topic Re: DNAT to web server inside internal network in Operating System - Linux

DNAT to web server inside internal network

debian111 — Mon, 05 Jun 2006 01:29:45 GMT

Hello all,

I am trying to route traffic from internet to my web server which is located inside my local network ( please see attachment ) to acomplish this I am using iptables ( script in attachment )
but because of some reason when I enter ip address of machine with two NICs ( one with public IP address and one with private IP address ) I simpli do not receive web page from web server from my internal network.

So please take I look in attachment and write down your opinions. I put 10.1.1.1 and 10.1.1.2 addresses but perhaps the mistake is lying there. Which ip address should I assign to eth1 ( I assigned 10.1.1.1, and 10.1.1.2 to my web server, but i tried with same address for eth1 and web server but it did not works )

Every comment is welcome.
Thank you.

Re: DNAT to web server inside internal network

Logu_2 — Mon, 05 Jun 2006 05:29:28 GMT

You have to either Source NAT the incoming connection or have to setup the gateway for webserver as the private IP of the public IP machine (10.1.1.2) and Masquerade the outgoing connection in the public IP machine.

It will be something simillar to

Method 1:

On the public machine:

iptables -t nat -A PREROUTING -d 150.1.1.1 -p tcp -dport 80 -j DNAT --to-destination 10.1.1.2:80

iptables -t nat -A POSROUTING -d 10.1.1.1 -p tcp -dport 80 -j SNAT --to-source 10.1.1.2

Method 2:

On the Public machine:
iptables -t nat -A PREROUTING -d 150.1.1.1 -p tcp -dport 80 -j DNAT --to-destination 10.1.1.2:80

iptables -t nat -A PREROUTING -j MASQUERADE.

one the webserver:

route del default
route add default gw 10.1.1.2

Fine tune as per your requirements.

-logu

Re: DNAT to web server inside internal network

Steven E. Protter — Mon, 05 Jun 2006 05:40:48 GMT

Shalom,

You need port forwarding.

I've found iptables a bit byzantine to work with.

http://www.fs-security.com

Firestarter is iptables based, configurable in X Windows via a gui and works very well.

SEP

Re: DNAT to web server inside internal network

debian111 — Tue, 06 Jun 2006 01:19:37 GMT

Hi ,

I did as Logu suggested me I mean I put this into my script
#!/bin/bash

echo "0" > /proc/sys/net/ipv4/ip_forward

iptables -F FORWARD

iptables -F -t nat
iptables -F -t mangle

iptables -X -t nat
iptables -X -t mangle

iptables -P FORWARD DROP

iptables -t nat -A PREROUTING -d 150.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.2:80
iptables -t nat -A POSTROUTING -d 10.1.1.1 -p tcp --dport 80 -j SNAT --to-source 10.1.1.2

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/ip_forward

and after starting script and issuing iptables -t nat -L from command line I got output as follows

debian:/# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere debian tcp dpt:www to:10.1.1.2:80

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere 10.1.1.1 tcp dpt:www to:10.1.1.2

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
debian:/#

But I still can not receive web page from my web server which ip address is 10.1.1.2 , I really cannot find out what I made wrong. Any suggestion will help me .
I mean is there any kind of other features that I forgot to implement, I am new in this field and I do not have much experinnce in working with iptables.

Regards

Re: DNAT to web server inside internal network

Logu_2 — Tue, 06 Jun 2006 06:15:06 GMT

I guess the problem is with the FORWARD policy which is set to DROP. You have to explicitly allow this traffic in the FORWARD chain or change the policy to ACCEPT.

BTW, -X is to delete the userdefined chains.

Just use this set of rules and let me know.

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle

iptables -t nat -A PREROUTING -s ! 10.1.1.1 -d 150.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.2:80
iptables -t nat -A POSTROUTING -d 10.1.1.1 -p tcp --dport 80 -j SNAT --to-source 10.1.1.2

-logu

Re: DNAT to web server inside internal network

Delrish — Tue, 06 Jun 2006 09:02:42 GMT

Do you enable the ip forwarding in your kernel? please check /etc/sysctl.conf, you should have net.ipv4.ip_forward = 1
. if net.ipv4.ip_forward = 0 change it to "1" and execute sysctl -p on command line.

Re: DNAT to web server inside internal network

debian111 — Wed, 07 Jun 2006 00:57:37 GMT

Hi ,

I tried what Logu suggested me last day, but unfortunately I did not get expected result.

