Hi all

I am a total newbie to Linux. I have a private LAN of wintel boxes which include a win2k server and I am setting up a Linux box running rh7.3 as a firewall. In additon, I'm connecting to the internet with a Cisco 678 DSL Router/modem, which has NAT enabled. I have a semi strong rule set using iptables, ip masquerade and port forwarding to have the firewall. It works great, and the wintel boxes can hit the Internet no problem. However, no one can hit the win2k web server from the outside. I have the private network set up on the 10.0.0.0/255.0.0.0 scenario. We have a static IP which resolves to the wan interface on the Cisco Router. The eth0 interface on the Cisco router is 10.0.0.1. I have the following script to allow users to hit the web server:

PORTFWIP="10.0.0.23" (webserver)
EXTIP="206.78.77.23"

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 -j DNAT --to $PORTFWIP: 80

What am I doing wrong?

TIA

Roger

Since this thread has set here for over a day and hasn't gotten a response, I'll put my 2 cents worth in just to be sure you haven't overlooked the obvious.

Have you set up the Cisco router to forward all incoming traffic on TCP port 80 to the IP address of your Win2k server? Since all internal addresses are on the 10 network, users can't reach your server directly from the Internet. Your router needs to know where to send all incoming http traffic.

Thank you for a reply. It's discouraging not getting any responses, perhaps my question is not clear.

You make a good point, and that may be part of the trouble. I have tried several ways, but it doesn't seem to work. I have the Cisco router forwarding all traffic that hits the external static IP on port 80 to the ip address of the server (10.0.0.23) on port 80. I've also tried routing it to port 80 on eth0 (10.0.0.10) and eth1 (10.0.0.11), and then forwarding it to the server,but to no avail. Without the Linux box it works great, but with it, it doesn't. What am I missing here? I really need some help because I'm losing credibility, and I would really like to win over the guys, so they can see the value of Linux, and that M$ doesn't have all the answers. In addition, I would really like to expand my repertoire of Linux tricks to employ in my solutions for customers, but I need to get past this sticking point. I've been scanning posts and websites, but haven't found one addressing this question of having a semi intelligent router and a Linux firewall, although I know people must have done. Linux gurus, I need you! Please help!

It looks like you may have a routing issue. If you are using 255.0.0.0 as the netmask for all of your internal computers, then when the Cisco router tries to send the http traffic to 10.0.0.23, it's not going to go through your Linux router. It will recoginze 10.0.0.23 as being on it's local network and just arp for 10.0.0.23 on its ethernet interface. It obviously will never receive a response.
That's why it works when you attach the server directly to the Cisco router. It can then receive and reply to the arp request.

I don't think forwarding the http traffic to 10.0.0.10 or 11 will help either.

If you want to stick to all 10 net addresses, you need to do some subnetting on your network. Change your netmask to 255.255.255.0 and make the ethernet NIC that's attached to the Win2k server to the 10.0.1.0 network and change all the workstations to match. Some combination like that.
Or you could change that NIC to a 192.168.x.x network.

I think you need to get routing involved on your Linux machine for it to work. Even with it routing, you should still be able to use iptables to limit all traffic coming in from the Internet to http traffic.

I'm not that familiar with iptables so I could be wrong about that. But I do know routing and I can see the need for subnetting.

That makes sense, but then how do I route the Linux box across networks (supposing I use the 196.168.x.x for my LAN)?
Would I still forward all traffic on port 80 to the web server? Forgive me if I seem dense, but I'm learning this on my own, and I know there are some key concepts I'm missing. In other words, what's the routing I need to do on the Linux box?

I guess there's just too much about iptables that I don't understand.

I assumed to be able to use iptables, a Linux box would have to be routing. However, since both of your Ethernet NICs are on the same IP subnet, there is no routing going on. But, you say you are using iptables to forward traffic from your Windows machines, through your Linux box and on to the Internet. Obviously routing isn't a requirememt.

If you divide your network into different subnets so you can do routing, you'll need to be able to set up at least a static route on the Cisco for your internal subnets that differ from the subnet the Ethernet interface is on. You could also set up a default gateway on it too if it supports it.

Before I lead you astray and really complicate (a.k.a screw up) your network, I'm going to do some reading on iptables. Maybe someone else will see this post that is more familiar with iptables and see a quick solution. It may be a matter of some minor adjustments to your script and you'll be up and running.

Since you are using your Linux box as a firewall now, how about posting whatever script you are running to set up iptables to allow your Windows machines to get to the Internet. It would sure be helpful.

After reading through some iptables literature I can definitely see some problems with your script.
The first line in your script should have worked OK to forward http traffic through your Linux box. That's assuming of course that it can resolve $EXTIF and $INTIF to proper values. Unless that is part of a larger script, then those would have to be environment variables.
The logic in your second line doesn't fly. It looks like that one is saying that any traffic destined for 206.78.77.23 should be redirected to 10.0.0.23 and change the source IP address to the IP address of the interface it is transmitted on. That looks more like a rule that would go on your Cisco router, not your Linux box.

