_COUNTER="no"

# Numeric status output
# Value: yes|no,  default: no
#IPTABLES_STATUS_NUMERIC="no"
-----------------------------------------

the command iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  200.55.135.8/29      anywhere
ACCEPT     all  --  172.16.0.0/24       
valinor.mincex.org
DROP       icmp --  anywhere             anywhere     
     icmp echo-request
DROP       icmp --  anywhere             anywhere     
     icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere     
     tcp spt:smtp
ACCEPT     tcp  --  anywhere             anywhere     
     tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere     
     tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere     
     udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere     
     tcp dpt:squid

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  172.16.0.0/24        anywhere     
     tcp dpt:http
ACCEPT     tcp  --  172.16.0.0/24        anywhere     
     tcp dpt:https
ACCEPT     tcp  --  anywhere            
armagedon.mincex.orgtcp dpt:http
ACCEPT     tcp  --  anywhere            
armagedon.mincex.orgtcp dpt:https
ACCEPT     tcp  --  172.16.0.0/24        anywhere     
     tcp dpt:domain
ACCEPT     udp  --  172.16.0.0/24        anywhere     
     udp dpt:domain

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere     
     tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere     
     tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere     
     state NEW,ESTABLISHED tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere     
     state NEW,ESTABLISHED tcp dpt:https

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere     
     state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere     
     state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere     
     state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere     
     reject-with icmp-host-prohibited

--------------------------------------------------------

and the command iptables -L -t nat

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere     
     tcp dpt:http to:172.16.0.3:80
DNAT       tcp  --  anywhere             anywhere     
     tcp dpt:https to:172.16.0.3:443
ACCEPT     tcp  --  anywhere             anywhere     
     state NEW,ESTABLISHED tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere     
     state NEW,ESTABLISHED tcp dpt:https

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  ariadne.mincex.org   anywhere
MASQUERADE  all  --  172.16.0.10          anywhere
MASQUERADE  all  --  172.16.0.9           anywhere
MASQUERADE  all  --  maprinter.mincex.org  anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination






		
______________________________________________ 
Renovamos el Correo Yahoo! 
Nuevos servicios, más seguridad 
http://correo.yahoo.es

More information about the CentOS mailing list