iptables help
Nathan England
nathan at paysonlinux.org
Fri Apr 29 09:33:44 MST 2011
Thank you greatly for the help! I resolved it. One of my lines was
mistyped, and when I found it I promptly deleted it! Then realized I
should have posted it so everyone would know what the offending line
was... sorry.
It was a proper line, but the system would work until I entered that
rule in, then all would stop. Oh well, it works now! Thanks again!
On Thu, Apr 28, 2011 at 7:40 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
> Hey Nathan,
>
> Howzit goin?
>
> Here's that "love":
>
> On Thu, Apr 28, 2011 at 5:41 PM, Nathan England <nathan at paysonlinux.org>
> wrote:
>>
>> I'm running a fedora 14 machine with eth0 being internal and eth1
>> being external. It is set up for transparent proxying with dansguardian
>> and squid. All works well. I also have apache running for web
>> development on port 80, and I can access it. However, I want to access
>> that web server from the outside world. I cannot for the life of me
>> (at least within the limits of my patience) get port 80 open on the
>> external interface so I can access the web server.
>>
>> Can anyone offer some advice to make iptables show me some love? Or
>> can I not do this all on the one machine?
>
> Dansguardian comes with basic iptables that look something like this:
>
> # Allow port 8080 (Dansguardian) to receive connections
> iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
>
> # Redirect port 80 to Dansguardian (port 8080)
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
>
> # Allow outgoing connections from the LAN side.
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> # Masquerade.
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> # Don't forward from the outside (eth1) to the inside (eth0).
> iptables -A FORWARD -i eth1 -o eth0 -j REJECT
>
> ==end example==
>
> So, I assume you aren't doing NAT, but you don't want to have the reject
> statement?
>
> test:
>
> # /sbin/iptables-save |grep REJECT
> # /sbin/iptables-save >file
> # cp file file-new
> # vi file-new == change your order or read your whole tables and edit (or
> post to the list so we can do it for you)
> # /sbin/iptables-restore <file-new
>
> TEST your internal to external port 80
>
> Works? Save
> # /etc/init.d/iptables save
>
> No joy? Rollback
> # /sbin/iptables -F (don't do this if you are doing NAT or in production)
> # /sbin/iptables-restore <file
> # /etc/init.d/iptables save
>
> And remember if you get stuck, post your whole iptables here (obfuscating
> real IP addresses, etc) and we will fix it for ya.
>
> Also check this great resource:
>
> http://www.krr.org/linux/debian/HOWTO_QUICKIE_-_install_dansguardian.php
>>
>>
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Nathan England
>> I believe in the Constitution and the 4th Amendment. I am innocent and
>> have nothing to hide, but NO agent of the state crosses my threshold
>> without a valid warrant signed by a judge and properly submitted. If
>> we fail to exercise our rights, we lose them.
>
> --
> (503) 754-4452 iPhone
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
>
> http://www.it-clowns.com
>
> "If Python is executable pseudocode, then perl is executable line noise."
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathan England
I believe in the Constitution and the 4th Amendment. I am innocent and
have nothing to hide, but NO agent of the state crosses my threshold
without a valid warrant signed by a judge and properly submitted. If
we fail to exercise our rights, we lose them.
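The layout from the quoted question (eth0 = LAN, eth1 = Internet, DansGuardian on 8080, Apache on 80) and Lisa's save/test/rollback routine, as an added example that is not from the thread: a candidate ruleset that opens port 80 on the outside interface while keeping the transparent redirect LAN-only, loaded with an automatic revert so one mistyped rule cannot cut you off. The /sbin paths, interface names, ports and timeout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: eth0 = LAN, eth1 = Internet,
# DansGuardian on 8080, Apache on 80, Fedora-style /sbin paths.
LAN=${LAN:-eth0}; WAN=${WAN:-eth1}; PROXY_PORT=${PROXY_PORT:-8080}
IPT_SAVE=${IPT_SAVE:-/sbin/iptables-save}
IPT_RESTORE=${IPT_RESTORE:-/sbin/iptables-restore}
ROLLBACK_SECS=${ROLLBACK_SECS:-60}
# Emit the whole candidate in iptables-save format so it loads atomically.
build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Transparent proxy: only LAN-side port 80 is diverted to DansGuardian.
-A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -p tcp --dport $PROXY_PORT -j ACCEPT
# The REDIRECT never touches $WAN, so this is the rule that actually
# exposes Apache: accept new port-80 connections on the outside interface.
-A INPUT -i $WAN -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $WAN -o $LAN -j REJECT
COMMIT
EOF
}
# Save the live tables, load the candidate, then put the backup back unless
# $1 (a confirm file you touch from a second session) appears in time.
# Returns 0 if the candidate was kept, 1 if it was rolled back.
apply_with_rollback() {
    confirm=$1; backup=$(mktemp) || return 1
    "$IPT_SAVE" > "$backup" || return 1
    if ! build_rules | "$IPT_RESTORE"; then
        "$IPT_RESTORE" < "$backup"; rm -f "$backup"; return 1
    fi
    waited=0
    while [ ! -e "$confirm" ] && [ "$waited" -lt "$ROLLBACK_SECS" ]; do
        sleep 1; waited=$((waited + 1))
    done
    if [ -e "$confirm" ]; then rm -f "$confirm" "$backup"; return 0; fi
    "$IPT_RESTORE" < "$backup"; rm -f "$backup"; return 1
}
```

Once the candidate survives the window, persist it with `/etc/init.d/iptables save` as in the quoted procedure.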