Can't get DNAT to work!!!

[Shaun Landau]

I have a simple network consisting of a linux machine attached to the internet and acting as a firewall for a second machine with a web server. The firewall machine has two NICs, the first of which is connected to the internet (DHCP) and the second is connected to the LAN as 192.168.1.1. The web server machine on the LAN has a single NIC as 192.168.1.2.   I am attempting to have port 80 internet traffic coming to the firewall machine routed to port 80 of 192.168.1.2, using DNAT. My firewall script is below (the DNAT rule is near the end of the script). It is not letting any port 80 traffic through at all from the internet. What's up with that?!       #!/bin/sh #   FWVER=0.70s echo -e "\nLoading rc.firewall - version $FWVER..\n"   #Setting the EXTERNAL and INTERNAL interfaces for the network EXTIF="eth1" INTIF="eth0"   # Determine the external IP automatically: EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"   # For STATIC IP addresses: # EXTIP="your.static.PPP.address"   # Assign the internal TCP/IP network and IP address INTNET="192.168.1.0/24" INTIP="192.168.1.1/24"   IPTABLES=/sbin/iptables LSMOD=/sbin/lsmod GREP=/bin/grep AWK=/bin/awk   UNIVERSE="0.0.0.0/0"   echo "Enabling forwarding ..." echo "1" > /proc/sys/net/ipv4/ip_forward   # If you get your IP address dynamically from SLIP, PPP, or DHCP, # enable the following option.  This enables dynamic-address hacking # which makes the life with Diald and similar programs much easier. echo "Enabling DynamicAddr ..." echo "1" > /proc/sys/net/ipv4/ip_dynaddr   echo "Clearing any existing rules and setting default policy to DROP ..." $IPTABLES -P INPUT DROP  $IPTABLES -F INPUT $IPTABLES -P OUTPUT DROP  $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP  $IPTABLES -F FORWARD $IPTABLES -F -t nat   # Flush the user chain.. if it exists if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then    $IPTABLES -F drop-and-log-it fi   # Delete all User-specified chains $IPTABLES -X   # Reset all IPTABLES counters $IPTABLES -Z   echo "Creating a DROP chain.." $IPTABLES -N drop-and-log-it $IPTABLES -A drop-and-log-it -j LOG --log-level info $IPTABLES -A drop-and-log-it -j DROP   echo -e "Loading INPUT rulesets"   # loopback interfaces are valid. $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT   # local interface, local machines, going anywhere is valid $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT   # remote interface, claiming to be local machines, IP spoofing, get lost $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it   # Allow any related traffic coming back to the MASQ server in $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \ ESTABLISHED,RELATED -j ACCEPT   ######### OPEN PORTS TO ALLOW ACCESS FROM THE INTERNET ############ ########################################################################   #echo -e "Allowing EXTERNAL access to the WWW server on port 80" #$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT   #echo -e "Allowing EXTERNAL access to the WWW server on port 83" #$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 83 -j ACCEPT   #echo -e "Allowing EXTERNAL access to the POP server on port 110" #$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 110 -j ACCEPT   #echo -e "Allowing EXTERNAL access to the SMTP server on port 25" #$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 25 -j ACCEPT   ######################################################################## ########################################################################       # Catch all rule, all other incoming is denied and logged. $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it   echo -e "Loading OUTPUT rulesets"   # loopback interface is valid. $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT   # local interfaces, any source going to local net is valid $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT   # local interface, any source going to local net is valid $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT   # outgoing to local net on remote interface, stuffed routing, deny $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it   # anything else outgoing on remote interface is valid $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT   # Catch all rule, all other outgoing is denied and logged. $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it     echo -e "Loading FORWARD rulesets"   echo "FWD: Allow all connections OUT and only existing/related IN" $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT   # Catch all rule, all other forwarding is denied and logged. $IPTABLES -A FORWARD -j drop-and-log-it   echo "DNAT: Enabling DNAT for internal web server" $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.1.2:80   echo "NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP   echo -e "\nrc.firewall-2.4 $FWVER done.\n"