
Thread: allowing incoming http requests-iptables-red hat 9.0

  1. #1
    Junior Member
    Join Date
    Mar 2006
    Posts
    57

    allowing incoming http requests-iptables-red hat 9.0

    I have a Linux iptables firewall on Red Hat 9.0.

    I have a Linux Apache server on a private IP, 192.168.0.5. I need to access the server from outside via our public IP.

    I have given the following code.

    EXTR=Public ip
    WEB_SRV=192.168.0.5

    #Incoming HTTP Requests:
    iptables -t nat -A PREROUTING -i $EXTR -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
    iptables -t nat -A PREROUTING -i $EXTR -p udp --dport 80 -j DNAT --to-destination $WEB_SRV:80

    I ran iptables with the above code, but it doesn't output any error.

    Any inputs please.

  2. #2
    Moderator
    Advisor
    Join Date
    Jun 2001
    Location
    Copenhagen, Denmark
    Posts
    811
    Try with something like this:
    Code:
     iptables -t nat -A PREROUTING -i $EXTR -p tcp --dport 80 -j DNAT --to $WEB_SRV
    No need to rewrite the destination port. If you're interested, I once made a small firewall script. I don't use it now, but occasionally I look at it, since it holds quite a lot of description for various iptables rules.

    Perhaps it will give you a few hints.
    Don't worry Ma'am. We're university students, - We know what We're doing.
    'Ruiat coelum, fiat voluntas tua.'
    Datalogi - en livsstil; Intet liv, ingen stil.

  3. #3
    Junior Member
    Join Date
    Mar 2006
    Posts
    57
    Good. I will go through your script and the code. Thanks.

  4. #4
    Junior Member
    Join Date
    Mar 2006
    Posts
    57
    I tried

    iptables -t nat -A PREROUTING -i $EXTR -p tcp --dport 80 -j DNAT --to $WEB_SRV

    and also

    iptables -t nat -A PREROUTING -i $EXTR -p tcp --dport 80 -j DNAT --to $WEB_SRV:80

    but still I can't access.

    If I type the external IP address in IE, I can't access my internal web server.

    I can ping my external IP. I tried this from another internet connection and not through my local LAN, as that won't work.

    Do I need to specify any other commands prior to the DNAT command?

    When I run iptables I don't get any error.

  5. #5
    Moderator
    Advisor
    Join Date
    Jun 2001
    Location
    Copenhagen, Denmark
    Posts
    811
    Could this be your ISP blocking connections on port 80? Just as a small test, do something like:
    Code:
    iptables -t nat -A PREROUTING -i $EXTR -p tcp --dport 8080 -j DNAT --to $WEB_SRV:80
    to see if you can get connected through port 8080 to your internal webserver...
    > When I run iptables I don't get any error.
    Does an examination of your iptables filters show any packets caught by that rule? i.e.:
    > iptables -t nat -v -L PREROUTING
    It will show in the pkts and bytes columns.

  6. #6
    Junior Member
    Join Date
    Mar 2006
    Posts
    57
    Thanks. I will try and let you know.

    By the way, I don't think port 80 is blocked, since all the users can access the internet.

    As you had mentioned port 8080, should I change it to port 8080 in my Apache server?

    One more thing I wanted to know. Is it possible for me via iptables to track the local IP addresses and the sites they visit?

  7. #7
    Junior Member
    Join Date
    Mar 2006
    Posts
    57
    I tried
    iptables -t nat -A PREROUTING -i $EXTR -p tcp --dport 8080 -j DNAT --to $WEB_SRV:80

    but still I can't access. I can ping my public IP...
    *********************
    I ran the command iptables -t nat -v -L PREROUTING; the output is as below, before changing it to the above code.

    Chain PREROUTING (policy ACCEPT 70137 packets, 6275K bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- 202.148.36.6 any anywhere anywhere tcp dpt:http to:192.168.1.5

    ***
    Note: I have changed the public IP to 202.148.36.6, a fictitious value, for displaying this output to you, for security reasons.
    ******
    After I inserted the code
    iptables -t nat -A PREROUTING -i $EXTR -p tcp --dport 8080 -j DNAT --to $WEB_SRV:80 ... below is the output...

    Chain PREROUTING (policy ACCEPT 1181 packets, 75525 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:webcache to:192.168.1.5:80
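An added example, not code from anyone in this thread. Two things are worth checking against the listings above. First, `iptables -i` matches an interface name; the first listing shows the public address itself in the `in` column, so that rule can only match packets arriving on an interface literally named after the address, which never happens (the second listing, with `eth1`, is the form that can match). Second, a DNAT rule in `nat/PREROUTING` only rewrites the destination; the packet must then pass the `FORWARD` chain and the kernel must have IP forwarding enabled, or the counters stay at zero. The script below refuses an address where an interface name is needed, prints the complete rule set for review, and sums the DNAT hit counters from a `-v -L PREROUTING` listing (the sample listing is constructed, modelled on the thread's output; `eth1` and the port values are assumptions).

```shell
#!/bin/sh
# Added example: validate the variables, emit the full rule set a DNAT
# port-forward needs, and read back the hit counters. Interface name,
# ports and the sample listing are assumptions, not from the thread.

EXTR_IF=eth1            # assumed external interface name (NOT the public IP)
WEB_SRV=192.168.0.5     # internal web server from the thread
PUB_PORT=80             # port exposed on the public address
SRV_PORT=80             # port Apache listens on

# -i takes an interface name; a dotted-quad address here never matches.
looks_like_ip() {
    case "$1" in
        *[!0-9.]*) return 1 ;;   # anything but digits and dots: not an IP
        *.*.*.*)   return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the commands (one per line) so they can be reviewed before running.
# Besides the DNAT, the forwarded traffic must be accepted in FORWARD and
# net.ipv4.ip_forward must be on; replies ride on the ESTABLISHED state.
dnat_rules() {
    ext="$1"; srv="$2"; pub="$3"; sp="$4"
    if looks_like_ip "$ext"; then
        echo "error: -i needs an interface name, got address $ext" >&2
        return 1
    fi
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $ext -p tcp --dport $pub -j DNAT --to-destination $srv:$sp
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ext -p tcp -d $srv --dport $sp -m state --state NEW -j ACCEPT
EOF
}

# Sum the pkts column of the DNAT rows in "iptables -t nat -v -L PREROUTING"
# output read from stdin; 0 means nothing has reached the rule yet.
dnat_hits() {
    awk '$3 == "DNAT" { n += $1 } END { print n + 0 }'
}

# Constructed sample listing (same layout as the thread's output).
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 1181 packets, 75525 bytes)
 pkts bytes target prot opt in out source destination
   12  720 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:webcache to:192.168.1.5:80
    0    0 DNAT tcp -- 202.148.36.6 any anywhere anywhere tcp dpt:http to:192.168.1.5'

dnat_rules "$EXTR_IF" "$WEB_SRV" "$PUB_PORT" "$SRV_PORT"
printf 'DNAT packets matched so far: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | dnat_hits)"
```

Run the printed commands as root on the firewall, then repeat `iptables -t nat -v -L PREROUTING` from an outside connection; a counter that stays at zero means the packets are not arriving on that interface at all (upstream filtering or the wrong interface), while a rising DNAT counter with no reply points at the `FORWARD` chain or `ip_forward`.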

  8. #8
    Moderator
    Advisor
    Join Date
    Jun 2001
    Location
    Copenhagen, Denmark
    Posts
    811
    You don't need to change any setting in your Apache/web server; the beauty of iptables is that now it will redirect any connections from the outside on port 8080 to your webserver on its port 80.
    To try it out, just try to access your IP through port 8080 from the outside; if that goes through, then your ISP is blocking port 80.
    > One more thing I wanted to know. Is it possible for me via iptables to track the local IP addresses and the sites they visit?
    You can log any outgoing connection in state NEW which has destination port 80. Then you can see which IPs they try. But for content logging iptables isn't useful...
    > By the way, I don't think port 80 is blocked, since all the users can access the internet.
    If your ISP is blocking incoming connections on port 80, it will not interfere with your users' outgoing connections to anywhere on port 80...
    Since your iptables aren't showing any packets received in the mentioned rule, there aren't any attempts which make it that far.
    Since you can ping your IP, it isn't even proof that you have a connection to your firewall from the outside.
    Some ISPs send a phony response to ping requests, so to try it out you need to somehow get connected, either through some form of web access, or you could try an SSH connection from the outside; if that is a success, then you know at least the port tried is open.

    Else use an online port scanner (personally I like this one) to see which ports might be blocked or open...
    This is also a good way to test if your firewall is blocking and opening the ports you want it to.
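An added example, not from anyone in this thread, of the logging idea above: a `LOG` rule in `FORWARD` that fires once per new outbound connection to port 80 (rate-limited so a busy LAN cannot fill syslog), and a small summariser that turns the resulting kernel log lines into a per-client, per-destination count. As the reply notes, this records IP addresses, not URLs or page content. Interface names, the log prefix and the log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: log new outbound web connections from the LAN and
# summarise the kernel log lines per client. Interface names, prefix and
# the sample log lines are constructed assumptions, not from the thread.

LAN_IF=eth0             # assumed internal interface
EXTR_IF=eth1            # assumed external interface
LOG_PREFIX="WEB-OUT: "  # assumed prefix so the lines are easy to grep

# Rule to add (printed for review): only the first packet of each
# connection (state NEW) is logged, and the limit match caps the rate.
web_log_rule() {
    echo "iptables -A FORWARD -i $LAN_IF -o $EXTR_IF -p tcp --dport 80 -m state --state NEW -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix \"$LOG_PREFIX\" --log-level info"
}

# Constructed sample of what the kernel writes for such a rule (plus one
# unrelated line to show that other prefixes are ignored).
SAMPLE_LOG='Mar 12 10:01:02 fw kernel: WEB-OUT: IN=eth0 OUT=eth1 SRC=192.168.0.21 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=33412 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 10:01:05 fw kernel: WEB-OUT: IN=eth0 OUT=eth1 SRC=192.168.0.21 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP SPT=33413 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 10:01:09 fw kernel: WEB-OUT: IN=eth0 OUT=eth1 SRC=192.168.0.33 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=41000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 10:01:10 fw kernel: SSH-IN: IN=eth1 OUT= SRC=203.0.113.99 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT=22 SYN'

# Read log lines on stdin; print "client destination count", sorted,
# for the lines carrying our prefix.
web_summary() {
    grep -F "$LOG_PREFIX" | awk '{
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (src != "" && dst != "") n[src " " dst]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

web_log_rule
printf '%s\n' "$SAMPLE_LOG" | web_summary
```

On the real box the summariser would read the kernel log (for example `grep 'WEB-OUT:' /var/log/messages | web_summary`); because the rule matches `--state NEW`, each line is one connection attempt rather than one packet, so the counts are comparable across clients.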

  9. #9
    Junior Member
    Join Date
    Mar 2006
    Posts
    57
    Hi,
    thanks for the same. I will try the same and let you know. You seem to have expert knowledge on Linux. I had posted some queries on the below mentioned subject, but haven't received any positive replies. Can you help me out?


    ******
    I have to back up data on a CD in Red Hat Linux Enterprise Edition 4. I haven't tried it and wanted to back it up automatically. Is there any software available?

    ************
    The same server is not connected to the internet and I wanted to install an antivirus and manually update it. I tried installing AVG but it asks for the dependency

    pygtk2.0.0, whereas pygtk2.6.0 is installed.


    Do you know of any other antivirus which can be installed via root and manually updated?

  10. #10
    Junior Member
    Join Date
    Mar 2006
    Posts
    57
    For the CD recording, I came across the cdrecord and mkisofs commands.

    But as these are for an application, I can't make the users use these commands. Plus I also need to restore it back.

    Is there any tool or package available in Linux which will do the above in root mode?
    *****************
    I tried loading AVG antivirus in Red Hat Linux 4, but it asks for 2 files:

    pygtk2-2.0.0-1 RPM for i386
    pygtk2-libglade-2.0.0-1 RPM for i386

    I tried downloading but wasn't successful. Do you know of any other sites?
    **
