On Tuesday 25 January 2011 05:07 PM, Jorge Fábregas wrote: Thnx I'got your point replaced NAT with nat ... saved iptables wiht service iptable save but server is not forwarding the packets to the web server if i try http://xx.xx.xx.xx ( live ip ) .. .. no page is displayed what it could be ??? -- °v° /(_)\ ^ ^ Jatin Khatri Registerd Linux user No #501175 www.counter.li.org No M$

On Tuesday 25 January 2011 06:16 PM, Jorge Fábregas wrote: I've done the following [1] echo 1 > /proc/sys/net/ipv4/ip_forward ( enabled ip forwarding ) [2] iptables -A FORWARD -d 192.168.131.131 -p tcp --dport 80 -j ACCEPT [3] iptables -t nat -A PREROUTING -d xx.xx.xx.xx -p tcp --dport 80 -j DNAT --to-destination 192.168.131.131 port 80 is opened on the web server I'm able to access the web -page from internal systems as well as from the firewall it self through elinks but not able to access the web-page from Internet ( means firewall system is not forwarding the packets to the web server ) I've also tried following rule in firewall for SNAT iptables -t nat -A POSTROUTING -s 192.168.131.131 -j SNAT --to-source xx.xx.xx.xx but it fails what do I need to check further .... what other configuration do I need ?? Thnx -- °v° /(_)\ ^ ^ Jatin Khatri Registerd Linux user No #501175 www.counter.li.org No M$

On Tue, 2011-01-25 at 17:47 +0530, Jatin K wrote: To test the NAT rule, you'd have to make an incoming connection through that network. You could use an outside proxy. Or, you could go to one of the HTML validator sites, and ask it to validate your homepage. That's a simple check, without having to set up anything special. e.g. Visit http://validator.w3.org/ and give it the address to your website (your IP address that you've not being telling us). -- [tim@localhost ~]$ uname -r 2.6.27.25-78.2.56.fc9.i686 Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.

On Tue, 2011-01-25 at 19:33 +0530, Jatin K wrote: Then, you've got several things to think about: Firewall. Is it getting in the way, before or after the NAT rule? Is there something before your computer (e.g. a modem/router)? Does it need configuring to let it through. Is your webserver listening for connections on all interfaces? Once you get it going, I'd go back and refine your NAT rule. Do you want all ports to be NATed through, or just port 80? By way of example, I've just copied (below) a few rules that I have on an old Fedora box, back from when I was using dial-up. Those narrowed down connections to only TCP, particular TCP port numbers, particular interfaces, and/or particular source addresses. iptables --table nat --append PREROUTING --protocol tcp --destination-port 80 --jump DNAT --to-destination 192.168.1.1:80 iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp+ --source 2.3.4.5 --destination-port 80 --jump DNAT --to-destination 192.168.1.1:80 iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp+ --source 0.0.0.0/0 --destination-port 443 --jump DNAT --to-destination 192.168.1.6:443 -- [tim@localhost ~]$ uname -r 2.6.27.25-78.2.56.fc9.i686 Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.

On 01/25/2011 01:13 PM, Jatin K wrote: Ok, assuming your default policy is to drop, I think you'll need this rule: iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT I'm assuming eth1 is your internal interface (and eth0 your external WAN iface). This rule will allow the responses from your web-server to pass-thru your firewal... Also, if you leave all like this it won't work as you need to perform "Source NAT or Masquerade" for your 192.168.131.131 ip (if you don't...then it will leave your external interface as coming from 192.168.131.131 which of course is not valid ip for the internet). In order for your webserver send responses to a machine on the internet you need to masquerade its ip. You can do this with this: iptables -A POSTROUTING -o eth0 -s 192.168.131.0/24 -j MASQUERADE That is, all traffic that will go out thru eth0, if the source network is 192.168.131.0/24, then change the source ip to that of your eth0 (your WAN ip). Try that and see if works. HTH, Jorge

