On Tue, 2002-11-19 at 11:51, Toshiro wrote:
> > > > I've configured a webserver, which runs perfectly on its own net. The
> > > > problem is that it's behind a firewall and everything that comes through
> > > > that firewall is being ignored by the server.
> > > >
> > > > Must be some kind of spoof-protection. Because the packets get trapped by
> > > > rp_filter.
> > > >
> > > > So I've disabled rp_filter, I've set all iptables rules to ACCEPT, and
> > > > I've tried lowering the security level with msec. Nothing changed. I've
> > > > used tcpdump to see what's going on, and I can see that packets coming
> > > > from a machine on the internal net get answers. But packets arriving
> > > > through the firewall arrive at the interface, but no answer is sent. So I
> > > > know for sure that the problem is at this machine.
> > >
> > > Have you configured NAT?
> > 
> > No, this machine is not the firewall itself, only a http-server. It's
> > packets coming through another firewall that are being filtered out. In
> > that case NAT shouldn't be necessary since it's not doing any
> > gatewaying/routing. Or am I wrong here...?
> 
> No, you're right, you don't have to do anything in the webserver, my question 
> wasn't right :) what I wanted to ask you is whether the NAT in the firewall is 
> configured OK.
> 
> Also, your firewall should allow all packets belonging to an already
> established connection to pass; for example, if your firewall were a Linux box
> with iptables you should have something like this:
> 
>       iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 

I could be wrong here, but I think you may need to enable port
forwarding to pass requests for port 80 on the firewall to port 80 on
the webserver.

Try this (one line):

iptables -t nat -A PREROUTING -i <INET IFACE> -p tcp --dport 80 -j DNAT --to-destination <WEB SERVER>:80

Replace <INET IFACE> with your internet interface (ppp0/eth0, whatever).
Replace <WEB SERVER> with the internal IP of your webserver.

Of course, if you have a public address on your web server and traffic
is going straight there, this mail is redundant :)

A simple EUREKA! will suffice, should this fix the problem :)

Kind regards,

John...
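As an added example that is not part of this thread, the following POSIX shell script puts together the firewall-side rule set Toshiro and John describe: the PREROUTING DNAT for port 80, a FORWARD rule admitting the new connection to the web server, and the ESTABLISHED,RELATED rule for return traffic. The interface name, web server address and port are placeholders passed on the command line (the defaults in the script are assumed values); the script only prints the rules unless it is run as root with --apply, so it can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Generates (and optionally applies) the iptables rules a Linux firewall
# needs to forward TCP port 80 to an internal web server.
# Defaults below are assumptions; override them on the command line.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
# Used so a typo or a stray shell metacharacter never reaches iptables.
validate_ipv4() {
    ip="$1"
    case "$ip" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set for the firewall, one iptables command per line.
# $1 = external interface, $2 = internal web server IP, $3 = port (default 80).
# Nothing is applied here; the caller decides what to do with the output.
build_port_forward_rules() {
    iface="$1"; server="$2"; port="${3:-80}"
    validate_ipv4 "$server" || {
        echo "invalid web server address: $server" >&2
        return 1
    }
    cat <<EOF
iptables -t nat -A PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination $server:$port
iptables -A FORWARD -i $iface -p tcp -d $server --dport $port -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Assumed defaults: external interface eth0, web server 192.168.1.10, port 80.
DEFAULT_IFACE=eth0
DEFAULT_SERVER=192.168.1.10
DEFAULT_PORT=80

if [ "${1:-}" = "--apply" ]; then
    shift
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply rules" >&2; exit 1; }
    # The DNAT is useless unless the kernel routes between interfaces.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_port_forward_rules "${1:-$DEFAULT_IFACE}" "${2:-$DEFAULT_SERVER}" \
        "${3:-$DEFAULT_PORT}" | sh -e
else
    # Review mode: print the rules that --apply would run.
    build_port_forward_rules "${1:-$DEFAULT_IFACE}" "${2:-$DEFAULT_SERVER}" \
        "${3:-$DEFAULT_PORT}"
fi
```

Run it without arguments to see the rules for the assumed defaults, or as `./fwd.sh --apply ppp0 10.0.0.5` on the firewall itself. Two checks belong with this: net.ipv4.ip_forward must be 1 on the firewall (the script sets it under --apply), and the web server's default route must point back at the firewall, because a reply to a DNATed connection that leaves by another path is never un-NATed and the client never sees it.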
