Hello,
I am configuring a gateway using iptables on CentOS 5.2. The gateway is using DNAT to send all traffic over port 80 on eth0 to a web load balancer. Everything works great externally; however, wget from an internal machine (including the gateway itself) returns "connection refused". ping and dig work fine.
I believe the problem is in iptables where internal traffic is being routed out of eth1 to eth0 then back to eth1. Is it possible that the PREROUTING rule is not respected the second time around? Anyone got a rule I can add to forward the looped back traffic to the intended destination?
Here is my iptables script:
#!/bin/bash
#
# Flush all current rules from iptables
#
iptables -F
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
#
# Raw defaults
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Accept anything on localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Enable forwarding on eth1
#
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
#
# Enable masquerade
#
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#
# Accept HTTP connections over port 80
#
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.7.1:80
#
# Accept SSH connections over port 22
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#
# Allow limited ping
#
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 10/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP
#
# Save settings
#
/sbin/service iptables save
#
# Restart iptables
#
service iptables stop
service iptables start
#
# List rules
#
iptables -L -v
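The script's DNAT rule matches only `-i eth0`, so a LAN client (or the gateway itself, whose traffic never enters PREROUTING) connecting to the public address reaches the gateway's own stack, which has nothing listening on port 80 and answers with a reset. The following hairpin-NAT rules are an added example, not part of the original post; they assume a placeholder public address 203.0.113.10 on eth0, a LAN of 10.0.7.0/24 on eth1, and the load balancer at 10.0.7.1 from the post.

```shell
#!/bin/bash
# Hairpin (NAT loopback) rules for the gateway above. Assumed values; override
# via the environment. Set IPT=echo to print the rules instead of applying them.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder public address on eth0
LAN_NET="${LAN_NET:-10.0.7.0/24}"        # assumed LAN subnet behind eth1
LB="${LB:-10.0.7.1}"                     # load balancer from the post
IPT="${IPT:-iptables}"

hairpin_rules() {
    # 1. LAN clients that connect to the public IP arrive on eth1, so the
    #    existing "-i eth0" DNAT never matches. Add the same rewrite for eth1.
    $IPT -t nat -A PREROUTING -i eth1 -p tcp -d "$PUBLIC_IP" --dport 80 \
        -j DNAT --to-destination "$LB:80"
    # 2. Those packets leave the gateway on eth1 again. Without source NAT the
    #    load balancer would reply straight to the client, which sees a SYN-ACK
    #    from 10.0.7.1 instead of the public IP and resets the connection.
    #    Masquerade them so the reply returns via the gateway and is un-DNATed.
    $IPT -t nat -A POSTROUTING -o eth1 -s "$LAN_NET" -d "$LB" -p tcp --dport 80 \
        -j MASQUERADE
    # 3. Locally generated traffic (wget run on the gateway itself) skips
    #    PREROUTING entirely; the nat OUTPUT chain is the hook for it.
    $IPT -t nat -A OUTPUT -p tcp -d "$PUBLIC_IP" --dport 80 \
        -j DNAT --to-destination "$LB:80"
    # 4. FORWARD policy is DROP, but eth1 -> eth1 is already accepted by the
    #    "-i eth1" / "-o eth1" rules in the script, so nothing extra is needed.
}

# Apply only when explicitly requested, e.g. HAIRPIN_APPLY=1 bash hairpin.sh
if [ -n "$HAIRPIN_APPLY" ]; then
    hairpin_rules
fi
```

Run it once with `IPT=echo HAIRPIN_APPLY=1` to review the three generated rules before inserting them ahead of the existing MASQUERADE rule on the gateway.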