Iptables - help

Post by jhar » Thu, 22 May 2003 16:48:12

Hi, I am new to Linux and am having trouble setting up my iptables.

I want to host my own web server and mail server.

I would like to know what changes need to be made to iptables to allow
web and mail to come through.  The reason why I think it is my
firewall is because I can send mail out but I cannot receive mail.  I
can view the web and I can view my web page locally but I cannot
access it from the internet.

This is what I have added to iptables by typing from a terminal
session:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT

Do I need to add anything else?

I have an ADSL router which has an internal IP address and an external
IP address allocated to it by the ISP.  Then my server runs off the
switch and is not directly attached to the router.

Do I need to add the following lines?

"iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to
internal ip address" and do the same for port 25?

How do I get the external IP address to be forwarded to the router and
then to the internal IP address of my machine?

I have a Dynalink ADSL router, one port.  I have added the following
NAT commands to open up ports 80 and 25: "inbound add 80/tcp internal
ip address - add a rule" and "inbound add 25/tcp internal ip address -
add a rule".

Any ideas, anyone?

Iptables - help

Post by Durk van Vee » Fri, 23 May 2003 12:36:22

> This is what I have added to iptables by typing from a terminal
> session:

> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
[snip]
> I have an ADSL router which has an internal IP address and an external
> IP address allocated to it by the ISP.  Then my server runs off the
> switch and is not directly attached to the router.

No, you don't need to add any PREROUTING rules. The problem is that because
your server is not hooked up directly to the internet, you'll need to enable
port forwarding on the router itself, not the server. So your iptables rules
that you outlined above for the INPUT chain will work quite well for
accepting incoming HTTP and SMTP connections. However, no packets can ever
reach the interface on your server because the ADSL router doesn't know what
to do with them. Unfortunately the setup for port forwarding on these
hardware routers is different depending on the specific brand and model that
you have, so you'll have to experiment and read the manual. You're well on
your way, though, to getting this set up.

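The two set-ups this reply distinguishes, as an added shell example that is not part of the thread or any poster's configuration. `server_rules` is what a host behind a hardware ADSL router needs: only the INPUT chain, with the default-deny policy and the ESTABLISHED,RELATED rule that the two posted `--dport 80` / `--dport 25` lines leave implicit, so the rules stay correct if the INPUT policy is DROP. `router_rules` is the case the PREROUTING/DNAT line from the first post would fit, where the Linux box itself holds the public address: DNAT in PREROUTING, a matching FORWARD accept, and IP forwarding switched on. The interface names eth0/eth1 and the address 192.168.1.10 are placeholders; the script prints the commands (`IPT="echo iptables"`) unless you set `IPT=iptables` and run it as root.

```shell
#!/bin/sh
# Added example, not from the original thread. Dry-run by default: with
# IPT="echo iptables" the commands are printed rather than loaded.
# WAN_IF, LAN_IF and SERVER_IP are assumed placeholder values.
set -eu

IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
WAN_IF="${WAN_IF:-eth0}"                 # interface facing the ISP (assumption)
LAN_IF="${LAN_IF:-eth1}"                 # interface facing the switch (assumption)
SERVER_IP="${SERVER_IP:-192.168.1.10}"   # web/mail host on the LAN (assumption)

# Case 1: this Linux host is the web/mail server and sits behind a hardware
# ADSL router that does the port forwarding. Only INPUT matters here; nothing
# in nat/PREROUTING or FORWARD is involved.
server_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP                   # default deny, explicit accepts below
    $IPT -A INPUT -i lo -j ACCEPT        # loopback traffic
    # replies to connections this host opened itself (outbound mail, browsing)
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the two published services; NEW only, the rule above covers the rest
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
}

# Case 2: this Linux host IS the router (public address on WAN_IF) and the
# server is on the LAN. Now the kernel must route, the destination must be
# rewritten before routing (PREROUTING/DNAT), and the forwarded packet must
# be accepted in FORWARD; an INPUT rule alone would never see it.
router_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 80 25; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$SERVER_IP:$port"
        $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER_IP" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    # let LAN hosts reach the internet through the router's public address
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    server) server_rules ;;
    router) router_rules ;;
    "") ;;   # no argument: only define the functions (e.g. when sourced)
    *) echo "usage: $0 server|router" >&2; exit 2 ;;
esac
```

Run `sh fw.sh server` to see what the server-side ruleset would load, or `IPT=iptables sh fw.sh server` as root to apply it. Neither ruleset helps if the daemon listens only on 127.0.0.1: the listening address shown by `netstat -ltn` (or `ss -ltn` on newer systems) must be the LAN address or 0.0.0.0 before any forwarding can reach it.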

Iptables - help

Post by Andrew Heco » Fri, 23 May 2003 13:16:03

After watching wayyyy too many movies as a child, jhardy finally blurted:

> Hi, I am new to Linux and am having trouble setting up my iptables.

> I want to host my own web server and mail server.

> I would like to know what changes need to be made to iptables to allow
> web and mail to come through.  The reason why I think it is my
> firewall is because I can send mail out but I cannot receive mail.  I
> can view the web and I can view my web page locally but I cannot
> access it from the internet.

> This is what I have added to iptables by typing from a terminal
> session:

> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT

> Do I need to add anything else?

To be clear, what do you mean by "you aren't receiving mail"? As in, you are
trying to download mail from some other server (a la POP3), or that when
MTAs try to transfer a message to your system they are being denied
access?

Iptables - help

Post by Lui » Fri, 23 May 2003 18:22:05

> After watching wayyyy too many movies as a child, jhardy finally blurted:

> > Hi, I am new to Linux and am having trouble setting up my iptables.

> > I want to host my own web server and mail server.

> > I would like to know what changes need to be made to iptables to allow
> > web and mail to come through.  The reason why I think it is my
> > firewall is because I can send mail out but I cannot receive mail.  I
> > can view the web and I can view my web page locally but I cannot
> > access it from the internet.

> > This is what I have added to iptables by typing from a terminal
> > session:

> > iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> > iptables -A INPUT -p tcp --dport 25 -j ACCEPT

> > Do I need to add anything else?

> To be clear, what do you mean by "you aren't receiving mail"? As in, you are
> trying to download mail from some other server (a la POP3), or that when
> MTAs try to transfer a message to your system they are being denied
> access?

What I mean is that when I send a message out to someone and they hit
reply, they get an unknown host error.

Iptables - help

Post by Lui » Fri, 23 May 2003 18:31:40

> > This is what I have added to iptables by typing from a terminal
> > session:

> > iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> > iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>  [snip]
> > I have an ADSL router which has an internal IP address and an external
> > IP address allocated to it by the ISP.  Then my server runs off the
> > switch and is not directly attached to the router.

> No, you don't need to add any PREROUTING rules. The problem is that because
> your server is not hooked up directly to the internet, you'll need to enable
> port forwarding on the router itself, not the server. So your iptables rules
> that you outlined above for the INPUT chain will work quite well for
> accepting incoming HTTP and SMTP connections. However, no packets can ever
> reach the interface on your server because the ADSL router doesn't know what
> to do with them. Unfortunately the setup for port forwarding on these
> hardware routers is different depending on the specific brand and model that
> you have, so you'll have to experiment and read the manual. You're well on
> your way, though, to getting this set up.

Thanks.

I am using a Dynalink RTA020 one-port modem/router and I have
configured it to allow all traffic on port 80 and port 25 to go to my
server IP address.  I did this by telnetting to the modem and using nat
and typing "inbound add 80/tcp myserveripaddress - add a rule" and
did the same for port 25.  So, it still does not work.  Any other
ideas?  This then shows up in the virtualhosts area of the router.  Not
sure which part of the router I need to configure.  Any ideas?