HTTP SERVER ON FORWARDED MACHINE

From: JoeAley2003 (joealey2003_at_yahoo.com)
Date: 08/23/04

• Next message: John-Paul Stewart: "Re: HTTP SERVER ON FORWARDED MACHINE"
• Previous message: Peter Hille: "Re: iptables with multiple vpn connection"
• Next in thread: John-Paul Stewart: "Re: HTTP SERVER ON FORWARDED MACHINE"
• Reply: John-Paul Stewart: "Re: HTTP SERVER ON FORWARDED MACHINE"
• Reply: Jose Maria Lopez Hernandez: "Re: HTTP SERVER ON FORWARDED MACHINE"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: 23 Aug 2004 07:55:04 -0700

Hi all...

 I have a redhat linux 9 connected to the internet and 1 computer that
receives internet forwarded from the linux.

 What i need is to run a valid on internet http server on this
forwarded computer where i run apache on port 80.

 Anyone can help with iptables or anything? I know that a transparent
proxy is very similar, but it doesn't work.

 Here goes my script anyway...

//////////////////////////////

#! /bin/sh
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
IFACE_INTERNET=eth0
IFACE_LOCALLAN=eth2
IFACE_LOCALLAN_2=eth1

############################ SETTING UP IP ADDRESS
###########################

########################## ETH 0 #################

if=`ifconfig $ife 2>/dev/null | grep 'inet ' | sed s/[[:alpha:]:]//g |
gawk '{ print $1"/"$3" "$2 }'`
 if [ ! "$if" ]; then
  echo -e "Error: Interface $ife is down - failed to initialize"
  exit 1
 fi;

 IP_INTERNET=`echo $if | cut -f1 -d'/'`
 BROADCAST_INTERNET=`echo $if | cut -f2 -d' '`
 NET_INTERNET=`echo $if | cut -f1 -d' '`
 
########################## ETH 1 & ETH 2 #################

 #ife2=`echo $ife | cut -f1 -d:` # cut off alias

 #declare -i c=0
 #for i in $ifi; do
# if=`ifconfig $i 2>/dev/null | grep 'inet ' | sed s/[[:alpha:]:]//g
| gawk '{ print $1"/"$3" "$2 }'`
# if [ ! "$if" ]; then
# echo -e "Error: Interface $i is down - failed to initialize"
# exit 1
# fi;
  
    
         
  #lan_if_ip[$c]=`echo $if | cut -f1 -d'/'`
  #lan_if_bc[$c]=`echo $if | cut -f2 -d' '`
  #local_net[$c]=`echo $if | cut -f1 -d' '`
  
  
# ((c=c+1))
# done;

#IP_INTERNET=200.167.253.63
#BROADCAST_INTERNET=200.167.253.255

IP_LOCALLAN=194.168.0.1
IP_LOCALLAN_2=193.168.0.1

SUBNET_LOCALLAN=194.168.0.0/24
SUBNET_LOCALLAN_2=193.168.0.0/24
BROADCAST_LOCALLAN=194.168.0.255
BROADCAST_LOCALLAN_2=193.168.0.255

########################### END SETTING UP NET ADDRESSES
#####################

#
# (0) Flush existing stuff
#
$IPTABLES --flush
$IPTABLES --table nat --flush
$IPTABLES --delete-chain
$IPTABLES --table nat --delete-chain
#
# (a) Start connection tracking
#
$MODPROBE ip_tables
$MODPROBE ip_conntrack
$MODPROBE iptable_filter
$MODPROBE iptable_mangle
$MODPROBE iptable_nat
$MODPROBE ipt_LOG
$MODPROBE ipt_limit
$MODPROBE ipt_state
$MODPROBE ipt_MASQUERADE
#
# (1) Policies (default)
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# (2) User-defined chain for ACCEPTed TCP packets
#
#### $IPTABLES -N okay
#### $IPTABLES -A okay -p TCP --syn -j ACCEPT
#### $IPTABLES -A okay -p TCP -m state --state ESTABLISHED,RELATED -j
ACCEPT
#### $IPTABLES -A okay -p TCP -j DROP
#
# (log)
#
$IPTABLES -N log
#
# (3) INPUT chain rules
#
#allow this stuff before we log:
$IPTABLES -A INPUT -p ALL -i $IFACE_LOCALLAN -s $SUBNET_LOCALLAN -j
ACCEPT
$IPTABLES -A INPUT -p ALL -i $IFACE_LOCALLAN_2 -s $SUBNET_LOCALLAN_2
-j ACCEPT
$IPTABLES -A INPUT -p ALL -i $IFACE_INTERNET -m state --state
ESTABLISHED,RELATED -j ACCEPT

