Hi,

| What webserver did you test ; http://localhost or http://123.0.0.18 ?
| We don't know anything about your setup so it's quite difficult if not
| impossible to answer your question.
| Could you post your iptables rules so that we might be able to help you (and
| please, not the output of : iptables -L, but the actual commands) ?

I did test http://123.0.0.18 and it's okay, but http://www.dominio.com.br is not okay.

ERROR
The requested URL could not be retrieved
-------------------------------------------------------------
While trying to retrieve the URL: http://www.dominio.com.br
The following error was encountered:
Connection Failed
The system returned:
(111) Connection refused
The remote host or network may be down. Please try the request again.
Your cache administrator is root.

My rules are:

[root@IMIDIA /root]# cat iptables.txt
# Generated by iptables-save v1.2.1a on Fri Sep 13 12:35:05 2002
*mangle
:PREROUTING ACCEPT [26633:4815741]
:OUTPUT ACCEPT [625:95729]
COMMIT
# Completed on Fri Sep 13 12:35:05 2002
# Generated by iptables-save v1.2.1a on Fri Sep 13 12:35:05 2002
*filter
:INPUT DROP [55:8112]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 0/0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 0/0 -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -s 0/0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 0/0 -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 0/0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 0/0 -p udp -m udp --sport 53 -j ACCEPT
-A FORWARD -m unclean -j LOG
-A FORWARD -m unclean -j DROP
-A FORWARD -p icmp -m icmp --icmp-type 8 -j LOG
-A FORWARD -p icmp -m icmp --icmp-type 8 -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport rsync -j ACCEPT
-A FORWARD -p tcp -m tcp --sport rsync -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 20 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 20 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --sport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 22 -j ACCEPT
# saida
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 123.0.0.10 -j ACCEPT
-A OUTPUT -s 200.0.2.190 -j ACCEPT
-A OUTPUT -d 0/0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 0/0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j LOG
-A OUTPUT -p icmp -m state --state INVALID -j DROP
COMMIT
# Completed on Fri Sep 13 12:35:05 2002
# Generated by iptables-save v1.2.1a on Fri Sep 13 12:35:05 2002
*nat
:PREROUTING ACCEPT [1192:75377]
:POSTROUTING ACCEPT [17:863]
:OUTPUT ACCEPT [2:136]
# Redirecionamento do trafego local para o servidor squid, controle do conteudo.
-A PREROUTING -s 123.0.0.10 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.0.0.11:3128
# Redirecionamento do Trafego web da Internet para o servidor web.
-A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.0.0.18
# Criando uma rota de ENTRADA para os e-mails.
-A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 123.0.0.11
# Criando uma rota de ENTRADA para DNS
-A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 123.0.0.11
# Criando uma rota de ENTRADA para DNS
-A PREROUTING -d 200.0.2.190 -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 123.0.0.11
# Criando uma rota de ENTRADA para o acesso FTP.
# -A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 123.0.0.18
# Criando uma rota de SAIDA para os e-mails. Atencao, essa rota pode permitir
# acao de SPAMMERS, acaso o sendmail nao estiver corretamente fechado.
-A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 123.0.0.11
# Trafego de LOCAL de saida para INTERNET via SQUID.
-A POSTROUTING -s 123.0.0.11 -o eth0 -j MASQUERADE
# Trafego de saida para INTERNET de todos os protocolos exceto o Tcp/IP 80 rede LOCAL.
-A POSTROUTING -s 123.0.0.0/255.255.255.0 -o eth0 -p tcp -m tcp ! --dport 80 -j MASQUERADE
COMMIT
# Completed on Fri Sep 13 12:35:05 2002

Thanks in advance,
Eugenio