Michael Wood wrote:
>
> I don't think you want to set the forward policy to MASQ.
>
> I have never used ipmasqadm, but how about trying this:
>
> ipchains -F # flush all rules
> ipchains -X # get rid of any user defined chains too
> ipmasqadm portfw -f
> ipchains -P output ACCEPT
> ipchains -P forward ACCEPT
> ipchains -P output ACCEPT
> echo 1 > /proc/sys/net/ipv4/ip_forward
> ipchains -A forward -s 192.168.56.0/24 -d 0.0.0.0/0 -i eth1 -j MASQ
> ipmasqadm portfw -a -P tcp -L 207.202.255.134 80 -R 192.168.56.10 80
I think the problem you'll run into here is that the traffic will reach the internal web server, but get masqueraded on the way out, changing the source port from 80 to some high port. Try running tcpdump on both the web server and the internal and external interfaces on the firewall to see what's coming in/going out to help troubleshoot where things are getting hung up. You might consider looking into the 2.4 kernel and its netfilter. iptables will do both SNAT and DNAT. I have a similar setup (webserver on private lan behind firewall) and just do DNAT (destination NAT) on the firewall to forward the traffic through, which I believe also catches the return traffic and adjusts just the IP address on outgoing packets.
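As an added example (not code from either poster), here is the netfilter/iptables version of the same port forward that the reply recommends, using the addresses from the thread. It assumes eth1 is the external interface (the original MASQ rule used -i eth1 as its outgoing interface), eth0 is the LAN side, and a 2.4-era kernel with iptables connection tracking and NAT available; the DRY_RUN switch only prints the commands so the ruleset can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names are assumptions;
# the addresses are the ones posted above.
EXT_IF=eth1                 # assumed: outside interface
LAN_IF=eth0                 # assumed: inside interface
EXT_IP=207.202.255.134      # public address that receives web traffic
LAN_NET=192.168.56.0/24     # private LAN behind the firewall
WEB=192.168.56.10           # internal web server

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

apply_nat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -F
    run iptables -F FORWARD
    # DNAT in PREROUTING: rewrite the destination before routing. Connection
    # tracking records the mapping, so replies from $WEB:80 are rewritten back
    # to $EXT_IP:80 automatically and the source port is left alone, which is
    # the failure mode the ipchains MASQ-on-forward setup ran into.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$WEB:80"
    # Masquerade only connections the LAN itself originates toward the outside.
    # NAT is decided on the first packet of a connection, so replies belonging
    # to the DNATed web connections are not re-masqueraded here.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE
    # FORWARD: deny by default, allow tracked traffic, LAN egress, and only
    # the forwarded web port inbound.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$WEB" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Apply only when explicitly asked: ./nat.sh apply  (DRY_RUN=1 ./nat.sh apply to preview)
if [ "${1:-}" = apply ]; then apply_nat_rules; fi
```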