Here's what I'd try. Set up your Cisco router to forward all tcp port 80 traffic to the Ethernet NIC on the Linux box that faces the Cisco router. It looks like that would be 10.0.0.10 but you've never really said. I'll assume that eth0 faces the Cisco router.

Then on the Linux box, try this iptables line:

iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.0.0.23


I set up a test here at home with a Win2k server running IIS on one side of a Linux router. The other side of the router was connected to my normal home network. Both NICs were on different subnets so the Linux box was routing.
With that command, I was able to redirect all http traffic that was directed toward the IP address of the NIC on my Linux server that faced my home network to my Win2k server on the other side of the Linux box. It worked without problems.

One problem I can see with this is since your Linux box isn't actually routing. It will have to make a determination where 10.0.0.23 is. It would normally check its routing table for a route to the 10.0.0.0 network. But, since both of your NICs are on the 10.0.0.0 network, it may not work. Since the packets are coming in on eth0, it may just arp on eth1 because it's a different interface. That would make it work.

If that works, then that would accomplish your goal with a minimum of fuss or change on your network. If it doesn't, then you may need to do some routing on your network.

Personally, I think a router should route. And, you shouldn't do double NAT. In your case, both your Cisco router and the Linux router are doing NAT. I think thats a lot of wasted time and could affect network performance. Especially if you have a lot of web traffic coming into your network.

It would be interesting to have someone else comment on this.

You're right, eth0 faces the router. I think you're right that double NAT may not work. I attached the script I'm working with all of the comments. Let me know if you can open it. In the meantime, I'm going to try out a simpler script with the command you've suggested. Thx!

I see you got that script from one of the same sources I was reading yesterday. It seems like a pretty good script. You saved me a lot of work. Now I don't have to type it in!

You should never see a packet come in to your internal network with a destination IP address of 206.78.77.23. If your Cisco router forwards the packets to 10.0.0.10, the destination IP address of the packet will be changed to 10.0.0.10. The source IP address on the packet will remain the same(an address from the Internet) unless the Cisco router is also doing NAT on the incoming traffic.
I don't think setting up an iptables rule with a -d 206.78.77.23 will ever be used. That's why I specified in my rule that all incoming tcp port 80 traffic coming in on eth0 should be forwarded to 10.0.0.23.

Double NAT will work. It looks to me like you are using it now. I've also had threads with other guys who are using it.
I just think it can have an affect on network performance. Especially a network with lots of traffic. That just makes a whole lot more work for your Linux machine to do that is unnecessary.

Some time's it's unavoidable if you want to run a firewall on a Linux box. If you are not able to set static routes on your Cisco router so it could send traffic to multiple internal subnets, one option would be to run NAT on the Linux firewall. One command in your firewall script could set up masquerading and traffic would flow.
In that case I would prefer to use proxy arp. It's a whole lot less work for your Linux box to perform. But it's a little more complicated to set up than one line in the firewall script so some guys avoid it.

For a small home network, double NAT should be fine. For a network that's serving up web pages to the Internet, I think there's a better way.

I think it is a really good script, and once I understand a little more about routing, I'll be fine. I'm going to play with it a little more when I go over to my client's place tomorrow night. I'm going to set up the LAN on a different network (192.168.x.x) and tweak my rules and see how that works. ;) I'll keep you posted!

Thanks. I'd appreciate that.

Apologies to being a buttinski...but...

Everything I have read regarding the cisco DSL routers is that basically it's more trouble than it's worth to run any of this on the router. Let the parts do what they do best. Use the 678 for your ISP connection, and run EVERYTHING else from your linux box. I think you will find that this simplifies the situation greatly and allows people help you better because you are in a well known area.

What I would conclude from the evidence is a few things:
1. Using the cisco as a router is feature poor
2. Using the cisco as a router is administratively complex
3. Using the cisco as a router is insecure, both from a DoS and Hacking standpoint.

It also can be inferred from the lack of information dealing with this subject that not many people choose to do it this way, and the info I do see is invariably littered with multiple issues.

However, as a DSL modem (well, they don't really modulate/demodulate, but you get the picture) they seem to be *very* linux friendly, are well documented, and easily configured as such from a telnet prompt.

Once the connection gets to your box, there's really no reason to use the router unless you have a larger number of systems and what would be simplest is to still avoid using the routing capability of the 678 and buy a 10/100 switch to run the rest of your systems from that connection. They're like 40 bucks for a 5 port switch.

If you have a great number of boxes that are going to be concurrently acessing the internet, you need to get a real connection to the net, real networking hardware, or both.

There's lots of advantages to using the linux box in this method and no advantage at all to using the cisco to perform those functions. You're basically having to configure all the same junk twice. I think that this is also not really a big concern of cisco how good the stuff works because so few people use it anyhow, so you may run into even more problems in the long-run.

There are reams of how-to guides on setting this sort of stuff up, poke around a bit at the linux documentation project and google "linux routers" and you'll likely get a slew of stuff, ready made, in the form of freeBSD, floppy based routers, secure gateways, etc, etc, ad infinium, ad nauseum.

Remember, your system is only as strong as the weakest link.

