Discussion:
iptables
Manu
2011-06-22 20:19:02 UTC
Permalink
Hello,
I'm French, and I'm sorry for my bad English.
I'm a beginner Debian user.
In my home network, I have a Linux machine with Debian 6.
My Debian machine has to act as a DHCP server with isc-server.
I have 2 network cards: eth0 = public IP (ADSL modem),
eth1 = LAN.
My DHCP server runs.
But I can't connect to the Internet from the PCs.
Description:

network : 10.20.30.0
mask : 255.255.255.0
Windows server: 10.20.30.2
Linux server (Debian6) : 10.20.30.1 (DHCP and gateway to WAN)
Accesspoint Wifi : 10.20.30.3
NAS server : 10.20.30.4
MAO PC: 10.20.30.5
laptop : 10.20.30.6
IP phone : 10.20.30.7, 10.20.30.8, 10.20.30.9
I can connect to LAN machines but not to the WAN.

cat /proc/sys/net/ipv4/ip_forward is 1

What routes do I have to create with the route command?
How can I route port 80 to 10.20.30.1 with iptables?
Thank you for your help!

--------------------------------------------------------------------------------

KIND REGARDS
Manu

WEBSITES
My official website (Manu-dpk.net)
Listen to Radio DPK

CONTACT
- E-mail : ***@manu-dpk.net
- Messenger (WLM) : ***@manu-dpk.net
- Skype : manu-dpk

--------------------------------------------------------------------------------

PS: Out of respect for the environment, print this e-mail only if necessary.
Ansgar Wiechers
2011-06-22 20:33:09 UTC
Permalink
Post by Manu
In my home network, I have a linux machine with debian6.
My debian has to do dhcp server with isc-server.
I have 2 network card, eth0 = public Ip (adsl modem)
eth1 = lan.
My dhcp server runs.
But I can't connect to internet with pc's.
network : 10.20.30.0
mask : 255.255.255.0
Windows server: 10.20.30.2
Linux server (Debian6) : 10.20.30.1 (DHCP and gateway to wan)
Accesspoint Wifi : 10.20.30.3
NAS server : 10.20.30.4
MAO PC: 10.20.30.5
laptop : 10.20.30.6
IP phone : 10.20.30.7, 10.20.30.8, 10.20.30.9
I can connect to lan machines but not to wan.
Do the hosts in your LAN have a default gateway, i.e. does your DHCP
server pass out a router option with the leases? Check with "ipconfig"
on Windows or "route" on Linux hosts.
Post by Manu
cat /proc/sys/net/ipv4/ip_forward is 1
What are routes I have to create with route command ?
Normally you shouldn't have to create any for that kind of setup.

Please post the output of "iptables -nL" and "iptables -t nat -nL".
Post by Manu
How can I routed 80 port to 10.20.30.1 with iptables ?
That is called port-forwarding, not routing. It's done via DNAT. See [1]
for instance.

[1] http://www.debian-administration.org/articles/73

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
Gerdriaan Mulder
2011-06-22 20:47:13 UTC
Permalink
Post by Ansgar Wiechers
Post by Manu
cat /proc/sys/net/ipv4/ip_forward is 1
What are routes I have to create with route command ?
Normally you shouldn't have to create any for that kind of setup.
4-step NAT, first step is to enable forwarding on the specific
interfaces, or ip_forward globally.
next three steps are iptables rules:
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Next step is to configure the DHCP-server to propagate the IP
addresses to the network. Send the gateway (10.20.30.1) with the DHCP
offer and your computers should be able to reach the internet.
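
The steps above as one loadable ruleset, with the WAN and LAN interface names as parameters so that eth0 can be swapped for ppp0 on a dial-up link (added example, not code from any poster; `gateway_ruleset` is a hypothetical helper name). It goes beyond the post in one respect: the FORWARD policy is set to DROP, so only the two listed rules let traffic through the gateway.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the gateway in this thread.
# Values from the original post: eth0 = WAN, eth1 = LAN, LAN = 10.20.30.0/24.
# gateway_ruleset is a hypothetical helper name, not part of iptables.

gateway_ruleset() {
    wan=$1 lan=$2 net=$3
    # Source NAT bound to the LAN interface never applies to Internet-bound
    # packets, so refuse identical or missing interface names.
    if [ -z "$wan" ] || [ -z "$lan" ] || [ -z "$net" ] || [ "$wan" = "$lan" ]; then
        echo "usage: gateway_ruleset WAN_IF LAN_IF LAN_CIDR (WAN_IF != LAN_IF)" >&2
        return 1
    fi
    # INPUT stays at ACCEPT as in the thread; limiting which local services
    # are reachable on the WAN interface is a separate step.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset for review. Loading it replaces the existing filter and
# nat rules, so run this as root only once it looks right:
#   gateway_ruleset eth0 eth1 10.20.30.0/24 | iptables-restore
gateway_ruleset eth0 eth1 10.20.30.0/24
```
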
Pascal Hambourg
2011-06-22 20:40:58 UTC
Permalink
Hello,
Post by Manu
Hello,
I'm French, I'm sorry for my bad english.
You'd better be sorry for posting HTML.
Post by Manu
I'm a beginner debian user.
In my home network, I have a linux machine with debian6.
My debian has to do dhcp server with isc-server.
I have 2 network card, eth0 = public Ip (adsl modem)
eth1 = lan.
My dhcp server runs.
But I can't connect to internet with pc's.
network : 10.20.30.0
mask : 255.255.255.0
Windows server: 10.20.30.2
Linux server (Debian6) : 10.20.30.1 (DHCP and gateway to wan)
Accesspoint Wifi : 10.20.30.3
NAS server : 10.20.30.4
MAO PC: 10.20.30.5
laptop : 10.20.30.6
IP phone : 10.20.30.7, 10.20.30.8, 10.20.30.9
I can connect to lan machines but not to wan.
cat /proc/sys/net/ipv4/ip_forward is 1
What are routes I have to create with route command ?
Probably none. But maybe you missed the masquerading.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Post by Manu
How can I routed 80 port to 10.20.30.1 with iptables ?
If you mean port forwarding of connections coming from outside :

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
-j DNAT --to 10.20.30.1

But as 10.20.30.1 is the box itself, this is probably not what you want.
Eden Caldas
2011-06-22 20:42:01 UTC
Permalink
Your DHCP server must tell your clients which one is the gateway (your
debian6 machine must be it).
You will also need a DNS server, and must make your DHCP server inform the clients of it as
well.

Have you done NAT rules? You will need a MASQUERADE one.


Eden Caldas
Consultor de TI
***@linuxfacil.srv.br
(81) 9653 7220
LINUX FÁCIL – Consultoria e Serviços em TI
Javier Charne
2011-06-22 20:30:57 UTC
Permalink
Post by Manu
Hello,
I'm French, I'm sorry for my bad english.
I'm a beginner debian user.
In my home network, I have a linux machine with debian6.
My debian has to do dhcp server with isc-server.
I have 2 network card, eth0 = public Ip (adsl modem)
eth1 = lan.
My dhcp server runs.
But I can't connect to internet with pc's.
network : 10.20.30.0
mask : 255.255.255.0
Windows server: 10.20.30.2
Linux server (Debian6) : 10.20.30.1 (DHCP and gateway to wan)
Accesspoint Wifi : 10.20.30.3
NAS server : 10.20.30.4
MAO PC: 10.20.30.5
laptop : 10.20.30.6
IP phone : 10.20.30.7, 10.20.30.8, 10.20.30.9
I can connect to lan machines but not to wan.
cat /proc/sys/net/ipv4/ip_forward is 1
What are routes I have to create with route command ?
How can I routed 80 port to 10.20.30.1 with iptables ?
thank you for your help !
Manu:

Check if 10.20.30.1 is the default gateway for all devices in the LAN.

On the Debian server, traffic to the Internet must be NATed:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Javier.-
Eden Caldas
2011-06-22 20:53:47 UTC
Permalink
Since it's DSL, maybe the interface is ppp0? Check if this interface comes
up when you dial in.

Eden Caldas
Consultor de TI
***@linuxfacil.srv.br
(81) 9653 7220
LINUX FÁCIL – Consultoria e Serviços em TI
Manu
2011-06-23 09:34:24 UTC
Permalink
Hi,
Thank you for the many replies.
The WAN protocol is IPoA. So I think I can keep eth0?
On my Debian server, I have a DHCP server (isc-dhcp-server), asterisk, apache, samba.
On my Windows server, I have an FTP server, sam broadcaster...
I will try to route as you explained to me, and I will tell you later.
Thank you again
lee
2011-06-22 21:10:39 UTC
Permalink
Post by Manu
Hello,
I'm French, I'm sorry for my bad english.
I'm a beginner debian user.
In my home network, I have a linux machine with debian6.
My debian has to do dhcp server with isc-server.
I have 2 network card, eth0 = public Ip (adsl modem)
eth1 = lan.
My dhcp server runs.
But I can't connect to internet with pc's.
network : 10.20.30.0
mask : 255.255.255.0
Windows server: 10.20.30.2
Linux server (Debian6) : 10.20.30.1 (DHCP and gateway to wan)
Accesspoint Wifi : 10.20.30.3
NAS server : 10.20.30.4
MAO PC: 10.20.30.5
laptop : 10.20.30.6
IP phone : 10.20.30.7, 10.20.30.8, 10.20.30.9
I can connect to lan machines but not to wan.
cat /proc/sys/net/ipv4/ip_forward is 1
What are routes I have to create with route command ?
How can I routed 80 port to 10.20.30.1 with iptables ?
thank you for your help !
Have you tried shorewall? It has sufficient documentation and should
make it pretty easy to achieve the setup you need, with the added
benefit of providing a fully featured firewall.

Setting up a firewall is probably much better than connecting your
networks to the internet directly without one through your ADSL
modem. It will also help you to redirect some traffic on port 80 to
10.20.30.1 and to do the necessary masquerading.

However, I would start with setting up a name server for your networks
if you've not already done so.
Post by Manu
--------------------------------------------------------------------------------
KIND REGARDS
Manu
WEBSITES
My official website (Manu-dpk.net)
Listen to Radio DPK
CONTACT
- Skype : manu-dpk
--------------------------------------------------------------------------------
PS: Out of respect for the environment, print this e-mail only if necessary.
Can you please use the standard separator ("-- ") for your signature and
refrain from posting HTML messages?
Prithak Sharma
2011-06-23 07:03:08 UTC
Permalink
Manu,

You need to enable Packet forwarding and NAT. Considering your network
architecture these commands may do the trick:

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t filter -A FORWARD -s 10.20.30.0/24 -d 0/0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

If you are using PPPoE then you will have to change eth1 to ppp0 for NAT.


To forward HTTP traffic (dst port 80) to your Linux box you will have
to use the following iptables rule :

iptables -t nat -A PREROUTING -i eth1 -s 10.20.30.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 8080

You need to make sure that some kind of TCP service is listening on
port 8080 on your debian box . You can verify that using netstat
-tunlp command.

-Prithak
-http://prithak.blogspot.com
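
A check for the points raised across this thread, run over `iptables-save` output (added example, not code from any poster; `check_gateway` is a hypothetical helper and the sample ruleset is constructed). It assumes the layout in Manu's original post (eth0 = WAN, eth1 = LAN, gateway 10.20.30.1) and reports source NAT that is missing on the WAN side or bound to the LAN side, a DNAT that points at the gateway itself, and a FORWARD chain that is unfiltered or drops replies.

```shell
#!/bin/sh
# Added example: check iptables-save output for the problems discussed in this thread.
# check_gateway is a hypothetical helper. Negated matches ("! -o eth1") are not handled.

check_gateway() {   # usage: iptables-save | check_gateway WAN_IF LAN_IF GATEWAY_IP
    awk -v wan="$1" -v lan="$2" -v gw="$3" '
    function opt(name,   i) {        # value that follows an option, or ""
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
        return ""
    }
    /^\*/ { table = substr($1, 2); next }                 # "*nat", "*filter"
    table == "filter" && $1 == ":FORWARD" { policy = $2; next }
    $1 != "-A" { next }
    { target = opt("-j") }
    table == "nat" && $2 == "POSTROUTING" && (target == "MASQUERADE" || target == "SNAT") {
        if (opt("-o") == wan) masq = 1
        if (opt("-o") == lan) print "WARN source NAT on LAN interface " lan
    }
    table == "nat" && $2 == "PREROUTING" && target == "DNAT" {
        dest = opt("--to-destination"); sub(/:.*/, "", dest)   # drop ":port"
        if (dest == gw) print "WARN DNAT to the gateway itself (" gw ")"
    }
    table == "filter" && $2 == "FORWARD" && target == "ACCEPT" && /ESTABLISHED/ { back = 1 }
    END {
        if (!masq) print "FAIL no MASQUERADE/SNAT on WAN interface " wan
        if (policy == "DROP" && !back) print "FAIL FORWARD drops replies (no ESTABLISHED rule)"
        if (policy == "ACCEPT") print "NOTE FORWARD policy is ACCEPT: forwarding is unfiltered"
    }'
}

# Constructed sample (not output posted in the thread): source NAT bound to eth1.
SAMPLE='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.20.30.1
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 10.20.30.0/24 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE" | check_gateway eth0 eth1 10.20.30.1
```

On a live gateway the input comes from `iptables-save` run as root; a ruleset with no findings prints nothing.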