arndawg (Tux's lil' helper; Joined: 02 Jun 2006; Posts: 97)
Posted: Tue Aug 28, 2007 10:52 am    Post subject: Iptables. Reaching your own public IPs from internal network
I have a firewall running iptables. One NIC connected to WAN with multiple public IPs and one for the internal stuff. Typical config.
The problem is that I can't reach the public IPs from my internal network. Well, that's not 100% true. Because it will work sometimes, but most of the time it doesn't. The public IPs are forwarded to internal computers.
Anyone know what to start looking at? I can't figure it out.
mrbig4545 (Tux's lil' helper; Joined: 03 Jun 2004; Posts: 124)
Posted: Tue Aug 28, 2007 10:52 pm
I'm not too sure if I can help, because I've only just set up iptables, but I'll give it a go.
What's the output of
Mine looks like this, may help. I'm not really sure what most of it does, as it's lots of different examples put together, but it works for me!
Code:
# Generated by iptables-save v1.3.8 on Tue Aug 28 23:53:33 2007
*mangle
:PREROUTING ACCEPT [40152712:21827734346]
:INPUT ACCEPT [737083:709600814]
:FORWARD ACCEPT [39419909:21118786947]
:OUTPUT ACCEPT [594614:257469123]
:POSTROUTING ACCEPT [40016055:21376998358]
COMMIT
# Completed on Tue Aug 28 23:53:33 2007
# Generated by iptables-save v1.3.8 on Tue Aug 28 23:53:33 2007
*nat
:PREROUTING ACCEPT [400594:34766539]
:POSTROUTING ACCEPT [353809:30956807]
:OUTPUT ACCEPT [10259:1692011]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Aug 28 23:53:33 2007
# Generated by iptables-save v1.3.8 on Tue Aug 28 23:53:33 2007
*filter
:INPUT ACCEPT [172235:166656056]
:FORWARD ACCEPT [23:3548]
:OUTPUT ACCEPT [594633:257471663]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i ppp0 -p icmp -j DROP
-A INPUT -i ppp0 -p udp -m udp --dport 0:15000 -j DROP
-A INPUT -i ppp0 -p tcp -m tcp --dport 0:15000 -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 10.0.0.0/255.255.255.0 -i br0 -j DROP
-A FORWARD -s 10.0.0.0/255.255.255.0 -i br0 -j ACCEPT
-A FORWARD -d 10.0.0.0/255.255.255.0 -i ppp0 -j ACCEPT
COMMIT
# Completed on Tue Aug 28 23:53:33 2007
with ppp0 being my internet connection, and br0 being my internal network.
embobo (Guru; Joined: 19 May 2003; Posts: 311)
Posted: Tue Aug 28, 2007 11:26 pm
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html
Quote:
One way is to run an internal DNS server which knows the real (internal) IP address of your public web site, and forward all other requests to an external DNS server. This means that the logging on your web server will show the internal IP addresses correctly.
The other way is to have the NAT box also map the source IP address to its own for these connections, fooling the server into replying through it.
The problem with #2 is that the internal servers see all the internal traffic as coming from the firewall, which may screw up logging and IP-based security mechanisms.
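The SNAT option the HOWTO describes (option #2 above), as an added example that is not code from the thread: a dry-run shell script that emits the hairpin NAT rules for one forwarded service. The interface names, the LAN subnet, the firewall address and the public IP 203.0.113.10 are constructed assumptions. The second DNAT catches LAN clients that address the public IP; the POSTROUTING SNAT is what makes the server answer through the firewall rather than straight to the client, which would otherwise discard a reply from an address it never sent to.

```shell
#!/bin/sh
# Added example: hairpin (loopback) NAT rules for one published service.
# Constructed values, not taken from the thread: WAN eth0, LAN eth1,
# LAN subnet 192.168.1.0/24, firewall LAN address 192.168.1.1.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
FW_LAN_IP=192.168.1.1
# Dry run by default: the rules are printed. Set IPT=iptables (as root) to apply them.
# $IPT is deliberately left unquoted below so "echo iptables" splits into two words.
IPT=${IPT:-echo iptables}

# hairpin_rules PUBLIC_IP PROTO PORT INTERNAL_IP
hairpin_rules() {
    pub=$1; proto=$2; port=$3; int=$4
    # 1. Ordinary port forward for connections arriving from the Internet.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$int:$port"
    # 2. The same DNAT for LAN clients that address the public IP; without it the
    #    packet is delivered to the firewall's own stack instead of to the server.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$pub" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$int:$port"
    # 3. The hairpin: forwarded LAN->LAN connections get the firewall's address as
    #    source, so the server answers via the firewall. Otherwise it replies straight
    #    to the client, which expects an answer from $pub and discards it.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$int" -p "$proto" --dport "$port" \
        -j SNAT --to-source "$FW_LAN_IP"
    # 4. Let the forwarded connection through the filter table.
    $IPT -A FORWARD -d "$int" -p "$proto" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

# Self-check helper (dry-run mode): number of SNAT rules in the generated set, expected 1.
snat_rule_count() {
    hairpin_rules "$@" | grep -c -- '-j SNAT'
}

# Publish TCP/80 on the constructed public IP 203.0.113.10 to internal host 192.168.1.20.
hairpin_rules 203.0.113.10 tcp 80 192.168.1.20
```

Run as is, the script only prints the four commands; `IPT=iptables sh hairpin.sh` applies them and needs root. One such set is needed per forwarded public IP and port.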
arndawg (Tux's lil' helper; Joined: 02 Jun 2006; Posts: 97)
Posted: Wed Aug 29, 2007 7:50 am
embobo wrote:
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html
Quote:
One way is to run an internal DNS server which knows the real (internal) IP address of your public web site, and forward all other requests to an external DNS server. This means that the logging on your web server will show the internal IP addresses correctly.
The other way is to have the NAT box also map the source IP address to its own for these connections, fooling the server into replying through it.
The problem with #2 is that the internal servers see all the internal traffic as coming from the firewall, which may screw up logging and IP-based security mechanisms.
Thanks. Guess I just have to take the SNAT route. But the thing that bothers me is that it's totally random whether it works or not. Do you have an explanation for that?