iptables and multiple ip-addresses?
Hello,
I'm trying to get my firewall working on my Gentoo box with kernel 2.6.19:
external addresses = x.x.x.2-16
internal addresses = 192.168.50.10 (192.168.50/24)
Webserver = 192.168.50.15:80
Tomcat=192.168.50.15:8080
And here is my script:
----------------Start---------------------
EXT_IF=eth0
INT_IF=eth1
EXT_DNS=x.x.x.2
EXT_WEB=x.x.x.2
EXT_TOM=x.x.x.6
INT_WEB=192.168.50.15
INT_DNS=192.168.50.15
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# allow some internal traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_IF -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -i $INT_IF -j ACCEPT
# Enable NAT
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
# Allow active connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# DNS Server
iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_DNS --dport 53 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -p udp -d $INT_DNS --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_DNS --dport 53 -j DNAT --to $INT_DNS
iptables -t nat -A PREROUTING -i $EXT_IF -p udp -d $EXT_DNS --dport 53 -j DNAT --to $INT_DNS
# Webserver, Tomcat
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_WEB --dport 80 -j DNAT --to $INT_WEB
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_TOM --dport 80 -j DNAT --to $INT_WEB:8080
iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 80 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 8080 -j ACCEPT
----------------End---------------------
NAT, DNS and the 192.168.50.15:80 webserver are working. What am I missing to
get Tomcat working?
It seems that only the external address x.x.x.2 is working. If I do an
ifconfig I see all external IFs, from eth0 up to eth0:14.
Any idea or help would be appreciated.
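To make the order of operations in the posted rule set visible, here is a small model of the packet path, written as an added example (it is not the poster's script). A packet arriving on eth0 first passes nat/PREROUTING, where a matching DNAT rule rewrites its destination; only then does the routing decision send it to INPUT (destination is a local address) or FORWARD (destination is elsewhere). That is why the FORWARD rule for Tomcat must match the translated destination 192.168.50.15:8080 rather than port 80. The 203.0.113.x addresses are constructed placeholders for the page's x.x.x.x range, and the set of local addresses assumes the eth0:1 to eth0:14 aliases cover .2 to .16.

```python
"""Model of the packet path through the posted rule set (added example, not the
poster's script). nat/PREROUTING runs before the routing decision, so the
INPUT/FORWARD chains see the DNAT'd destination. 203.0.113.x are constructed
placeholders for the x.x.x.x external range on the page."""
from dataclasses import dataclass, replace

EXT_IF, INT_IF = "eth0", "eth1"
EXT_DNS = EXT_WEB = "203.0.113.2"      # placeholder for x.x.x.2
EXT_TOM = "203.0.113.6"                # placeholder for x.x.x.6
INT_WEB = INT_DNS = "192.168.50.15"
# Addresses configured on the firewall itself (eth0, eth0:1 ... eth0:14): assumed .2 - .16
LOCAL_ADDRS = {f"203.0.113.{n}" for n in range(2, 17)}

@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    dst: str
    dport: int
    state: str = "NEW"

# nat/PREROUTING as posted: match tuple -> (new destination, new port or None)
PREROUTING = [
    ((EXT_IF, "tcp", EXT_DNS, 53), (INT_DNS, None)),
    ((EXT_IF, "udp", EXT_DNS, 53), (INT_DNS, None)),
    ((EXT_IF, "tcp", EXT_WEB, 80), (INT_WEB, None)),
    ((EXT_IF, "tcp", EXT_TOM, 80), (INT_WEB, 8080)),
]

# filter/FORWARD accepts for traffic from eth0 as posted (evaluated after DNAT)
FORWARD_ALLOW = {
    (EXT_IF, "tcp", INT_DNS, 53), (EXT_IF, "udp", INT_DNS, 53),
    (EXT_IF, "tcp", INT_WEB, 80), (EXT_IF, "tcp", INT_WEB, 8080),
}

def dnat(pkt: Packet) -> Packet:
    """First matching PREROUTING rule wins; '--to' without a port keeps the port."""
    for match, (new_dst, new_port) in PREROUTING:
        if (pkt.in_if, pkt.proto, pkt.dst, pkt.dport) == match:
            return replace(pkt, dst=new_dst, dport=new_port or pkt.dport)
    return pkt  # nat chain policy ACCEPT: packet continues untranslated

def verdict(pkt: Packet) -> str:
    """Routing decision, then INPUT or FORWARD in the posted rule order (policy DROP)."""
    # Both chains accept lo/internal traffic and RELATED,ESTABLISHED first.
    if pkt.in_if in ("lo", INT_IF) or pkt.state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if pkt.dst in LOCAL_ADDRS:
        return "INPUT:DROP"          # no INPUT rule accepts new traffic from eth0
    key = (pkt.in_if, pkt.proto, pkt.dst, pkt.dport)
    return "FORWARD:ACCEPT" if key in FORWARD_ALLOW else "FORWARD:DROP"

def walk(pkt: Packet) -> tuple[str, str]:
    """Return (destination after DNAT, final verdict) for one inbound packet."""
    translated = dnat(pkt)
    return f"{translated.dst}:{translated.dport}", verdict(translated)

if __name__ == "__main__":
    for p in (Packet(EXT_IF, "tcp", EXT_WEB, 80),
              Packet(EXT_IF, "tcp", EXT_TOM, 80),
              Packet(EXT_IF, "tcp", "203.0.113.3", 80)):
        print(f"{p.dst}:{p.dport} -> {walk(p)}")
```

The third sample packet shows what happens to an external address that has no DNAT rule: it stays addressed to the firewall itself, so it is routed to INPUT (policy DROP) and never reaches FORWARD at all. That is the chain to watch when a published address appears to be ignored.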
Re: iptables and multiple ip-addresses?
On Sun, 07 Jan 2007 20:18:42 +0100, Manuel Garcia wrote:
> external addresses = x.x.x.2-16
Is this possible, using iptables?
--
Regards/mvh Joachim Mæland
If everything seems under control, you're just not going fast enough.
-Mario Andretti.
Re: iptables and multiple ip-addresses?
>> external addresses = x.x.x.2-16
>
> Is this possible, using iptables?
>
Can iptables handle only one external IP address?
thx
Re: iptables and multiple ip-addresses?
>>> external addresses = x.x.x.2-16
>>
>> Is this possible, using iptables?
>>
>
> can iptables handle only 1 external ip-address?
>
Well, I tested with the IP range x.x.x.16-20 and it works!
If I use the range x.x.x.2-20 and publish the servers with x.x.x.2 or
x.x.x.16-18, it works too!
The rules do not work if I use x.x.x.3-16! <= why? I don't really
understand this.
I did some tests with:
tcpdump (listening on the external IF on address x.x.x.3): I can see incoming
packets
tcpdump (listening on the internal IF, dst the webserver): I can't see any
packets
Some tests with:
iptables -t nat -nvL PREROUTING
=> the publish rule for the webserver shows 0 pkts and 0 bytes! <= again I
can't understand this.
The default policy for all nat chains is ACCEPT.
Here are the rules again:
# Webserver, Tomcat
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_WEB --dport 80 -j DNAT --to $INT_WEB
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_TOM --dport 80 -j DNAT --to $INT_WEB:8080
iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 80 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 8080 -j ACCEPT
I added a new rule:
iptables -A INPUT -i $EXT_IF -p tcp -d x.x.x.3 -j ACCEPT
and got the same result, still no luck.
Any ideas?
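The counter check the poster ran (`iptables -t nat -nvL PREROUTING`) is the right diagnostic, and it scales to a long list of published addresses if the listing is parsed rather than read by eye. The following is an added example, not the poster's code: it parses a listing in the format `iptables -nvL` prints and reports the DNAT rules that have never matched a packet. The listing embedded below is constructed, with 203.0.113.x standing in for the page's x.x.x.x addresses. A DNAT rule sitting at 0 packets while tcpdump shows the traffic arriving on eth0 means the rule's match fields (input interface, protocol, destination address, destination port) do not fit what is actually arriving, so those four fields are what to compare against the captured packets.

```python
"""Report DNAT rules in an 'iptables -t nat -nvL PREROUTING' listing that have
never matched. Added example, not the poster's code; SAMPLE_LISTING is
constructed, and 203.0.113.x are placeholders for the x.x.x.x range on the page."""
import re

# Constructed listing in the column layout that 'iptables -nvL' prints
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 812 packets, 51264 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  7200 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.2          tcp dpt:53 to:192.168.50.15
   45  3600 DNAT       udp  --  eth0   *       0.0.0.0/0            203.0.113.2          udp dpt:53 to:192.168.50.15
  310 18600 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.2          tcp dpt:80 to:192.168.50.15
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.6          tcp dpt:80 to:192.168.50.15:8080
"""

_SCALE = {"": 1, "K": 1000, "M": 1_000_000, "G": 1_000_000_000}

def counter(text: str) -> int:
    """-v counters are abbreviated once they grow (e.g. '12K', '3M'); expand them."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad counter: {text!r}")
    return int(m.group(1)) * _SCALE[m.group(2)]

def parse_listing(text: str) -> list[dict]:
    """Return one dict per rule line: counters, match fields and the trailing options."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the 'Chain ...' header and the column-name header; rule lines start with a counter.
        if len(fields) < 9 or not re.fullmatch(r"\d+[KMG]?", fields[0]):
            continue
        rules.append({
            "pkts": counter(fields[0]), "bytes": counter(fields[1]),
            "target": fields[2], "prot": fields[3], "in": fields[5], "out": fields[6],
            "source": fields[7], "destination": fields[8],
            "extra": " ".join(fields[9:]),   # e.g. 'tcp dpt:80 to:192.168.50.15:8080'
        })
    return rules

def unmatched_dnat(text: str) -> list[str]:
    """Destination plus match/options text of every DNAT rule whose packet counter is 0."""
    return [f"{r['destination']} {r['extra']}"
            for r in parse_listing(text) if r["target"] == "DNAT" and r["pkts"] == 0]

if __name__ == "__main__":
    for entry in unmatched_dnat(SAMPLE_LISTING):
        print("never matched:", entry)
```

Run it against a live box by piping the real listing in (for example `iptables -t nat -nvL PREROUTING | python3 this_script.py` after swapping `SAMPLE_LISTING` for `sys.stdin.read()`); the rules it prints are the ones whose match tuple should be held up against the tcpdump output, and the chain policy counter in the header line tells you how many packets fell through every rule.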