HTH

-rust

PS If you're concerned about performance, remember that most home DSL connections around top out at 1.5Mbps (qwest offers SoHo connects up to 7Mbps which for ISP/DSL run about $1500 a month!) and ATT throttled everyone down to 1.5Mbps down from 3Mbps max when they switched everyone over to attbi, and your NIC cards run at 10/100Mbps on your internal network. We have a couple of T1 that connect us with the net and it still takes me a while to get downloads...internally shipping files on the network, workstation to workstation, is much faster, and only limited if you run into a portion of the network that is still running a 10Mbps connection, which a quick call to IT clears up because they're trying to get all the old network components out of there.

Internally, even older PC will ship data way faster than most lower end networking hardware. To get real performance out of a network, you need the gnar gear, which is gonna cost ya...a bunch.

I appreciate your input nutskill.

I'm not familiar with the Cisco 678. From your message, it looks like it could be used as just a "modem" and let the Linux box do all the routing, firewall and NAT work.

If it were possible to assign the IP address of 206.78.77.23 directly to a NIC on the Linux server that would be the ultimate. Just let the Linux box do all the work.


Would that be possible or is there still a need to do some type of address translation on the Cisco box to get the traffic onto the local network?

It's a routing thing, eth0 10.0.0.10 and eth1 10.0.0.11 are both on the same network.

---quote------
Since the packets are coming in on eth0, it may just arp on eth1 because it's a different interface.
----------------
correct, but there is a workaround, try:

route del -net 10.0.0.0/8 dev eth0
route add -host 10.0.0.1 dev eth0

That 'should' set up the correct routing, it has a route to the gateway, and to the rest of the lan but without seeing a route -n.....

----quote------
I don't think setting up an iptables rule with a -d 206.78.77.23 will ever be used.
------------------
correct, change EXTIP="206.43.25.96" to "10.0.0.10"

Make sure the other server is using 10.0.0.11 as the gateway

----quote----
I'm going to set up the LAN on a different network (192.168.x.x)
---------------
That should correct the problem also, just make sure the other server is using the internal interface's ip as the gateway.....

Thanks guys! I'm 100 percent with you, especially since the Cisco 678 will no longer be supported after 2003 or 4. The trouble I have is if I turn off NAT, it assigns the eth0 interface (on the Cisco), the static public IP of 206.25.43.17 (it's a made up IP, not my real one, of course). It has an wan0 interface and an eth0 interface on it. If NAT is turned on, then it has the static public IP on wan0 and the private IP of 10.0.0.1 on eth0.

This is where once again I show my ignorance, but can I just set the eth0 interface on the Cisco to nothing perhaps, or just bring it down? I might have to check to see if somehow I can assign the static ip to the eth0 on the Linux box, but I don't see how to do that. Anyway, I'm learning a lot, and your posts are very helpful.

If there is a RJ45 plug coming from the isp, get rid of the cisco....

If only.......*sigh*, I know I could make my own, but that would be better left to another day.

WOO HOO! WE DID IT! :cool: Linux Rocks and so do you guys! Thank you very much for the help.
It was as you said, I needed to have the Cisco router forward packets coming to the external static IP to the eth0 on the Linux box, then I needed the eth1 and the rest of the private LAN (including the Win2k box) on another subnet (255.255.255.0) with a 10.0.1.0 scheme. I forwarded the packets from eth0 to the internal address of the web server on port 80, and voila! I'm hitting the web server, and everyone on the lan is hitting the web. :p

OUTSTANDING!! Glad it worked out.

This thread has sure been a learning experience for me. It has finally gotten me off of my hind end and I started to learn something about iptables.

Would you mind posting your iptables script here? You only need to post the part that lists the actual rules you defined, not the part that loads all the modules.
I'm interested in seeing what you did to get the internal users out to the web.

How just change eth0 to your external ip, and dump the cisco...

It's not quite that easy jumped, because since it is a DSL connection, it brings in the phone service as well as the Internet, so I would have to figure out how to separate out that as well as convert it to the rj45 type of connection as well as configure it to authenticate on their network. Not real difficult, but my client has other fish to fry at the moment, such as setting up the Linux box as a mail server to capture the mail sent to the win2k box -- hmm, I sense another thread coming.

Cowanrl, here is my script that you asked for:

#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP
#
echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F


echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "Enabling PORTFW Redirection on the external LAN.."
#
# This will forward ALL port 80 traffic from the external IP address
# to port 80 on the 10.0.1.23 machine
# Be SURE that when you add these new rules to your rc.firewall, you
# add them before a direct or implict DROP or REJECT.
#

PORTFWIP="10.0.1.23"
EXTIP="10.0.0.10"

$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 80 \
-m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.0.1.23

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 \
-j DNAT --to $PORTFWIP:80

$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 80 \
-m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.0.1.23


echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

(where EXTIF is eth0 facing the router and INTIF is facing the LAN.)

IPTABLES ROCK! They are much better than ipchains.
:p

Got it. Thanks!

Ah, I see. Well I'm glab it worked out for you.... :D