Old 01-25-2011, 04:39 PM
Jatin K
 
Default iptables and NAT

On Tuesday 25 January 2011 10:44 PM, Tim wrote:
> On Wed, 2011-01-26 at 01:13 +1030, Tim wrote:
>> Then, you've got several things to think about:
> Another one: Does your ISP block remote access to port 80.
>

no they do not .... I'm very sure about that

> I forgot about that, lots of ISPs do that.
>
>


--
°v°
/(_)
^ ^ Jatin Khatri
Registered Linux user No #501175
www.counter.li.org
No M$

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 01-25-2011, 06:27 PM
Gene Heskett
 
Default iptables and NAT

On Tuesday, January 25, 2011 02:26:02 pm Tim did opine:

> On Wed, 2011-01-26 at 01:13 +1030, Tim wrote:
> > Then, you've got several things to think about:
> Another one: Does your ISP block remote access to port 80.
>
> I forgot about that, lots of ISPs do that.

Which is why I have a :85 in my web page's address.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Bore, n.:
A guy who wraps up a two-minute idea in a two-hour vocabulary.
-- Walter Winchell
 
Old 01-25-2011, 06:36 PM
Gene Heskett
 
Default iptables and NAT

On Tuesday, January 25, 2011 02:28:15 pm Jatin K did opine:

> On Tuesday 25 January 2011 10:44 PM, Tim wrote:
> > On Wed, 2011-01-26 at 01:13 +1030, Tim wrote:
> >> Then, you've got several things to think about:
> > Another one: Does your ISP block remote access to port 80.
>
> no they do not .... I'm very sure about that

It is far more common than the uninformed "experts" such as you think.
They block only the incoming port 80's so that if Joe & Judy Lunchbucket
want a web page, they have to use the ISP's servers, which the ISP then
wraps in advertising for additional revenue.

Don't believe it? Then try <http://gene.homelinux.net/gene>
Nothing, it is blocked. No ISP will admit to it because it would cost them
their 'common carrier' status at the FCC. I'll leave it to you to figure
out how to get around that block. There is a machine there, this one.

>
> > I forgot about that, lots of ISPs do that.


--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Bore, n.:
A guy who wraps up a two-minute idea in a two-hour vocabulary.
-- Walter Winchell
 
Old 01-25-2011, 10:14 PM
Jorge Fábregas
 
Default iptables and NAT

On 01/25/2011 01:13 PM, Jatin K wrote:
> iptables -t nat -A PREROUTING -d xx.xx.xx.xx -p tcp --dport 80 -j DNAT
> --to-destination 192.168.131.131

Ok, assuming your default policy is to drop, I think you'll need this rule:

iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

I'm assuming eth1 is your internal interface (and eth0 your external WAN
iface). This rule will allow the responses from your web-server to
pass-thru your firewall...

Also, if you leave all like this it won't work as you need to perform
"Source NAT or Masquerade" for your 192.168.131.131 ip (if you
don't...then it will leave your external interface as coming from
192.168.131.131 which of course is not valid ip for the internet). In
order for your webserver to send responses to a machine on the internet you
need to masquerade its ip. You can do this with this:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.131.0/24 -j MASQUERADE

That is, all traffic that will go out thru eth0, if the source network
is 192.168.131.0/24, then change the source ip to that of your eth0
(your WAN ip).

Try that and see if it works.

HTH,
Jorge
 
Old 01-26-2011, 12:35 AM
Joe Zeff
 
Default iptables and NAT

On 01/25/2011 11:36 AM, Gene Heskett wrote:
> They block only the incoming port 80's so that if Joe & Judy Lunchbucket
> want a web page, they have to use the ISP's servers, which the ISP then
> wraps in advertising for additional revenue.

Or do what I do: host it at a third-party webhosting service.
 
Old 01-26-2011, 12:41 AM
Gene Heskett
 
Default iptables and NAT

On Tuesday, January 25, 2011 08:40:02 pm Joe Zeff did opine:

> On 01/25/2011 11:36 AM, Gene Heskett wrote:
> > They block only the incoming port 80's so that if Joe & Judy
> > Lunchbucket want a web page, they have to use the ISP's servers,
> > which the ISP then wraps in advertising for additional revenue.
>
> Or do what I do: host it at a third-party webhosting service.

Which still leaves it far more difficult to control. It's mine, the pix are
mine and it all disappears if I want it to.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
It's not an optical illusion, it just looks like one.
-- Phil White
 
Old 01-26-2011, 03:27 AM
Tim
 
Default iptables and NAT

On Tue, 2011-01-25 at 22:43 +0530, Jatin K wrote:
> setup is like ADSL----> NIC 1 of firewall NIC 2 connects to the
> webserver
>
> if any request arrives to live ip on ADSL Router it sends it to the
> firewall ( I've tested it by running httpd on firewall and it works
> fine )

Okay, I've done something similar in the past:

dial-up modem to gateway box (firewall and NAT), with a webserver on
another box further inside the LAN.

Looking through my old firewall configuration file, I had, on the
firewall:

default input rules set to drop
default output rules set to allow
input accept rule for this traffic
temporary input log rule for this traffic (for debugging)
input nat table prerouting rule for this traffic
input accept state rule for established & related
temporary input log state rule for established & related

And, on the internal webserver:

default input rules set to drop
default output rules set to allow
input accept rule for this traffic
input accept state rule for established & related

You can play around with putting log rules ahead of your accept and
redirect rules, to see attempts that may or may not get through. And
log rules after them, to show what did get through.

And, since you're playing with NAT, the end of the firewall rule script
would have something like:

iptables --table nat --append POSTROUTING --out-interface ppp+ --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

It's been a hell of a long time since I've had to do this, but I suspect
your problem may be to do with firewall rules on the web server box,
inside your LAN. External IP addresses disallowed through the LAN
interface, perhaps?

These days I do it all on the modem/router. Its firewall is up. It
only allows through a webserver on occasions I'm temporarily running one
(with a forwarding rule on the modem/router). All the client computers
run their own firewalls.

My public website is hosted externally. Where *they* have to deal with
spam, security, uptime. And I don't have to keep a permanent IP, nor
permanently running computer.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



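A complete gateway rule set that puts together the pieces from Jorge's reply (DNAT, FORWARD, MASQUERADE) and Tim's reply (drop policies, a log rule for debugging, ip_forward). This is an added example, not code from the thread or from Fedora; it assumes the interface names, the 192.168.131.0/24 network and the xx.xx.xx.xx placeholder from the thread, and a DRY_RUN switch invented here that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: the complete gateway rule set assembled from the replies above.
# Interface names and addresses follow the thread; adjust them for your box.
WAN_IF="${WAN_IF:-eth0}"                # external NIC, towards the ADSL router
LAN_IF="${LAN_IF:-eth1}"                # internal NIC, towards the web server
WEB_IP="${WEB_IP:-192.168.131.131}"
LAN_NET="${LAN_NET:-192.168.131.0/24}"
PUBLIC_IP="${PUBLIC_IP:-xx.xx.xx.xx}"   # placeholder from the original post: the address the router forwards to
DRY_RUN="${DRY_RUN:-0}"                 # DRY_RUN=1 prints the commands instead of running them (root needed otherwise)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_rules() {
    # Default-deny for the gateway itself and for forwarded traffic; the LAN side may still reach the box.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -j ACCEPT

    # 1. Rewrite inbound TCP/80 to the internal web server (the poster's DNAT rule, -p tcp spelled right).
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP"

    # 2. Forward only what was just DNAT'd: TCP/80 to the web server, nothing else from the WAN side.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_IP" -p tcp --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # 3. Jorge's rule: replies from the web server travel back out, plus plain LAN browsing.
    run iptables -A FORWARD -i "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # 4. Tim's debugging tip: log (rate-limited) whatever falls through before the DROP policy bites.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # 5. Source NAT on the way out. POSTROUTING lives in the nat table, so -t nat is required.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # 6. Routing between the two NICs is off until ip_forward is switched on.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Apply only when asked explicitly, e.g. "sudo sh fw.sh apply" or "DRY_RUN=1 sh fw.sh apply".
if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it with DRY_RUN=1 first to review the exact commands, then compare the live result with `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` while fetching the page from outside.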
 
Old 01-26-2011, 02:49 PM
Jatin K
 
Default iptables and NAT

On Wednesday 26 January 2011 04:44 AM, Jorge Fábregas wrote:
> On 01/25/2011 01:13 PM, Jatin K wrote:
>> iptables -t nat -A PREROUTING -d xx.xx.xx.xx -p tcp --dport 80 -j DNAT
>> --to-destination 192.168.131.131
> Ok, assuming your default policy is to drop, I think you'll need this rule:
>
> iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I'm assuming eth1 is your internal interface (and eth0 your external WAN
> iface). This rule will allow the responses from your web-server to
> pass-thru your firewall...
>
> Also, if you leave all like this it won't work as you need to perform
> "Source NAT or Masquerade" for your 192.168.131.131 ip (if you
> don't...then it will leave your external interface as coming from
> 192.168.131.131 which of course is not valid ip for the internet). In
> order for your webserver to send responses to a machine on the internet you
> need to masquerade its ip. You can do this with this:
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.131.0/24 -j MASQUERADE

I've not tried this .... thanks for the suggestion

I will try it and let the list know
> That is, all traffic that will go out thru eth0, if the source network
> is 192.168.131.0/24, then change the source ip to that of your eth0
> (your WAN ip).
>
> Try that and see if it works.
>
> HTH,
> Jorge


--
°v°
/(_)
^ ^ Jatin Khatri
Registered Linux user No #501175
www.counter.li.org
No M$

 
Old 01-26-2011, 02:57 PM
Jatin K
 
Default iptables and NAT

On Wednesday 26 January 2011 01:06 AM, Gene Heskett wrote:
> On Tuesday, January 25, 2011 02:28:15 pm Jatin K did opine:
>
>> On Tuesday 25 January 2011 10:44 PM, Tim wrote:
>>> On Wed, 2011-01-26 at 01:13 +1030, Tim wrote:
>>>> Then, you've got several things to think about:
>>> Another one: Does your ISP block remote access to port 80.
>> no they do not .... I'm very sure about that
> It is far more common than the uninformed "experts" such as you think.
> They block only the incoming port 80's so that if Joe & Judy Lunchbucket
> want a web page, they have to use the ISP's servers, which the ISP then
> wraps in advertising for additional revenue.
I previously said that ... if I remove the firewall ... all the things
work fine ... without any problem

I don't think there is any problem regarding my ISP

BTW ... I'm surprised that this kind of thing/action can be taken by the ISP


> Don't believe it? Then try <http://gene.homelinux.net/gene>
> Nothing, it is blocked. No ISP will admit to it because it would cost them
> their 'common carrier' status at the FCC. I'll leave it to you to figure
> out how to get around that block. There is a machine there, this one.
>
>>> I forgot about that, lots of ISPs do that.
>


--
°v°
/(_)
^ ^ Jatin Khatri
Registered Linux user No #501175
www.counter.li.org
No M$

 
Old 01-26-2011, 03:51 PM
Tim
 
Default iptables and NAT

On Wed, 2011-01-26 at 21:27 +0530, Jatin K wrote:
> I'm surprised that this kind of thing/action can be taken by the ISP

Over here, in Australia...

Some ISPs block port 80 by default, though you may enable it. I seem to
recall that was an ISP-reaction to a worm.

Some ISPs block port 80, unless you pay extra for a business account.
Partially as a way for them to get more money out of you, partially
because their usual consumer configuration is designed more for traffic
flowing in the other direction.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



 