Alireza says that I should enable ip forwarding
and I thought about that, I did not change anything in /etc/sysctl.conf file actually in that file I have

/etc# cat sysctl.conf |more
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
#net/ipv4/icmp_echo_ignore_broadcasts=1

What do you think should I make somthing with
/etc/iproute2 file, and add some routes with
route add ( something like that ).
What do you think? Is neccessary first make possibele to "see" each other interfaces eth0 and eth1, in order to exchange packets.

I am really interested in making nat on my computer using iptables software package.

Any suggestion, advice, will help me, and thanks for this help

Regards

Re: DNAT to web server inside internal network

debian111 — Wed, 07 Jun 2006 01:52:07 GMT

Should I change some options in /etc/network/options?
I will try this today leter.

/etc/network# cat options
ip_forward=no ( I mean this change to yes )
spoofprotect=yes
syncookies=no

Regards

Re: DNAT to web server inside internal network

Logu_2 — Wed, 07 Jun 2006 02:56:47 GMT

Could you give me a simple diagram (.jpg) with your network details, inlcuding from where you are trying to access the webserver. From webserver network or from the Machine A?

Are you able to access your webserver from 10.1.1.2 using the the IP 10.1.1.1, something like http://10.1.1.1 ?

Please give the output of the following commands from the webserver(10.1.1.1) and from the gateway (10.1.1.2)

On the webserver (10.1.1.1):
/sbin/route -n
/sbin/iptables -L -n -v
/sbin/iptables -t nat -L -n -v

Try to access the webserver from machine A, after giving the following command and note down the output
/usr/sbin/tcpdump -nei eth0 port 80

On the gateway (10.1.1.2):
/sbin/route -n
/sbin/iptables -L -n -v
/sbin/iptables -t nat -L -n -v
cat /proc/sys/net/ipv4/ip_forward

-logu

Re: DNAT to web server inside internal network

Delrish — Wed, 07 Jun 2006 03:07:08 GMT

you should enable the ip forwarding. this option is disblaed by default. please dothe following command.

echo "1" > /proc/sys/net/ipv4/ip_forward

Re: DNAT to web server inside internal network

Delrish — Wed, 07 Jun 2006 03:09:19 GMT

Also please check the rules on your webserver. try the following commands on your webserver to flush the rules on it.

iptables -t nat -F
iptables -F

Re: DNAT to web server inside internal network

debian111 — Wed, 07 Jun 2006 03:51:43 GMT

I attached diagram. I am trying to access to web serer from some internet connected mashine which have public ip address, on diagram I signed it as machineA, it can be some machine B, C ...no mater. From firewall machine when I enter http://10.1.1.1 into browser, I can acess to webserver, and from firewall I can ping 10.1.1.1--web server, but when I try to access to web server from some machine which is connected to eth0=150.1.1.1 ( it is home environment and I am trying access to webserver using notebook with an ip address 150.1.1.2 ( machineA)----I can not do that? I am testing this without internet connection at home. I maen I do not care about IP addresses because it is closed system. All machines are connected with crossover cables, I mean from machineA-from(eth0)----to-(eth0)---firewall-from(eth1)---to--(eth0)-webserver
is crossover cable as connection

Other tests I will try today later and put output tomorrow

Thank you for you help.

Re: DNAT to web server inside internal network

Delrish — Wed, 07 Jun 2006 04:05:46 GMT

Would you please provide the following information from both the servers

uname -a
ifconfig
netstat -rn
iptables -L
iptables -t nat -L
cat /proc/sys/net/ipv4/ip_forward
lsmod
ping 10.1.1.1
ping 10.1.1.2
traceroute 10.1.1.1
traceroute 150.1.1.2

Re: DNAT to web server inside internal network

kcpant — Wed, 07 Jun 2006 08:14:41 GMT

Hi Debian,

Probably everybody mistaken unintentionaly game of .1 & .2 in your table ( may be I'm wrong!)

So, the rule for NATing in your case is:

IP of External NIC of firewall -> IP of your web server

thus,as I have seen the IP of Web server is 10.1.1.1, the iptable lines should be:
iptables -t nat -A PREROUTING -d 150.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.1:80
iptables -t nat -A POSTROUTING -d 10.1.1.1 -p tcp --dport 80 -j SNAT --to-source 10.1.1.2

You also have to configure sysctl.conf for ip forwarding as illustrated above, and also make rules for forward table (for allowing forwarding traffic from firewaal to web server & vice versa) in iptables script.
Also make sure you have hosted website on port 80 only.

