Howdy,

As pointed out by someone else, the ACCEPT on the FORWARD chain isn't
required since your default action earlier in the script is already to
ACCEPT packets on the FORWARD chain.

The logging isn't working for the FORWARD chain because you have
specified to only log packets coming from the FIREWALL machine's real
world IP address destined to port 80 on the web server. If you drop the
-s $INTERNET_IP portion of that command it should work.

If you want to contact your web server from the firewall box (using a
browser or telnet or whatever else) using your firewall's real world IP
address (the chances you want to do this are slim), you'll have to add a
filter to the OUTPUT filter chain.

Although not required to do what you want here, if you wish to turn the
firewall box into a NAT (using masquerading) then the sample below shows
how that is done. You probably knew this - but I am just pointing it out
as an FYI.


echo ACCEPT inbound HTTP connections bound to port 80. Web Server.

# Redirect port 80 to the web server (log the connection, then DNAT it)
$IPTABLES -t nat -A PREROUTING -d $INTERNET_IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix "#WALL: Nat/PREROUTE(Port 80)#"
$IPTABLES -t nat -A PREROUTING -d $INTERNET_IP -p tcp --dport 80 -j DNAT --to-destination $HTTP_SERVER:80

# Redirect port 80 to the web server - this case is if we contact the
# web server from the firewall box using the external IP address
# (locally generated packets traverse nat OUTPUT, not nat PREROUTING)
$IPTABLES -t nat -A OUTPUT -d $INTERNET_IP -p tcp --dport 80 -j LOG --log-prefix "#WALL: Nat/OUTPUT(Port 80)#"
$IPTABLES -t nat -A OUTPUT -d $INTERNET_IP -p tcp --dport 80 -j DNAT --to-destination $HTTP_SERVER:80

# This is for debug purposes only. Note the match is on the DNATed
# destination ($HTTP_SERVER) and there is no -s match: by the time the
# packet reaches FORWARD its source is the client, not $INTERNET_IP.
$IPTABLES -A FORWARD -d $HTTP_SERVER -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix "#WALL: accept(fwd 80)#"

# Uncomment this if machines on the internal network need to be
# masqueraded. OFFICE_IP/24 is a quick hack. There should be
# an environment variable with the internal network/netmask.

#$IPTABLES -t nat -A POSTROUTING -s $OFFICE_IP/24 -j MASQUERADE
On Sat, 2003-09-06 at 20:25, Alexandr Molochnikov wrote:
> Another tidbit for those who are looking into my problem:
> 
> My script now contains the following commands:
> 
> echo ACCEPT inbound HTTP connections bound to port 80. Web Server.
> 
> $IPTABLES -A FORWARD -s $INTERNET_IP -d $OFFICE_IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix "#WALL:accept(fwd 80)#"
> $IPTABLES -A FORWARD -s $INTERNET_IP -d $OFFICE_IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -p tcp -d $INTERNET_IP --dport 80 -j LOG --log-prefix "#WALL:accept(route 80)#"
> $IPTABLES -t nat -A PREROUTING -p tcp -d $INTERNET_IP --dport 80 -j DNAT --to-destination $HTTP_SERVER:80
> 
> When I try to access the web server through the firewall, this is what
> is logged in /var/log/messages:
> 
> Sep  6 20:10:35 Wall kernel: #WALL:accept(route 80)#IN=eth1 OUT=
> MAC=00:60:67:65:ed:ce:00:10:4b:72:b9:4b:08:00 SRC=10.0.0.2 DST=10.0.0.1
> LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=55557 DF PROTO=TCP SPT=1095 DPT=80
> WINDOW=8192 RES=0x00 SYN URGP=0 
> 
> As you can see, the PREROUTING is logged, but FORWARD is not. Why this
> happens is beyond me, but I am pretty sure that the absence of logging
> and the client's inability to get through to the server are two sides of
> the same coin.
> 
> Alex.
-- 
Mike Petch
CApp::Sysware Consulting Ltd.
Suite 1002,1140-15th Ave SW.
Calgary, Alberta, Canada.
T2R 1K6.
(403)804-5700.
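As an added illustration (not code from Mike's or Alex's script), a small Python model of what the thread describes: the quoted LOG line is parsed, the packet is replayed through the nat PREROUTING DNAT rule, and the FORWARD rule is evaluated with and without the -s $INTERNET_IP match. The values of INTERNET_IP and HTTP_SERVER are assumptions; 10.0.0.1 is taken from the DST field of the log line, the web server address is made up.

```python
import re

# Constructed stand-ins for the script's variables (assumptions, not values
# from the thread): 10.0.0.1 is the firewall's outside address seen as DST in
# Alex's log line; the internal web server address is made up.
INTERNET_IP = "10.0.0.1"
HTTP_SERVER = "192.168.1.10"

# The LOG line Alex quoted from /var/log/messages (nat PREROUTING fired).
LOG_LINE = (
    "Sep  6 20:10:35 Wall kernel: #WALL:accept(route 80)#IN=eth1 OUT= "
    "MAC=00:60:67:65:ed:ce:00:10:4b:72:b9:4b:08:00 SRC=10.0.0.2 DST=10.0.0.1 "
    "LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=55557 DF PROTO=TCP SPT=1095 DPT=80 "
    "WINDOW=8192 RES=0x00 SYN URGP=0"
)


def parse_log(line):
    """Return (log prefix, dict of KEY=VALUE fields) from an iptables LOG line."""
    prefix = re.search(r"kernel: (#.*?#)", line).group(1)
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    return prefix, fields


def prerouting_dnat(pkt):
    """-t nat -A PREROUTING -d $INTERNET_IP -p tcp --dport 80 -j DNAT --to $HTTP_SERVER:80"""
    if pkt["dst"] == INTERNET_IP and pkt["proto"] == "TCP" and pkt["dport"] == 80:
        return {**pkt, "dst": HTTP_SERVER}
    return pkt


def forward_rule_matches(pkt, src=None, dst=None, dport=80):
    """A FORWARD rule with optional -s/-d, evaluated on the packet after DNAT."""
    return ((src is None or pkt["src"] == src)
            and (dst is None or pkt["dst"] == dst)
            and pkt["proto"] == "TCP" and pkt["dport"] == dport)


def diagnose(line):
    """Replay the logged packet through PREROUTING, then test both FORWARD rules."""
    prefix, f = parse_log(line)
    pkt = {"src": f["SRC"], "dst": f["DST"], "proto": f["PROTO"], "dport": int(f["DPT"])}
    routed = prerouting_dnat(pkt)
    return {
        "prefix": prefix,
        "dst_after_dnat": routed["dst"],
        # with -s $INTERNET_IP: SRC is the client (10.0.0.2), so this never matches
        "with_src_match": forward_rule_matches(routed, src=INTERNET_IP, dst=HTTP_SERVER),
        # Mike's fix, -s dropped: matches on the DNATed destination
        "without_src_match": forward_rule_matches(routed, dst=HTTP_SERVER),
    }
```

The DST in the log line is still the firewall's address because the nat PREROUTING LOG rule runs before the DNAT rule rewrites it; diagnose() shows the rewritten destination the FORWARD chain actually sees.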
