On 2007-07-12 Marco wrote:
> On Thu, 12 Jul 2007 14:48:37 +0200, Ansgar -59cobalt- Wiechers wrote:
>> Then do NAT for that interface. To repeat myself: you don't need NAT
>> for connections between your two private networks. Stop using NAT
>> there, and your problem is solved.
>
> Maybe I don't understand this, but if I don't use NAT there from the
> internet I can't connect to the webserver. With this rule commented:
>
> iptables -t nat -A PREROUTING -i ! $DMZIF -p tcp --dport 80 \
>     -j DNAT --to 192.168.10.2
>
> everything works from LAN, but not from internet. Firewall has a
> public IP address and it's accepting connections from internet and
> LAN.
If you comment that rule out, you don't do NAT at all. That's not what
you want. You want a NAT rule for internet traffic only, e.g. like this:

iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
    -j DNAT --to 192.168.10.2

With $EXTIF being your firewall's external (Internet) interface.

Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
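Added example, not part of the thread above: a small script that publishes the DMZ web server only through the firewall's Internet interface, as Ansgar suggests, together with the FORWARD rules the DNATed connection still has to pass. The interface names eth0 (Internet) and eth2 (DMZ) and the use of the conntrack match are assumptions for illustration; 192.168.10.2 is the web server address from the thread. Setting IPT=echo prints the rules instead of loading them, so the ruleset can be inspected without root.

```shell
#!/bin/sh
# Added example (editor's, not from the original posters): DNAT TCP/80 that
# arrives on the Internet interface to the DMZ web server, and nothing else.
# Interface names are assumptions; 192.168.10.2 is the address from the thread.
set -eu

EXTIF="${EXTIF:-eth0}"           # public (Internet) interface, assumed name
DMZIF="${DMZIF:-eth2}"           # DMZ interface, assumed name
WEBSRV="${WEBSRV:-192.168.10.2}" # web server address from the thread
IPT="${IPT:-iptables}"           # set IPT=echo to print rules instead of loading them

# Emit (or load) the rules that expose the web server to the Internet only.
# Arguments: external interface, DMZ interface, web server address.
dnat_web_rules() {
    ext="$1"; dmz="$2"; web="$3"

    # Rewrite the destination of TCP/80 arriving on the external interface only.
    # Matching on "-i ! $DMZIF" instead would also catch the LAN's own outbound
    # HTTP (any TCP/80 on any non-DMZ interface) and send it to the web server.
    $IPT -t nat -A PREROUTING -i "$ext" -p tcp --dport 80 \
        -j DNAT --to-destination "$web"

    # DNAT only rewrites addresses; the packets still traverse FORWARD,
    # so allow exactly this flow in both directions and nothing broader.
    $IPT -A FORWARD -i "$ext" -o "$dmz" -p tcp -d "$web" --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$dmz" -o "$ext" -p tcp -s "$web" --sport 80 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Helper for reviewing a printed ruleset: how many emitted rules match on
# the given ingress interface. Only meaningful with IPT=echo.
count_rules_for_iface() {
    dnat_web_rules "$2" "$3" "$4" | grep -c -- "-i $1"
}

# Load the rules only when explicitly asked, so sourcing or dry-running the
# file never touches the live firewall.
case "${1:-}" in
    apply) dnat_web_rules "$EXTIF" "$DMZIF" "$WEBSRV" ;;
esac
```

Run `IPT=echo sh publish-web.sh` to print the three rules, then `sh publish-web.sh apply` as root to load them. One caveat that the thread does not cover: with this ruleset LAN clients can reach the server by its private address but not by the firewall's public address, because their packets never arrive on $EXTIF; if that is needed, either give the LAN a DNS answer pointing at 192.168.10.2 (split-horizon DNS) or add a second DNAT on the LAN interface together with an SNAT toward the DMZ so the return traffic comes back through the firewall.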

