Thursday, January 20, 2011

Linux IPTables / routing issue

Hi all,

EDIT 1/3/10 22:00 GMT - rewrote some of it after further investigation

It has been a while since I looked at iptables, and I seem to be worse at it than before, as I cannot seem to get my webserver online. Below are my firewall rules on the gateway server that is running the DHCP server and accessing the net. The webserver is inside my network on a static IP (192.168.0.98, default port).

When I use Nmap or GRC.com I see that port 80 is open on the gateway server, but when I browse to it via the public URL (http://www.houseofhawkins.com) it always fails with a connection error (nmap cannot connect and figure out what the web server is either).

I can nmap the webserver and browse to it just fine via same IP inside my network. I believe it is my IPTable rules that are not letting it through.

Internally I can route all my requests. Each machine can browse to the website and traffic works just fine. I can MSTSC / ssh to all the webservers internally, and they in turn can connect to the web.

IPTABLE:

*EDIT - Added new firewall rules 2/3/10 *

#!/bin/sh

iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
depmod="/sbin/depmod"

EXTIF="eth2"   # external (internet-facing) interface
INTIF="eth1"   # internal LAN interface

load () {

  $depmod -a

  # connection tracking, NAT and the FTP/IRC helpers
  $modprobe ip_tables
  $modprobe ip_conntrack
  $modprobe ip_conntrack_ftp
  $modprobe ip_conntrack_irc
  $modprobe iptable_nat
  $modprobe ip_nat_ftp

  echo "enable forwarding.."
  echo "1" > /proc/sys/net/ipv4/ip_forward
  echo "enable dynamic addr"
  echo "1" > /proc/sys/net/ipv4/ip_dynaddr

  # start firewall

  # default policies: drop everything not explicitly accepted below
  $iptables -P INPUT DROP
  $iptables -F INPUT
  $iptables -P OUTPUT DROP
  $iptables -F OUTPUT
  $iptables -P FORWARD DROP
  $iptables -F FORWARD
  $iptables -t nat -F

  #echo "   Opening loopback interface for socket based services."
  $iptables -A INPUT -i lo -j ACCEPT
  $iptables -A OUTPUT -o lo -j ACCEPT

  #echo "   Allow all connections OUT and only existing and related ones IN"
  $iptables -A INPUT -i $INTIF -j ACCEPT
  $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $iptables -A OUTPUT -o $EXTIF -j ACCEPT
  $iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
  $iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
  # LOG is non-terminating: packets are logged here and then continue down the chain
  $iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "

  $iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
  $iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "

  #echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
  $iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

  $iptables -A INPUT -i $INTIF -j ACCEPT
  $iptables -A OUTPUT -o $INTIF -j ACCEPT

  #echo "   Allowing packets with ICMP data (i.e. ping)."
  $iptables -A INPUT -p icmp -j ACCEPT
  $iptables -A OUTPUT -p icmp -j ACCEPT

  # DHCP requests from the LAN (this box is the DHCP server)
  $iptables -A INPUT -p udp -i $INTIF --dport 67 -m state --state NEW -j ACCEPT

  #echo "   Port 137 is for NetBIOS."
  $iptables -A INPUT -i $INTIF -p udp --dport 137 -j ACCEPT
  $iptables -A OUTPUT -o $INTIF -p udp --dport 137 -j ACCEPT

  #echo "   Opening port 53 for DNS queries."
  $iptables -A INPUT -p udp -i $EXTIF --sport 53 -j ACCEPT

  #echo "   opening Apache webserver"
  $iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.0.96:80
  $iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.0.96 --dport 80 -j ACCEPT

}

flush () {

  echo "flushing rules..."
  $iptables -P FORWARD ACCEPT
  $iptables -F INPUT
  $iptables -P INPUT ACCEPT
  echo "rules flushed"

}

case "$1" in

  start|restart)
    flush
    load
    ;;
  stop)
    flush
    ;;
  *)
    echo "usage: start|stop|restart."
    ;;

esac
exit 0

route info:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
5e0412a6.bb.sky *               255.255.255.255 UH    0      0        0 eth2
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         5e0412a6.bb.sky 0.0.0.0         UG    100    0        0 eth2

ifconfig:

eth1      Link encap:Ethernet  HWaddr 00:22:b0:cf:4a:1c
      inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
      inet6 addr: fe80::222:b0ff:fecf:4a1c/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:79023 errors:0 dropped:0 overruns:0 frame:0
      TX packets:57786 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:11580918 (11.5 MB)  TX bytes:22872030 (22.8 MB)
      Interrupt:17 Base address:0x2b00

eth2      Link encap:Ethernet  HWaddr 00:0c:f1:7c:45:5b
      inet addr:94.4.18.166  Bcast:94.4.18.166  Mask:255.255.255.255
      inet6 addr: fe80::20c:f1ff:fe7c:455b/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:57038 errors:0 dropped:0 overruns:0 frame:0
      TX packets:34532 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:21631721 (21.6 MB)  TX bytes:7685444 (7.6 MB)

lo        Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0
      inet6 addr: ::1/128 Scope:Host
      UP LOOPBACK RUNNING  MTU:16436  Metric:1
      RX packets:16 errors:0 dropped:0 overruns:0 frame:0
      TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:1517 (1.5 KB)  TX bytes:1517 (1.5 KB)

EDIT

OK so as requested I will try and expand on my infrastructure:

I previously had it set up with a Sky broadband modem router that did the DHCP, and I used its web interface to port forward the web across to the web server. The network looked something like this:

Layout Graphic

I have now replaced the sky modem with a dlink modem which gives the IP to the gateway server that now does the DHCP. It looks like:

Layout Graphic

The internet connection is a standard broadband connection with a dynamic IP, (use zoneedit.com to keep it updated).

I have tried it on each of the webservers (one Ubuntu Apache server and one WS2008 IIS7).

I think there must also be an issue with my iptables rules, as it can route to my Win7 box, which has the default IIS7 page, and that would not display when I forwarded all port 80 to it.

I would be really grateful for any and all help with this.

Thanks

Jon

  • Please describe in detail how all your servers are physically connected including ethernet cable routing and any switch configuration.

    You may have issues using network address translation via your gateway, as it's daisy-chained to a router. What sort of router? What sort of Internet connection? Can you connect your gateway directly to the Internet? It should be the primary router.

    Regardless, we should be able to isolate the cause of the communication issue with your gateway and Web server.

    Do you have any firewall rules on your Web server? Please verify and be certain.

    What does the routing table and interface list look like on your Web server?

    Enable logging for easier debugging:

    $iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
    $iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
    


    Edit 1

    Thanks for the update and diagrams. Good stuff. I'm not certain that I understand the difference in performance between the IIS and Apache server. Can both be contacted via the gateway on port 80?

    Have you added the logging statements? That will help.

    I will review everything in detail again later this evening.

    Edit 2

    Oh, it sounds like the DNAT doesn't work. Previously, it read like you were having trouble communicating internally between your gateway and your Web servers as well.

    Try replacing:

    $iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.0.98:80
    $iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.0.98 --dport 80 -j ACCEPT

    With:

    $iptables -A PREROUTING -t nat -p tcp -d 94.4.18.166 --dport 80 -j DNAT --to-destination 192.168.0.98:80

    Edit 3

    Script it. For example:

    EXTIP=`/sbin/ifconfig $EXTINT | grep 'inet addr' |awk '{print $2}' | sed 's/addr://g'`
    $iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 -j DNAT --to-destination 192.168.0.98:80
    

    Any additional logic can be added based on whatever desired performance.

    Jon : added logging and pics / description of network.
    Jon : Hi Warner, added the two log statements in. Not sure where it records the logging in the system. couldn't find anything saying "Dropped by firewall:" Thanks for the help, very grateful. Have updated my post with new info.
    Jon : Hi Warner, I am worried that this solution may work at the moment but I have a dynamic public IP and when that changed the firewalls would break again.
    Jon : oh that's clever!!!! (will look at that tonight). I think I might have found something out, (at work atm), but it would seem the site is working from outside my home network, but no one is home to test if it is working side network. I am guessing that there is something happening from inside my network that is stopping the routing working correctly, but from the outside world it works fine. Will have to check and confirm this tonight.
    Warner : It wasn't last night but is now. I suspect you changed the rules?
    Jon : I will have to double check and repost the new rule set. I was working through a number of sites checking what may have wrong. Thanks for all the help, very grateful. :)
    Warner : You're welcome! Just don't forget to rate/accept, please.
    Jon : OK, updated firewall rules. Thought I would install gnome desktop on server just to see what the browser can do from there and it can see the internal webserver.
    From Warner
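The thread ends with two loose ends: the answer's Edit 3 sketches how to read the dynamic external address at run time, and Jon's later comment reports the site working from outside but possibly not from inside the LAN. The script below is an added example written for this page; it is not the poster's script or the answerer's code. It turns the Edit 3 idea into a testable function, emits the DNAT rule set built on the answer's `-d <external IP>` form, and also adds the "hairpin" rules a LAN client needs when it browses to the public address through the same gateway (the DNAT must also match on the internal interface, the eth1-to-eth1 forward must be accepted, and the client's source must be masqueraded so the web server's reply goes back via the gateway rather than straight to the client). Assumptions: interface names eth1/eth2 and the 192.168.0.0/24 subnet are taken from the posted route table, the web server address is the 192.168.0.98 used in the answer (the posted script itself forwards to 192.168.0.96, so check which one is live), and the function names, the `apply` argument and the `DRY_RUN` variable are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's script or the answerer's code: builds the
# port-80 DNAT rule set around the external IP read at run time (the answer's
# Edit 3 idea) and adds the hairpin rules needed when LAN hosts browse to the
# public address. Run as "sh forward80.sh apply" on the gateway, or with
# DRY_RUN=1 to print the rules instead of applying them.

EXTIF="${EXTIF:-eth2}"               # external interface, as in the post
INTIF="${INTIF:-eth1}"               # internal interface, as in the post
LANNET="${LANNET:-192.168.0.0/24}"   # LAN subnet, from the posted route table
WEBSRV="${WEBSRV:-192.168.0.98}"     # internal web server, as in the answer
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Constructed sample for testing: the eth2 block from the posted ifconfig output.
SAMPLE_IFCONFIG='eth2      Link encap:Ethernet  HWaddr 00:0c:f1:7c:45:5b
          inet addr:94.4.18.166  Bcast:94.4.18.166  Mask:255.255.255.255
          inet6 addr: fe80::20c:f1ff:fe7c:455b/64 Scope:Link'

# Print the first IPv4 address found in ifconfig-style output read on stdin.
# Same job as the grep/awk/sed pipeline in the answer, but it also accepts
# the newer "inet 1.2.3.4" layout; "inet6" lines are skipped because $1 must
# be exactly "inet".
extract_ext_ip() {
    awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }'
}

# Emit the port-80 forwarding rules for external address $1, one per line.
# DNAT runs in nat/PREROUTING before FORWARD sees the packet, so the FORWARD
# rules match the translated destination ($WEBSRV), not the public address.
# No "-i $EXTIF" on the DNAT rule: LAN clients hitting the public IP arrive
# on $INTIF and must be translated too (hairpin NAT).
port80_rules() {
    extip="$1"
    cat <<EOF
$IPTABLES -t nat -A PREROUTING -p tcp -d $extip --dport 80 -j DNAT --to-destination $WEBSRV:80
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $WEBSRV --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $INTIF -p tcp -d $WEBSRV --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $INTIF -s $LANNET -d $WEBSRV -p tcp --dport 80 -j MASQUERADE
EOF
}

# Look up the live external address and apply (or, with DRY_RUN set, print)
# the rules. Returns 1 if the interface has no IPv4 address yet.
apply_port80_forward() {
    extip=$(/sbin/ifconfig "$EXTIF" | extract_ext_ip)
    if [ -z "$extip" ]; then
        echo "no IPv4 address on $EXTIF" >&2
        return 1
    fi
    if [ -n "${DRY_RUN:-}" ]; then
        port80_rules "$extip"
    else
        port80_rules "$extip" | sh -e
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply_port80_forward
fi
```

Because the rules are built from the address the interface holds right now, the script has to be re-run whenever the dynamic IP changes (for example from whatever hook updates zoneedit.com), which addresses Jon's worry in the comments. The `ESTABLISHED,RELATED` FORWARD rule should sit before any LOG or DROP rule in the base policy, otherwise every reply packet is logged as "Dropped by firewall:" even though it is accepted. On the logging question in the comments: `--log-level 7` is the debug level, and whether a syslog daemon writes debug-level kernel messages to a file depends on its configuration, but `dmesg | grep 'Dropped by firewall'` reads them from the kernel ring buffer either way.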
