On Wednesday 15 May 2002 9:47 am, Antony Stone wrote:

> On Wednesday 15 May 2002 9:37 am, Kenneth wrote:
> > I changed the script to just the following lines now but I still cannot
> > access the internal website. Other things are fine:
> >
> > # $INET_IFACE and $INET_IP are expected to be set earlier in the script
> > # NAT the LAN's outbound traffic behind the external interface
> > /sbin/iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
> > # Default policies: anything not matched by a rule is accepted
> > /sbin/iptables -P INPUT ACCEPT
> > /sbin/iptables -P OUTPUT ACCEPT
> > /sbin/iptables -P FORWARD ACCEPT
> > # Port-forward inbound TCP/80 on the external address to the internal web server
> > /sbin/iptables -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP \
> >     --dport 80 -j DNAT --to 192.168.1.200:80
> > # Let the forwarded connections through to the web server
> > /sbin/iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -p tcp \
> >     -i $INET_IFACE -d 192.168.1.200 --dport 80 -j ACCEPT
> > # Enable routing between interfaces (ip_forward is set twice here)
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > /bin/echo 1 > /proc/sys/net/ipv4/ip_dynaddr
> > /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
> > # Reverse-path filtering on every interface
> > for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
> >
> > Any help?
>
> I don't see anything here which adds a rule to the FORWARD chain to
> allow the replies back from the web server to the client !?
Oh - sorry - just noticed that your default policy on FORWARD is ACCEPT, which will do the job. I never use a default ACCEPT so I didn't think of that before posting.

Can you run tcpdump / ethereal or something similar on the web server or its network link, to see what packets go back & forward to it ? Does it have a correct routing table on the web server ?

Antony.
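As an added example (not part of the thread, and not Kenneth's or Antony's script), here is the same port-forward written the way Antony says he sets things up: default DROP policies on INPUT and FORWARD, so the reply path through FORWARD has to be allowed by an explicit ESTABLISHED,RELATED rule rather than by the policy. The interface names, the 203.0.113.10 external address, the ipt/sysctl wrappers and the tcpdump lines in the comments are all assumptions for illustration; the script prints the iptables commands it would run unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original posts. Values below are assumptions;
# override them in the environment to match your box.
INET_IFACE="${INET_IFACE:-eth0}"           # external interface (assumed)
LAN_IFACE="${LAN_IFACE:-eth1}"             # internal interface (assumed)
INET_IP="${INET_IP:-203.0.113.10}"         # external address (RFC 5737 placeholder)
WEB_SERVER="${WEB_SERVER:-192.168.1.200}"  # internal web server from the thread
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands, 0 = apply (as root)

# Wrapper so the rule set can be inspected without touching the kernel.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "/sbin/iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# Same idea for the /proc sysctl writes.
set_sysctl() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "echo 1 > $1"
    else
        echo 1 > "$1"
    fi
}

build_rules() {
    ipt -F
    ipt -t nat -F
    ipt -X

    # Restrictive defaults: nothing is forwarded or accepted unless a rule says so.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Firewall host itself: loopback, replies to its own traffic, and the LAN.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IFACE" -j ACCEPT

    # Hide the LAN behind the external address.
    ipt -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE

    # LAN clients may open anything outbound.
    ipt -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -m state --state NEW -j ACCEPT

    # The rule Antony was looking for: with FORWARD set to DROP, replies from the
    # web server (and from anything else already tracked) need this to get back.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rewrite inbound TCP/80 on the external address to the web server.
    ipt -t nat -A PREROUTING -i "$INET_IFACE" -p tcp -d "$INET_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"

    # Only the DNATed new connections are allowed in towards the web server.
    ipt -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m state --state NEW -j ACCEPT

    set_sysctl /proc/sys/net/ipv4/ip_forward
    set_sysctl /proc/sys/net/ipv4/ip_dynaddr
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        set_sysctl "$f"
    done
}

# To check the reply path the way Antony suggests (assumed commands, run as root):
#   on the firewall:   tcpdump -ni "$LAN_IFACE" host "$WEB_SERVER" and tcp port 80
#   on the web server: tcpdump -ni any tcp port 80   and   route -n
# If the SYN reaches the server but no SYN/ACK comes back through the firewall,
# the server's default route is not pointing at the firewall's LAN address.

build_rules
```

In dry-run mode the output is just the list of commands, which is a convenient way to diff a proposed rule set against what `iptables -L -n -v` shows on the live box before applying it.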