On Tue, 2011-01-25 at 22:43 +0530, Jatin K wrote: Okay, I've done something similar in the past: dial-up modem to gateway box (firewall and NAT), with a webserver on another box further inside the LAN. Looking through my old firewall configuration file, I had, on the firewall: default input rules set to drop default output rules set to allow input accept rule for this traffic temporary input log rule for this traffic (for debugging) input nat table prerouting rule for this traffic input accept state rule for established & related temporary input log state rule for established & related And, on the internal webserver: default input rules set to drop default output rules set to allow input accept rule for this traffic input accept state rule for established & related You can play around with putting log rules ahead of your accept and redirect rules, to see attempts that may or may not get through. And log rules after them, to show what did get through. And, since you're playing with NAT, the end of the firewall rule script would have something like: iptables --table nat --append POSTROUTING --out-interface ppp+ --jump MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward It's been a hell of a long time since I've had to do this, but I suspect your problem may be to do with firewall rules on the web server box, inside your LAN. External IP addresses disallowed through the LAN interface, perhaps? These days I do it all on the modem/router. Its firewall is up. It only allows through a webserver on occasions I'm temporarily running one (with a forwarding rule on the modem/router). All the client computers run their own firewalls. My public website is hosted externally. Where *they* have to deal with spam, security, uptime. And I don't have to keep a permanent IP, nor permanently running computer. -- [tim@localhost ~]$ uname -r 2.6.27.25-78.2.56.fc9.i686 Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.

On Tuesday 25 January 2011 10:44 PM, Tim wrote: no they do not .... I'm very sure about that -- °v° /(_)\ ^ ^ Jatin Khatri Registerd Linux user No #501175 www.counter.li.org No M$

On 01/25/2011 11:36 AM, Gene Heskett wrote: Or do what I do: host it at a third-party webhosting service.

On Wednesday 26 January 2011 01:06 AM, Gene Heskett wrote: I previously said that ..if I remove the firewall ....all the things works fine ... without any problem I don't think there is any problem regarding my ISP BTW .. I surprised that this kind of things/action can be take by the ISP -- °v° /(_)\ ^ ^ Jatin Khatri Registerd Linux user No #501175 www.counter.li.org No M$

On Wednesday 26 January 2011 10:21 PM, Tim wrote: Dear all I've got it working and it works like anything ... This[1] is the output of command service iptables status ---------[1]---------------------------------------------------------- Table: nat Chain PREROUTING (policy ACCEPT) num target prot opt source destination 1 DNAT all -- 0.0.0.0/0 xx.xx.xx.xx tcp dpt:80 to:192.168.131.131:80 2 DNAT all -- 0.0.0.0/0 192.168.131.133 tcp dpt:80 to:192.168.131.131:80 Chain POSTROUTING (policy ACCEPT) num target prot opt source destination 1 MASQUERADE all -- 192.168.131.131/24 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) num target prot opt source destination Table: filter Chain INPUT (policy ACCEPT) num target prot opt source destination Chain FORWARD (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination -- °v° /(_)\ ^ ^ Jatin Khatri Registerd Linux user No #501175 www.counter.li.org No M$

On Friday 28 January 2011 02:00 PM, Tim wrote: yes it is -- °v° /(_)\ ^ ^ Jatin Khatri Registerd Linux user No #501175 www.counter.li.org No M$

On Friday 28 January 2011 07:42 PM, Tim wrote: yes there is a linksys ADSL router ( with basic firewall ....with only port 80 is maped to internal port 80 ) basically that web server will be accessed by our remote branches users ( actually the web server is win2k3, our core application is published on it through IIS ) there are some policy for internal networks as well ... between the internal office department ( some departments on different subnets ) I've posted some part of iptables status ( to shorten the mail ) , there are some more policies , and at the end everything is rejected. Thnx Tim and all others for you input and suggestions -- °v° /(_)\ ^ ^ Jatin Khatri Registerd Linux user No #501175 www.counter.li.org No M$

On Friday 28 January 2011 04:37 PM, Jorge Fábregas wrote: that is corrected now ...... I came to know littlebit later Wow .... that I did not think about .... it must be only one host 192.168.131.131 ... I will correct it Thank you very much Jorge have a good day -- °v° /(_)\ ^ ^ Jatin Khatri Registerd Linux user No #501175 www.counter.li.org No M$

Jatin K <ssh.fedora <at> gmail.com> writes: On F14. Kernel configuration: $ less /boot/config-* search for NAT If configured as modules, see kernel modules: $ less /lib/modules/2.6.*/modules.dep search for nat (or nf_nat) Test: # modprobe nf_nat Other config files: # less /etc/sysconfig/iptables-config Also /proc fs. JB

On Tuesday, January 25, 2011 09:12:07 am Ian Pilcher wrote: Can the OP run wireshark and look for the packets? Also, if one does iptables -L -v -t nat -and- iptables -L -v before and after trying to send a packet from the Internet to his server, do the byte and packet counts for the nat iptables entries and the other iptables entries (for forwarding the packet) get incremented as expected?