On September 6, 2003 08:25 pm, Alexandr Molochnikov wrote:
> Another tidbit for those who are looking into my problem:
>
> My script now contains the following commands:
>
> echo ACCEPT inbound HTTP connections bound to port 80. Web Server.
>
> $IPTABLES -A FORWARD -s $INTERNET_IP -d $OFFICE_IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix "#WALL:accept(fwd 80)#"
> $IPTABLES -A FORWARD -s $INTERNET_IP -d $OFFICE_IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -p tcp -d $INTERNET_IP --dport 80 -j LOG --log-prefix "#WALL:accept(route 80)#"
> $IPTABLES -t nat -A PREROUTING -p tcp -d $INTERNET_IP --dport 80 -j DNAT --to-destination $HTTP_SERVER:80
>
> When I try to access the web server through the firewall, this is what is logged in /var/log/messages:
>
> Sep 6 20:10:35 Wall kernel: #WALL:accept(route 80)#IN=eth1 OUT= MAC=00:60:67:65:ed:ce:00:10:4b:72:b9:4b:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=55557 DF PROTO=TCP SPT=1095 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
>
> As you can see, the PREROUTING rule is logged, but the FORWARD rule is not. Why this happens is beyond me, but I am pretty sure that the absence of logging and the client's inability to get through to the server are two sides of the same coin.
>
> Alex.
Alex,

It looks like your PREROUTING rule is OK, but I don't think your forwarding rule is needed. Also, you need to do SNAT so your client can recognize the packets coming back from the web server. Try adding the following rule in addition to your PREROUTING rule:

$IPTABLES -t nat -A POSTROUTING -o $INTERNET_CARD -j SNAT --to-source $INTERNET_IP

Note that since your default policy for INPUT, OUTPUT, and FORWARD is set to ACCEPT, most of your other rules are redundant, but that is fine if you're just testing. If you change the policies later you will probably need to add at least the following rules to the FORWARD chain:

$IPTABLES -A FORWARD -i $OFFICE_CARD -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Later,
~Scott
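An added example, not taken from either message in this thread: the same port forward written so that the FORWARD rule matches what the kernel actually sees. In netfilter the nat PREROUTING chain runs before the routing decision, so by the time a DNATed SYN reaches the FORWARD chain its destination address is already the internal server; a FORWARD rule that filters on the firewall's own address therefore never matches and never logs. The reply path needs no per-port rule beyond a generic ESTABLISHED,RELATED accept, because connection tracking reverses the DNAT on packets going back to the client. The interface names (eth0, eth1) and the server address 192.168.1.10 are assumptions; 10.0.0.1 is the DST from the logged packet. IPTABLES defaults to `echo iptables`, so running the script prints the rules instead of applying them; set IPTABLES=iptables and run as root to apply.

```shell
#!/bin/sh
# Added example of a DNAT port forward for a web server behind a Linux
# netfilter box. Interface and address names are placeholders, not values
# from the original thread (only 10.0.0.1 comes from the logged packet).
# IPTABLES defaults to a dry run that prints the rules; override it with
# IPTABLES=iptables to apply them for real.
IPTABLES=${IPTABLES:-"echo iptables"}

INTERNET_CARD=${INTERNET_CARD:-eth1}       # outside interface (assumed)
OFFICE_CARD=${OFFICE_CARD:-eth0}           # inside interface (assumed)
INTERNET_IP=${INTERNET_IP:-10.0.0.1}       # firewall's outside address (DST in the log)
HTTP_SERVER=${HTTP_SERVER:-192.168.1.10}   # web server behind the firewall (assumed)

# Rules for one forwarded TCP port. DNAT in nat/PREROUTING rewrites the
# destination before routing, so the filter in FORWARD has to match the
# real server address, not the firewall's public address. Only NEW is
# accepted here; replies are covered by the generic ESTABLISHED rule.
forward_tcp_port() {
    port=$1
    $IPTABLES -t nat -A PREROUTING -i "$INTERNET_CARD" -p tcp -d "$INTERNET_IP" \
        --dport "$port" -j DNAT --to-destination "$HTTP_SERVER:$port"
    $IPTABLES -A FORWARD -i "$INTERNET_CARD" -o "$OFFICE_CARD" -p tcp \
        -d "$HTTP_SERVER" --dport "$port" -m state --state NEW -j ACCEPT
}

# Baseline for a default-DROP FORWARD chain: let replies to any accepted
# connection through (conntrack has already un-DNATed them), let the
# office originate whatever it likes, and hide office clients behind the
# firewall's public address on the way out.
base_forward_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$OFFICE_CARD" -o "$INTERNET_CARD" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$INTERNET_CARD" -j SNAT --to-source "$INTERNET_IP"
}

# Dry-run sanity check: the generated FORWARD rule must reference the
# post-DNAT destination. Always runs in echo mode so it never applies
# anything. Returns 0 when the rule is correct.
forward_rule_matches_server() {
    ( IPTABLES="echo iptables"; forward_tcp_port "$1" ) \
        | grep -- '-A FORWARD' | grep -q -- "-d $HTTP_SERVER"
}

main() {
    base_forward_rules
    forward_tcp_port 80
}

main
```

To see why the original FORWARD rule stays silent, compare the address it tests against the address the DNAT target writes: the LOG rule in PREROUTING fires because it runs before translation, the FORWARD rule is evaluated after it. Logging in FORWARD with the corrected `-d` will show the same SYN with DST already rewritten.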
