View Full Version : [ubuntu] IPTables routing issue for webserver behind gateway

March 1st, 2010, 12:06 AM
Hi all,

It has been a while since I looked at IPtables and I seem to be worse than before as I can not seem to get my webserver online. Below is my firewall rules on the gateway server that is running the dhcp server accessing the net. The webserver is inside my network on a static IP (, default port). When I use Nmap or GRC.com I see that port 80 is open but when I browse to it it always fails with a connection error, (nmap will not also connect and figure out what the web server is).

If can nmap the webserver and browse to it just fine via same IP inside my network. The issue seems to be that the gateway server can not ping the webserver.

my gateway server is connected to a router that goes off to my home pc and a ESXi server with a couple of VM web Servers running on them.

The gateway server can ping the home PC but not the webserver. The home pc can connect to them all. The webserver can connect to the web just fine and ping all machines.

I do not understand why the gateway server can not route to the webserver, but can to everything else.



load () {

$depmod -a

$modprobe ip_tables
$modprobe ip_conntrack
$modprobe ip_conntrack_ftp
$modprobe ip_conntrack_irc
$modprobe iptable_nat
$modprobe ip_nat_ftp

echo "enable forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "enable dynamic addr"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# start firewall

# default policies
$iptables -P INPUT DROP
$iptables -F INPUT
$iptables -P OUTPUT DROP
$iptables -F OUTPUT
$iptables -P FORWARD DROP
$iptables -F FORWARD
$iptables -t nat -F

echo " Opening loopback interface for socket based services."
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

echo " Allow all connections OUT and only existing and related ones IN"
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o $EXTIF -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$iptables -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A OUTPUT -o $INTIF -j ACCEPT

echo " Allowing packets with ICMP data (i.e. ping)."
$iptables -A INPUT -p icmp -j ACCEPT
$iptables -A OUTPUT -p icmp -j ACCEPT

$iptables -A INPUT -p udp -i $INTIF --dport 67 -m state --state NEW -j ACCEPT

echo " Port 137 is for NetBIOS."
$iptables -A INPUT -i $INTIF -p udp --dport 137 -j ACCEPT
$iptables -A OUTPUT -o $INTIF -p udp --dport 137 -j ACCEPT

echo " Opening port 53 for DNS queries."
$iptables -A INPUT -p udp -i $EXTIF --sport 53 -j ACCEPT

#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

echo " opening Apache webserver"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 80 -j DNAT --to
$iptables -A FORWARD -p tcp -m state --state NEW -d --dport 80 -j ACCEPT

# this is designed to stop brute force attacks
$iptables -I INPUT -p TCP -m state --state NEW -m limit --limit 6/minute --limit-burst 5 -j ACCEPT


flush () {

echo "flushing rules..." $iptables -P FORWARD ACCEPT
$iptables -F INPUT
$iptables -P INPUT ACCEPT
echo "rules flushed"


case "$1" in

echo "usage: start|stop|restart."

exit 0

route info:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
5e0412a6.bb.sky * UH 0 0 0 eth2 * U 0 0 0 eth1
default 5e0412a6.bb.sky UG 100 0 0 eth2


eth1 Link encap:Ethernet HWaddr 00:22:b0:cf:4a:1c
inet addr: Bcast: Mask:
inet6 addr: fe80::222:b0ff:fecf:4a1c/64 Scope:Link
RX packets:79023 errors:0 dropped:0 overruns:0 frame:0
TX packets:57786 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11580918 (11.5 MB) TX bytes:22872030 (22.8 MB)
Interrupt:17 Base address:0x2b00

eth2 Link encap:Ethernet HWaddr 00:0c:f1:7c:45:5b
inet addr: Bcast: Mask:
inet6 addr: fe80::20c:f1ff:fe7c:455b/64 Scope:Link
RX packets:57038 errors:0 dropped:0 overruns:0 frame:0
TX packets:34532 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21631721 (21.6 MB) TX bytes:7685444 (7.6 MB)

lo Link encap:Local Loopback
inet addr: Mask:
inet6 addr: ::1/128 Scope:Host
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1517 (1.5 KB) TX bytes:1517 (1.5 KB)

I would be really grateful for any and all help with this.



March 1st, 2010, 12:21 AM
just took one of the webservers off of static and used DHCP, it got a lease from the gateway server. could ping the web but gateway server still couldn't ping its new IP address. only difference I can see in network is that it is on EXSi VM box. powered up a Ubuntu Live CD on a wireless laptop going through the same router and the server can ping that no problem.

March 1st, 2010, 12:41 AM
maybe this will help. IPtables (http://bodhizazen.net/Tutorials/iptables/).

March 2nd, 2010, 11:18 AM
thanks for the link, it definitely helped with my knowledge. Unfortunately I still can not get it to work.

I still believe it is the firewall that is stopping the requests getting through, or getting back out.

Some of the solutions I have been reading about used their public IP as the destination for outbound traffic, but I have a dynamic IP so I don't see how I can use those solutions.

I am very confused and really want to get my site back up.

Any help or suggestions would be so wonderfully received.