[lug] using iptables for exposing web servers on public IPs?
David Anselmi
anselmi at anselmi.us
Thu Apr 7 20:15:46 MDT 2005
Siegfried Heintze wrote:
[...]
> iptables -I FORWARD -d 209.97.230.252 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -I PREROUTING -p tcp -d 209.97.230.252 -i vlan1 --dport 80
> -j DNAT --to 192.168.1.252
>
> I'm trying to forward requests for 209.97.230.252 to my internal network
> address of 192.168.1.252.
You should look at the picture here:
http://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html
(there's a better one that shows the NAT chains somewhere, but I don't
remember where--google knows).
IIRC, the PREROUTING (for DNAT) chain happens just after the Incoming
label (before the routing decision) and the POSTROUTING (for SNAT) just
before the Outgoing label. That's nice because then you refer to all
your internal machines by their internal addresses in the filter table.
So you've got your NAT interfering with your filter. Try:
iptables -I FORWARD -d 192.168.1.252 -p tcp --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp -d 209.97.230.252 -i vlan1 \
--dport 80 -j DNAT --to 192.168.1.252
You ought to be able to ask the box what its external interface is (with
ifconfig, maybe?) to figure out what to put in for vlan1.
Pay attention to the difference between -A and -I so you get the rules
in the right order. And realize that without state matching the rules
apply to "inbound packets", not "incoming connections" (or just ignore
me if that's confusing).
Dave
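The ordering Dave describes (nat/PREROUTING before the routing decision, filter/FORWARD after it, so FORWARD only ever sees the DNAT-rewritten destination) can be checked with a small model of the chain traversal. The following is an added illustration, not code from the thread or from netfilter: it replays Siegfried's original rules, Dave's corrected rules, and a rule set that appends the ACCEPT after an existing catch-all DROP (Dave's -A vs -I caveat) against one constructed inbound packet. The client address 198.51.100.7 and the default FORWARD policy of DROP are assumptions made for the example.

```python
# Toy model of netfilter chain traversal, added as an illustration of the
# post's point; not code from the thread or from netfilter. Hook order,
# first-match semantics and -I/-A placement follow the iptables documentation.
# Constructed assumptions: client 198.51.100.7, FORWARD policy DROP.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str


@dataclass(frozen=True)
class Rule:
    table: str                      # "nat" or "filter"
    chain: str                      # "PREROUTING" or "FORWARD"
    target: str                     # "ACCEPT", "DROP" or "DNAT"
    dst: Optional[str] = None       # -d
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    in_iface: Optional[str] = None  # -i
    to: Optional[str] = None        # --to (DNAT only)

    def matches(self, pkt: Packet) -> bool:
        # Every match option present on the rule must agree with the packet.
        checks = [(self.dst, pkt.dst), (self.proto, pkt.proto),
                  (self.dport, pkt.dport), (self.in_iface, pkt.in_iface)]
        return all(want is None or want == got for want, got in checks)


def insert(rules: List[Rule], rule: Rule) -> None:
    rules.insert(0, rule)  # iptables -I: rule goes to the head of the chain


def append(rules: List[Rule], rule: Rule) -> None:
    rules.append(rule)     # iptables -A: rule goes to the tail of the chain


def run_chain(rules: List[Rule], table: str, chain: str,
              pkt: Packet) -> Tuple[Optional[str], Packet]:
    """First matching rule in the chain decides; (None, pkt) if none matched."""
    for r in rules:
        if (r.table, r.chain) != (table, chain) or not r.matches(pkt):
            continue
        if r.target == "DNAT":
            return "DNAT", replace(pkt, dst=r.to)  # rewrite the destination
        return r.target, pkt
    return None, pkt


def forward_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk a packet arriving from outside through the hooks in order."""
    # 1. nat/PREROUTING runs before the routing decision; an unmatched
    #    packet just falls through (the nat table never drops anything).
    _, pkt = run_chain(rules, "nat", "PREROUTING", pkt)
    # 2. Routing decision: the (possibly rewritten) destination is not a
    #    local address, so the packet goes to FORWARD. Local delivery is
    #    not modelled here.
    # 3. filter/FORWARD sees the already-rewritten destination.
    verdict, pkt = run_chain(rules, "filter", "FORWARD", pkt)
    return (verdict or "DROP"), pkt.dst  # "DROP" is the assumed chain policy


PUBLIC, INTERNAL = "209.97.230.252", "192.168.1.252"
DNAT_RULE = Rule("nat", "PREROUTING", "DNAT", dst=PUBLIC, proto="tcp",
                 dport=80, in_iface="vlan1", to=INTERNAL)


def original_rules() -> List[Rule]:
    """Siegfried's rules: FORWARD filters on the public address."""
    rules: List[Rule] = []
    insert(rules, Rule("filter", "FORWARD", "ACCEPT", dst=PUBLIC, proto="tcp", dport=80))
    insert(rules, DNAT_RULE)
    return rules


def corrected_rules() -> List[Rule]:
    """Dave's fix: FORWARD filters on the internal address DNAT produces."""
    rules: List[Rule] = []
    insert(rules, Rule("filter", "FORWARD", "ACCEPT", dst=INTERNAL, proto="tcp", dport=80))
    insert(rules, DNAT_RULE)
    return rules


def misordered_rules() -> List[Rule]:
    """Right address, wrong flag: -A lands the ACCEPT behind a catch-all DROP."""
    rules: List[Rule] = []
    append(rules, Rule("filter", "FORWARD", "DROP"))  # pre-existing catch-all
    append(rules, Rule("filter", "FORWARD", "ACCEPT", dst=INTERNAL, proto="tcp", dport=80))
    insert(rules, DNAT_RULE)
    return rules


# Constructed sample: a web request from an outside client arriving on vlan1.
REQUEST = Packet(src="198.51.100.7", dst=PUBLIC, proto="tcp", dport=80, in_iface="vlan1")

if __name__ == "__main__":
    print("original  :", forward_packet(original_rules(), REQUEST))   # ('DROP', '192.168.1.252')
    print("corrected :", forward_packet(corrected_rules(), REQUEST))  # ('ACCEPT', '192.168.1.252')
    print("misordered:", forward_packet(misordered_rules(), REQUEST)) # ('DROP', '192.168.1.252')
```

The model deliberately ignores connection tracking: as Dave notes, without a state match these rules judge individual inbound packets, not connections, so a real rule set would normally pair the port-80 ACCEPT with a conntrack rule for ESTABLISHED,RELATED traffic.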