iptables/Port Forwarding issues


linux supernoob
07-11-2003, 10:51 PM
Here's the situation...

I'm using a Linux box as a router for my network with limited success. I have one static IP address and I need to forward all HTTP requests to my web server on my internal network at 192.168.0.10.

I've read all the tutorials and I thought my firewall was set up properly, but I still cannot connect to my web server from outside my network.

I'm posting my script. If anyone can spot the problem I'd appreciate it.

linux supernoob
07-11-2003, 11:16 PM
Here's the script in case some people don't want to download it.


#!/bin/bash
#
# rc.firewall -
#
###############################################################################
# 1. Configuration Options
#

#
# 1.1 Internet Configuration.
#

INET_IP="xx.xx.xx.xxx"
INET_IFACE="eth0"
INET_BROADCAST="xx.xx.xx.xxx"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network
#

LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/24"
LAN_IFACE="eth1"
DNS_IP="192.168.0.10"
HTTP_IP="192.168.0.10"
FTP_IP="192.168.0.10"

#
# 1.3 DMZ Configuration
#

#
# 1.4 Localhost Configuration
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 iptables configuration
#

IPTABLES="/sbin/iptables"

###############################################################################
# 2.Load extra modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ipt_nat_ftp
/sbin/modprobe ip_nat_irc
###############################################################################
# 3. /proc setup
#

#
# 3.1 Required proc information
#

echo "1" > /proc/sys/net/ipv4/ip_forward
#
# 3.2 routing setup
#

###############################################################################
# 4. rules setup
#

######
# Filter table
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create user specified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP, and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in user specified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 23 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5273 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 7002 -j allowed

# UDP ports
#

$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 20 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 21 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 27015 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 27010 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 27012 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
#
# special rules for DHCP
#
#
# Rules for incoming packets from the internet
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Log weird packets that don't match above
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IPs to allow
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match above
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat tables
#


#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 80 -j DNAT \--to-destination $HTTP_IP

#
# 4.2.5 POSTROUTING chain
#

$IPTABLES -t nat -A POSTROUTING -p tcp --dst $HTTP_IP --dport 80 -j SNAT \--to-source $LAN_IP
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

je_fro
07-12-2003, 12:09 AM
When you copied this file, you included the forward slashes that were placed so the newline characters would be ignored. It looks good; just pull the forward slashes out.

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \-j ACCEPT

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \--log-level DEBUG --log-prefix "IPT INPUT packet died: "

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 80 -j DNAT \--to-destination $HTTP_IP

Example, the last line should be:

$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 80 -j DNAT --to-destination $HTTP_IP
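An added example, not code from the thread or from the tutorial's script: the minimal rule set a port-80 DNAT needs, using the thread's variable names, with the public address as a constructed placeholder. It carries an explicit FORWARD accept for the translated connection, because the script above accepts NEW traffic in FORWARD only when it arrives on $LAN_IFACE, and with a DROP policy a connection DNATed to $HTTP_IP from the internet side needs a rule of this kind to pass.

```shell
#!/bin/bash
# Added example: minimal iptables rules for forwarding TCP/80 from the
# router's public address to an internal web server. Variable names follow
# the thread's script; INET_IP is a constructed placeholder (TEST-NET-3).
INET_IFACE="${INET_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
INET_IP="${INET_IP:-203.0.113.10}"
HTTP_IP="${HTTP_IP:-192.168.0.10}"
# Default is a dry run that only prints the commands; override with
# IPTABLES=/sbin/iptables to apply them for real.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

http_forward_rules() {
    # 1. nat/PREROUTING: rewrite the destination before the routing decision,
    #    so the packet is routed towards the LAN instead of hitting INPUT.
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -d "$INET_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$HTTP_IP"
    # 2. filter/FORWARD: the first SYN is still state NEW after DNAT, and a
    #    DROP policy needs an explicit accept. Limit it to one host and port.
    $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p tcp \
        -d "$HTTP_IP" --dport 80 -m state --state NEW -j ACCEPT
    # 3. Replies and related packets in both directions.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. nat/POSTROUTING: LAN hosts going out share the public address.
    $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT \
        --to-source "$INET_IP"
}

# Print the rule set without touching the kernel, whatever IPTABLES is set to.
dry_run() {
    ( IPTABLES="echo /sbin/iptables"; http_forward_rules )
}

# Number of emitted rules that name the web server (the DNAT target and the
# FORWARD accept); a quick check that the forward is not DNAT-only.
count_rules_for_web_server() {
    dry_run | grep -c -- "$HTTP_IP"
}
```

Running the file as-is prints the four commands; `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n` show them once applied.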

linux supernoob
07-12-2003, 12:36 AM
Thanks je_fro.

I'll give it a try right now.

What is the significance of those slashes? I just ask because that's the way the example showed to put them in the tutorial I read.

linux supernoob
07-12-2003, 12:46 AM
Oh, I see..
They represent a newline.
Sorry, I'm not thinking straight right now.

je_fro
07-12-2003, 01:53 PM
As the author was typing along, he wanted to \
keep everything on one skinny page, so he \
would put an escape character before he hit \
RETURN and people could then just copy and \
paste the script and it would work fine unless \
someone edited out the RETURN characters.


That's a pretty good script, though. I got pieces of my 'wall from it, but I lost the link. Can you post the link it came from?

linux supernoob
07-13-2003, 01:38 AM
Yeah..

It's part of a tutorial that I found helpful...
It's at the very end of the page.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html