######################################$IPTABLES -A INPUT -p UDP -m udp
--sport 67 --dport 68 -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $IFACE_INTERNET -d $BROADCAST_LOCALLAN -j
ACCEPT
$IPTABLES -A INPUT -p ALL -i $IFACE_INTERNET -d $BROADCAST_LOCALLAN_2
-j ACCEPT

#drop this stuff before we log:
#### $IPTABLES -A INPUT -p udp -i $IFACE_INTERNET -d
$BROADCAST_INTERNET -j DROP
#### $IPTABLES -A INPUT -p udp -i $IFACE_INTERNET -m udp --dport 53 -j
DROP
#send this off to be logged:
#COARSE:
#### $IPTABLES -A INPUT -p TCP -m tcp --dport 0:1023 -m state --state
NEW -j LOG --log-prefix "LOW PORT TCP CONNECTION:"
#### $IPTABLES -A INPUT -p UDP -m udp --dport 0:1023 -m state --state
NEW -j LOG --log-prefix "LOW PORT UDP CONNECTION:"
#FINE:
#### $IPTABLES -A INPUT -p TCP -m state --state NEW -m tcp --dport
1024:65535 -j LOG --log-prefix "HIGH PORT TCP CONNECTION:"
#### $IPTABLES -A INPUT -p UDP -m state --state NEW -m udp --dport
1024:65535 -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
#### $IPTABLES -A INPUT -p TCP -m tcp ! --tcp-flags SYN,RST,ACK SYN
-m state --state NEW -j LOG --log-prefix "NEW NOT SYN:"
#Rules for incoming packets from the Internet
#### $IPTABLES -A INPUT -p TCP -i $IFACE_INTERNET -s 0/0 --dport 22 -j
okay
#
# (4) FORWARD chain rules
#
#Accept the packets we want to forward
#### $IPTABLES -A FORWARD -p TCP -m tcp -o $IFACE_INTERNET -m state
--state NEW -j LOG --log-prefix "OUTGOING TCP CONNECTION:"
#### $IPTABLES -A FORWARD -p UDP -m udp -o $IFACE_INTERNET -m state
--state NEW -j LOG --log-prefix "OUTGOING UDP CONNECTION:"
$IPTABLES -A FORWARD -i $IFACE_LOCALLAN -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_LOCALLAN_2 -j ACCEPT

$IPTABLES -A FORWARD -i $IFACE_INTERNET -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# (5) OUTPUT chain rules
#Only output packets with local addresses (no spoofing)
$IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $IP_LOCALLAN -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $IP_LOCALLAN_2 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $IP_INTERNET -j ACCEPT
# (6) POSTROUTING chain rules
$IPTABLES -t nat -A POSTROUTING -o $IFACE_INTERNET -j MASQUERADE
#########################
# PORT 21##
#########################
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 20:21 -j ACCEPT
#########################

echo -e "Done!"

---

• Next message: John-Paul Stewart: "Re: HTTP SERVER ON FORWARDED MACHINE"
• Previous message: Peter Hille: "Re: iptables with multiple vpn connection"
• Next in thread: John-Paul Stewart: "Re: HTTP SERVER ON FORWARDED MACHINE"
• Reply: John-Paul Stewart: "Re: HTTP SERVER ON FORWARDED MACHINE"
• Reply: Jose Maria Lopez Hernandez: "Re: HTTP SERVER ON FORWARDED MACHINE"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages HTTP SERVER ON FORWARDED MACHINE ... receives internet forwarded from the linux. ... Anyone can help with iptables or anything? ... $MODPROBE ip_conntrack ... # FORWARD chain rules ... (comp.os.linux.misc) HTTP SERVER ON FORWARDED MACHINE ... receives internet forwarded from the linux. ... Anyone can help with iptables or anything? ... $MODPROBE ip_conntrack ... # FORWARD chain rules ... (comp.os.linux) HTTP SERVER ON FORWARDED MACHINE ... receives internet forwarded from the linux. ... Anyone can help with iptables or anything? ... $MODPROBE ip_conntrack ... # FORWARD chain rules ... (comp.security.firewalls) HTTP SERVER ON FORWARDED MACHINE ... receives internet forwarded from the linux. ... Anyone can help with iptables or anything? ... $MODPROBE ip_conntrack ... # FORWARD chain rules ... (comp.os.linux.networking) Re: IPTABLES Beginner Example Needed! ... after i runned this script nothing works on my computer. ... > I think i just need the translation to iptables. ... $MODPROBE ip_conntrack ... # FORWARD chain rules ... (linux.redhat)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.os.linux.security  > 2004-08