Hope it will work..
regards,

Re: DNAT to web server inside internal network

kcpant — Wed, 07 Jun 2006 08:17:07 GMT

Add to earlier reply, the postrouting line should have source (-s) instead of destination (-d).

Re: DNAT to web server inside internal network

Delrish — Wed, 07 Jun 2006 08:38:51 GMT

First of all, you made a mistake, you can get the webserver through the 150.1.1.1 ip address from 150.1.1.2
So please change your rules as below:

iptables -t nat -A PREROUTING -p tcp -d 150.1.1.1 --dport 80 -j DNAT --to-destination 10.1.1.1

please flush the other rules befor apply the above one.
iptables -t nat -F
iptables -F

Now you can get the page with http://150.1.1.1

Re: DNAT to web server inside internal network

debian111 — Thu, 08 Jun 2006 01:31:34 GMT

After issuing tcpdump -nei eth0 port 80 on server 10.1.1.1 I got the following output

[root@server /]# tcpdump -nei eth0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

then I tried to ping 10.1.1.1 from mechineA =150.1.1.1

debian:/# ping 10.1.1.1
connect: Network is unreachable
debian:/#

Rules I had on firewall are listed bellow

makina:/# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- !10.1.1.1 debian tcp dpt:www to:10.1.1.2:80

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere 10.1.1.1 tcp dpt:www to:10.1.1.2

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
makina:/#

On webserver output of some commands are as following

[root@server /]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0
[root@server /]#

[root@server /]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
[root@server /]#

[root@server /]# iptables -L -n -v
Chain INPUT (policy ACCEPT 1414 packets, 106K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1018 packets, 115K bytes)
pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (0 references)
pkts bytes target prot opt in out source destination
[root@server /]#

[root@server /]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 150 packets, 12390 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 51 packets, 3821 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 51 packets, 3821 bytes)
pkts bytes target prot opt in out source destination
[root@server /]#

On firewall output of the same comands are as following
Destination Gateway Genmask Flags Metric Ref Use Iface
150.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
makina:/#

makina:/# iptables -L -n -v
Chain INPUT (policy ACCEPT 1299 packets, 103K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 955 packets, 104K bytes)
pkts bytes target prot opt in out source destination
makina:/#

makina:/# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * !10.1.1.1 150.1.1.1 tcp dpt:80 to:10.1.1.2:80

Chain POSTROUTING (policy ACCEPT 27 packets, 1890 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT tcp -- * * 0.0.0.0/0 10.1.1.1 tcp dpt:80 to:10.1.1.2

Chain OUTPUT (policy ACCEPT 27 packets, 1890 bytes)
pkts bytes target prot opt in out source destination
makina:/#

Re: DNAT to web server inside internal network

debian111 — Thu, 08 Jun 2006 01:34:33 GMT

Hi,
I attached all necessary parameters for webserver, I will try today what you suggested me, and I am hoping that will help me,

Thank you for your help, it means me a lot.
Regards

Re: DNAT to web server inside internal network

debian111 — Thu, 08 Jun 2006 01:46:47 GMT

kcpant says
" thus,as I have seen the IP of Web server is 10.1.1.1, the iptable lines should be:
iptables -t nat -A PREROUTING -d 150.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.1:80
iptables -t nat -A POSTROUTING -d 10.1.1.1 -p tcp --dport 80 -j SNAT --to-source 10.1.1.2 "

But there is someting confusing to me 10.1.1.1 is ip address of web server and second nic interfece eth1 on firewall machine has ip address 10.1.1.2, and I can not understand how packets will find a path to 10.1.1.1 because 10.1.1.1 is ip address of nic interface located on web server which is separate machine, or perhaps second rule will direct packets from firewalls address 10.1.1.2 to webserver address 10.1.1.1.

Just my opinion about this part of message.

Regards

Re: DNAT to web server inside internal network

Logu_2 — Thu, 08 Jun 2006 05:08:27 GMT

I think I messed it up. Let me try again and hope we will fix it.

|MacA(150.1.1.2)|----|(150.1.1.1)fwall(10.1.1.2)| ----|(10.1.1.1)wserver|

I bet this time it should work. :)
Execute the following on th firewall:
#----------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -F
iptables -t nat -F
iptables -t mangle -F

iptables -P FORWARD ACCEPT

iptables -t nat -A PREROUTING -s ! 10.1.1.1 -d 150.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.1:80

iptables -t nat -A POSTROUTING -d 10.1.1.1 -p tcp --dport 80 -j SNAT --to-source 10.1.1.2
#-----------------------------------------