* Public Webserver behind IPtables Router
@ 2003-07-18 21:41 thomas krause
  2003-07-18 21:50 ` Eric Leblond
  0 siblings, 1 reply; 2+ messages in thread
From: thomas krause @ 2003-07-18 21:41 UTC (permalink / raw)
  To: netfilter


Hello, I tried to set up an IPTables Router for my Webserver. All hosts have an official IP address. The eth0 of the Router is in a separate net.

The config on the Router is like this:


---------<Router>----------------------<WEBServer>
eth0               eth1                  eth0




# Allow ssh ( 0.0.0.0/0 is replaced by my own client IP )
iptables -P INCOMING DROP
iptables -A INCOMING -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT


iptables -P FORWARD DROP
iptables -A FORWARD -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT

iptables -P OUTPUT ALLOW


Will this work? O.K., I am a newbie but I will learn!


Kind regards, Thomas




* Re: Public Webserver behind IPtables Router
  2003-07-18 21:41 Public Webserver behind IPtables Router thomas krause
@ 2003-07-18 21:50 ` Eric Leblond
  0 siblings, 0 replies; 2+ messages in thread
From: Eric Leblond @ 2003-07-18 21:50 UTC (permalink / raw)
  To: netfilter


On Fri 18/07/2003 at 23:41, thomas krause wrote:
> Hello, I tried to set up an IPTables Router for my Webserver. All
> hosts have an official IP address. The eth0 of the Router is in
> iptables -P FORWARD DROP
> iptables -A FORWARD -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT
>  
> iptables -P OUTPUT ALLOW
>  
> Will this work? O.K., I am a newbie but I will learn!

No, you just authorize packets to port 80, and what happens to the return
packets? To have this working you have to add a rule using STATE, i.e.
accept all packets of the connection (and in particular the response
packets):
	iptables -P FORWARD DROP
	iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
	iptables -A FORWARD -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT
BR,
 
-- 
Eric Leblond <eric@regit.org>
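
The fix from the reply placed in a complete router ruleset, as an added example that is not part of either message. The addresses are constructed placeholders; the `-i`/`-o`/`-d` restrictions, the state rule on the router's own INPUT chain and the dry-run helper `ipt` are assumptions of this example. It uses the built-in chain name INPUT and the target ACCEPT where the original post has INCOMING and ALLOW.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses are constructed placeholders
# (documentation ranges); interface names follow the diagram in the first post.
WEB_IP="${WEB_IP:-203.0.113.10}"      # assumed web server address
ADMIN_IP="${ADMIN_IP:-198.51.100.7}"  # assumed admin client address
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands, 0 = run them (root)

# Hypothetical helper: print or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

router_rules() {
    # Forwarding itself must also be on: sysctl -w net.ipv4.ip_forward=1
    # Start from empty chains so a re-run does not stack duplicate rules.
    ipt -F INPUT
    ipt -F FORWARD
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Router itself: loopback, replies to connections the router opened
    # (the same return-packet problem as in FORWARD), ssh from the admin only.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED -j ACCEPT
    ipt -A INPUT -s "$ADMIN_IP" -p tcp --dport 22 -j ACCEPT

    # Forwarded traffic: packets of already-accepted connections first, which
    # is what lets the web server's replies back out through the DROP policy,
    # then new connections to port 80 on the web server only.
    # (Newer iptables releases spell the match -m conntrack --ctstate.)
    ipt -A FORWARD -m state --state ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i eth0 -o eth1 -d "$WEB_IP" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
}

router_rules
```

With the default `DRY_RUN=1` the script only prints the commands for review; set `DRY_RUN=0` and run it as root to load them.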
