Redirect problem with iptables and port forwarding (Linux Networking forum, Linux Forums)
Hi,

here is the network configuration of my firewall:

eth1 = connected to the internet
eth0 = connected to my internal lan

On the internal lan, I have a web server, so I do port forwarding on the firewall to forward all the connections coming to port 80 to the port 80 of the web server. I am running debian unstable, with kernel 2.4.18 and iptables 1.2.6a.

My problem is the following: I can access my web server from the internet without any problem, so the port forwarding on that side works well, but if I try, from any server on the internal lan, to do `links http://<external IP>`, then I get a connection refused. I have looked at various mailing lists and done quite a few searches on the web and google, but I don't seem to find anything. Any ideas?

Here is my firewall script:

```sh
#!/bin/sh
echo -e "\n\nLoading simple rc.firewall ..\n"
iptables=/sbin/iptables
extif=eth1
# Public address of eth1, parsed from the "inet addr:x.x.x.x" line of old-style ifconfig output
extip=`ifconfig ${extif} |grep inet |awk '{print $2}' |cut -d: -f2`
intif=eth0
intip=192.168.1.1
intnet=192.168.1.0/24
websrvip=192.168.1.13
universe="0/0"
echo -e "\tExternal Interface: ${extif}\n"
echo -e "\tInternal Interface: ${intif}\n"
echo -e "\tEnabling forwarding .."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo -e "\tClearing any existing rules and setting default policy .."
$iptables -P INPUT DROP
$iptables -F INPUT
$iptables -P OUTPUT DROP
$iptables -F OUTPUT
$iptables -P FORWARD DROP
$iptables -F FORWARD
$iptables -t nat -F
# The user chains do not exist yet on the first run; ignore the resulting errors
$iptables -F input-and-log-it 2>/dev/null
$iptables -F output-and-log-it 2>/dev/null
$iptables -F forward-and-log-it 2>/dev/null
$iptables -X
$iptables -Z
echo -e "\tCreating an INPUT DROP chain .."
$iptables -N input-and-log-it
$iptables -A input-and-log-it -j LOG --log-level 6 --log-prefix "Input Chain: "
$iptables -A input-and-log-it -p tcp -j REJECT --reject-with tcp-reset
$iptables -A input-and-log-it -p udp -j REJECT --reject-with icmp-host-unreachable
echo -e "\tLoading INPUT ruleset .."
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A INPUT -i ${intif} -s ${intnet} -j ACCEPT
$iptables -A INPUT -i ${extif} -p ICMP -d ${extip} -j ACCEPT
# Anti-spoofing: internal addresses must never arrive on the external interface
$iptables -A INPUT -i ${extif} -s ${intnet} -j input-and-log-it
$iptables -A INPUT -i ${extif} -d ${extip} -m state --state ESTABLISHED -j ACCEPT
$iptables -A INPUT -i ${extif} -d ${extip} -p TCP --dport 80 -j ACCEPT
$iptables -A INPUT -i ${extif} -d ${extip} -p TCP --dport 21 -j ACCEPT
$iptables -A INPUT -s ${universe} -d ${universe} -j input-and-log-it
echo -e "\tCreating an OUTPUT DROP chain .."
$iptables -N output-and-log-it
$iptables -A output-and-log-it -j LOG --log-level 6 --log-prefix "OUTPUT Chain: "
$iptables -A output-and-log-it -p tcp -j REJECT --reject-with tcp-reset
$iptables -A output-and-log-it -p udp -j REJECT --reject-with icmp-host-unreachable
echo -e "\tLoading OUTPUT ruleset .."
$iptables -A OUTPUT -o lo -j ACCEPT
$iptables -A OUTPUT -o ${intif} -s ${extip} -d ${intnet} -j ACCEPT
$iptables -A OUTPUT -o ${intif} -s ${intip} -j ACCEPT
$iptables -A OUTPUT -o ${extif} -d ${intnet} -j output-and-log-it
$iptables -A OUTPUT -o ${extif} -s ${extip} -j ACCEPT
$iptables -A OUTPUT -s ${universe} -d ${universe} -j output-and-log-it
echo -e "\tCreating a FORWARD DROP chain .."
$iptables -N forward-and-log-it
$iptables -A forward-and-log-it -j LOG --log-level 6 --log-prefix "FORWARD Chain: "
$iptables -A forward-and-log-it -p tcp -j REJECT --reject-with tcp-reset
$iptables -A forward-and-log-it -p udp -j REJECT --reject-with icmp-host-unreachable
echo -e "\tLoading FORWARD ruleset .."
echo -e "\t\tFWD: Allow all connections OUT and only existing/related IN"
$iptables -A FORWARD -i ${extif} -o ${intif} -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i ${intif} -o ${extif} -j ACCEPT
# Let the DNATed web traffic through to the internal server
$iptables -A FORWARD -i ${extif} -o ${intif} -p tcp -d ${websrvip} --dport 80 -j ACCEPT
echo -e "\t\tNAT: Enabling SNAT (MASQUERADE) functionality on ${extif}"
$iptables -t nat -A POSTROUTING -o ${extif} -j SNAT --to ${extip}
# Port forwarding: only packets arriving on the external interface are translated
$iptables -t nat -A PREROUTING -i ${extif} -p tcp --dport 80 -j DNAT --to ${websrvip}:80
$iptables -t nat -A PREROUTING -i ${extif} -p tcp --dport 21 -j DNAT --to ${websrvip}:21
$iptables -A FORWARD -j forward-and-log-it
echo -e "\nrc.firewall loaded.\n"
```

Thanks a lot in advance for your help,
Bertrand.
On Wed, 22 Oct 2003 19:52:18 -0700, Bertrand Sirodot wrote:
> Hi,
>
> here is the network configuration of my firewall:
> eth1 = connected to the internet
> eth0 = connected to my internal lan
>
> On the internal lan, I have a web server, so I do port forwarding on
> the firewall to forward all the connections coming to port 80 to the
> port 80 of the web server.
> I am running debian unstable, with kernel 2.4.18 and iptables 1.2.6a.
>
> My problem is the following: I can access my web server from the
> internet without any problem, so the port forwarding on that side
> works well, but if I try, from any server on the internal lan, to do
> links http://<external IP> , then I get a connection refused. I have
> looked at various mailing lists and done quite a few searches on the
> web and google, but I don't seem to find anything.

When you connect from an internal machine to the server, the packet gets routed to the firewall machine and it forwards the packet to the server. The server responds directly to the internal machine using its internal IP. The problem is that the reply packet's source address is different from the request packet's destination address.

Ugly hack to fix it:

Server:

```sh
ifconfig eth0:1 EXTERNAL_IP
route del -net EXTERNAL_NET netmask 255.255.255.0 eth0
```

Client:

```sh
route add -host EXTERNAL_IP eth0
```

I assumed that you have only one NIC in the server and the client. If you do this, all packets the client sends to EXTERNAL_IP get routed to the server.

-- Jari Laurila
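An added example (not the poster's script and not Jari's hack) of the firewall-side fix, usually called hairpin or loopback NAT, for the setup in this thread. The posted DNAT rule only matches `-i eth1`, so a LAN client's request for the external address is never translated and is delivered to the firewall's own port 80, and once it is translated the reply path Jari describes still has to be forced back through the firewall; the variable names mirror the posted script, the public address is a constructed placeholder, and `run`/`DRYRUN` are assumed helpers for reviewing the rules on a host without iptables.

```shell
#!/bin/sh
# Added example: hairpin NAT rules so LAN hosts can reach the web server via the
# firewall's external address. Variable names mirror the posted script; the
# public address is a constructed placeholder, not a value from the thread.
IPT=${IPT:-/sbin/iptables}
INTIF=${INTIF:-eth0}
EXTIP=${EXTIP:-203.0.113.10}          # constructed placeholder for the public IP
INTNET=${INTNET:-192.168.1.0/24}
WEBSRVIP=${WEBSRVIP:-192.168.1.13}

# run: execute the rule, or only print it when DRYRUN=1 so the generated rules
# can be reviewed on a host without iptables (assumed helper, not part of iptables).
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

hairpin_rules() {
    # 1. Also translate LAN requests for EXTIP:80. The posted DNAT rule matches
    #    only -i eth1, so a LAN client's SYN otherwise lands in the firewall's
    #    INPUT chain, where nothing listens on port 80.
    run "$IPT" -t nat -A PREROUTING -i "$INTIF" -s "$INTNET" -d "$EXTIP" \
        -p tcp --dport 80 -j DNAT --to-destination "$WEBSRVIP:80"
    # 2. Rewrite the source to the firewall's LAN address so the server replies
    #    to the firewall, which reverses both translations, instead of replying
    #    to the client directly from an address the client never connected to.
    #    Caveat: the server's logs then show the firewall's LAN address for every
    #    hairpinned client, not the real client.
    run "$IPT" -t nat -A POSTROUTING -o "$INTIF" -s "$INTNET" -d "$WEBSRVIP" \
        -p tcp --dport 80 -j MASQUERADE
    # 3. A hairpinned flow enters and leaves on eth0; the posted FORWARD chain
    #    only accepts eth0->eth1 and eth1->eth0. Use -I so these land ahead of
    #    the script's catch-all "-A FORWARD -j forward-and-log-it" reject rule.
    run "$IPT" -I FORWARD -i "$INTIF" -o "$INTIF" -d "$WEBSRVIP" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run "$IPT" -I FORWARD -i "$INTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: DRYRUN=1 sh hairpin.sh apply (review)  |  sh hairpin.sh apply (load)
if [ "${1:-}" = apply ]; then
    hairpin_rules
fi
```

Because the posted rc.firewall flushes the nat table and the FORWARD chain on every run, these rules have to be loaded after it each time.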