Hi, I'm using Debian as a router and firewall. Behind it is a switch with some computers and also a server. I've port forwarded 443. From outside it's working by going to my.dyndns.org. But inside I can't reach it by going to my.dyndns.org. Any suggestions how to fix it so I can reach it from the internal network too?

Code:
inet - debian router - switch - server 443
                         |
                      other pcs

Code:
# Always accept loopback traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forward port 443 from the outside to the internal server
/sbin/iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j DNAT --to <internalip>:443
/sbin/iptables -A FORWARD -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 443 -i eth0 -j ACCEPT

# Allow outgoing connections from the LAN side.
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Code:
# Generated by iptables-save v1.4.8 on Thu Aug 2 11:52:38 2012
*nat
:PREROUTING ACCEPT [1661480:260565312]
:POSTROUTING ACCEPT [98393:5296423]
:OUTPUT ACCEPT [116016:6782450]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination <internalip 2>:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Aug 2 11:52:38 2012
# Generated by iptables-save v1.4.8 on Thu Aug 2 11:52:38 2012
*filter
:INPUT ACCEPT [7434:1680458]
:FORWARD ACCEPT [129:7732]
:OUTPUT ACCEPT [4912:591331]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Thu Aug 2 11:52:38 2012

Code:
eth0      Link encap:Ethernet  HWaddr f0:32:g7:22:41:42
          inet addr:<publicip>  Bcast:255.255.255.255  Mask:255.255.254.0
          inet6 addr: <publicipv6>/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18564411 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5888615 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3532713735 (3.2 GiB)  TX bytes:1564479265 (1.4 GiB)
          Interrupt:18 Base address:0x6000

eth1      Link encap:Ethernet  HWaddr bc:30:5b:bd:a7:b1
          inet addr:<internalip 1>  Bcast:<internal broadcast>  Mask:255.255.255.0
          inet6 addr: fe80::be30:5bff:febd:a7b1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8539599 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6447867 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1938888934 (1.8 GiB)  TX bytes:2864233374 (2.6 GiB)
          Interrupt:16
If you request from the internal network, the packets aren't sent in via eth0. The request for port 443 enters your router, but not via eth0 but via eth1; the machine will see that the request is for itself and tries to deliver it on its own port at <internalip 1>:443. Either redirect internal requests on eth1 as well, or remove the interface restriction in your current rules. I'd just let all requests on port 443 be delivered to <internalip 2>.

edit: All the other rules are pretty useless, since your default policy is ACCEPT and you don't DROP/REJECT anything.
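Worked example, added here and not posted by anyone in the thread: the first option above (redirect on eth1 as well) written out as iptables rules, together with the SNAT that such a hairpin needs so the server's replies travel back through the router instead of straight to the client. Interface names are the thread's; every address is a placeholder standing in for <publicip>, <internalip 1> and <internalip 2>.

```shell
#!/bin/sh
# Added example: hairpin ("NAT loopback") rules for the router in this thread.
# Interfaces follow the thread (eth0 = internet, eth1 = LAN). All addresses are
# placeholders for <publicip>, <internalip 1> and <internalip 2>; replace them.
LAN_IF=eth1
LAN_NET=192.168.1.0/24      # placeholder: LAN behind eth1
ROUTER_LAN_IP=192.168.1.1   # placeholder: <internalip 1>, the router's eth1 address
SERVER_IP=192.168.1.20      # placeholder: <internalip 2>, the 443 server
PUBLIC_IP=203.0.113.5       # placeholder: <publicip>, what my.dyndns.org resolves to

# Emit the rules instead of applying them, so they can be reviewed first.
hairpin_rules() {
    # 1. A LAN client connecting to the public address arrives on eth1, which the
    #    existing "-i eth0" DNAT rule never matches. Match on the destination
    #    address so only traffic aimed at the public IP is redirected.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -d $PUBLIC_IP -p tcp --dport 443 -j DNAT --to-destination $SERVER_IP:443"
    # 2. Client and server share a subnet, so the server would answer the client
    #    directly; the client then sees a reply from $SERVER_IP instead of
    #    $PUBLIC_IP and drops it. Rewriting the source to the router's LAN address
    #    forces the reply back through the router, where the DNAT is undone.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $SERVER_IP -p tcp --dport 443 -j SNAT --to-source $ROUTER_LAN_IP"
    # 3. The hairpinned flow is forwarded eth1 -> eth1, which none of the thread's
    #    FORWARD rules cover. Redundant while the chain policy is ACCEPT, but
    #    needed once the firewall is tightened.
    echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $SERVER_IP -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules emitted; a sanity check before applying.
rule_count() {
    hairpin_rules | grep -c '^iptables '
}

if [ "${1:-}" = "--apply" ]; then
    hairpin_rules | sh -e     # run as root on the router
else
    hairpin_rules             # default: just print the rules
fi
```

The alternative that avoids hairpin traffic altogether is split DNS: have the LAN's resolver answer my.dyndns.org with the server's internal address.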
Thanks, I'll try this this evening. Going to use Bastille later to secure it more. I want to be sure it works, so that if it's not working after installing Bastille I know where to start.