apache2 behind firewall / gateway / router
Hello!

I have apache2 behind a firewall / gateway / router.
I want to set up the firewall so that one can reach it from the internet.

I read the documentation:
Linux 2.4 Packet Filtering HOWTO from Rusty Russell
Linux 2.4 NAT HOWTO from Rusty Russell
man iptables
Setting up a simple Debian gateway
<http://www.debian-administration.org/articles/23>
etc.

I set up my firewall-gateway so that I can:
browse the internet from the box behind the firewall,
use ekiga and gaim,
but one can't reach my apache2 server on that box behind the firewall from
the internet.

I have a public IP, a registered domain name: csanyi-pal.info.

The iptables rules in iptables-save file on firewall are:
-------------------------------------------------------->
# Generated by iptables-save v1.3.6 on Mon Jul 16 15:18:29 2007
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Jul 16 15:18:29 2007
# Generated by iptables-save v1.3.6 on Mon Jul 16 15:18:29 2007
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 16 15:18:29 2007
# Generated by iptables-save v1.3.6 on Mon Jul 16 15:18:29 2007
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! ppp0 -m state --state NEW -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 25 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 5060 -j ACCEPT
-A FORWARD -i ppp0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o ppp0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Jul 16 15:18:29 2007
--------------------------------------------------------<

My ISP has a weird setup; to connect to ISP, I must use pptp-linux, and
iproute:

interfaces:
----------->
auto eth0 sks-tunnel

iface eth0 inet dhcp

iface sks-tunnel inet ppp
provider sks-tunnel
up /etc/network/ip-up
down /etc/network/ip-down

# connection to LAN

auto eth1

iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
-----------<

ip-up file:
----------->
#!/bin/sh

echo "Wait 10 seconds to ppp0 bringing up.."
sleep 10

ip route add 192.168.16.1 via 192.168.70.1 dev eth0
ip route replace default dev ppp0

echo "Set up the firewall."
iptables-restore < /etc/network/IPTABLES_rules

# set up forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
-----------<

My question is: how do I set up DNAT with iptables in my case, so that one
can reach my apache2 server behind the firewall from the internet?

Any advice will be appreciated!

--
Regards, Paul Csányi
http://www.freewebs.com/csanyi-pal/index.htm
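As an added example (not part of Paul's post and not a reply from the list), the two rules that a DNAT for this setup needs, emitted by a small shell function so they can be pasted into the /etc/network/IPTABLES_rules file that ip-up feeds to iptables-restore. The LAN address of the Apache host (192.168.1.10) is an assumption; the interface names ppp0/eth1 and the RELATED,ESTABLISHED-only FORWARD rule come from the posted ruleset.

```shell
#!/bin/sh
# Added example: print the iptables rules that forward inbound HTTP arriving
# on the public interface to an Apache host on the LAN. Nothing is applied
# here; the output goes into the rules file loaded by ip-up.
#
# Assumption: the web server is 192.168.1.10 and uses 192.168.1.1 (the
# firewall's eth1 address) as its default gateway, so replies travel back
# through the firewall and get un-NATed by conntrack.

# dnat_rules WAN_IF LAN_IF SERVER_IP PORT
dnat_rules() {
    wan_if=$1
    lan_if=$2
    server=$3
    port=$4

    # 1. nat table, PREROUTING chain: rewrite the destination of connections
    #    arriving on the public interface. Matching on the interface instead of
    #    the public address keeps the rule valid when the ISP hands out a
    #    different address on each pptp connection.
    echo "# add to the *nat section, before COMMIT:"
    echo "-A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $server:$port"

    # 2. filter table, FORWARD chain: after DNAT the packets traverse FORWARD,
    #    not INPUT, so the existing '-A INPUT -i ppp0 ... --dport 80 -j ACCEPT'
    #    rule never sees them, and the existing ppp0 -> eth1 FORWARD rule only
    #    accepts RELATED,ESTABLISHED. This rule admits the NEW connection, and
    #    only to the one host and port that were DNATed.
    echo "# add to the *filter section, before COMMIT:"
    echo "-A FORWARD -i $wan_if -o $lan_if -p tcp -d $server --dport $port -m state --state NEW -j ACCEPT"
}

dnat_rules ppp0 eth1 192.168.1.10 80
```

Once the rules file is reloaded, `iptables -t nat -L PREROUTING -n -v` shows the DNAT rule's packet counter rising as connections arrive; a counter stuck at zero means the traffic is not reaching ppp0 at all, which points at the ISP side rather than the ruleset.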