I have a setup without a DMZ, i.e., the servers (http, mail, ssh) share the same subnet as my intranet clients (DHCP). The iptables script I am struggling with allows clients to browse the net but refuses them connections to the servers. Somehow the firewall refuses TCP/UDP connections meant for the servers. The firewall machine runs no public services (forwards traffic only). The forward and NAT rules that I use are:

# variables (the addresses here are placeholders standing in for the real ones)
iptables=/sbin/iptables     # path to the iptables binary; not shown in the post as quoted
public_ip=203.0.113.10      # external web ip
intra_dev=eth1              # internal iface
extra_dev=eth0              # external iface
intra_ip=192.168.1.1        # internal ip
extra_ip=203.0.113.10       # external ip
http=192.168.1.10           # http server ip
mail=192.168.1.11           # mail server ip
intra_lan=192.168.1.0/24    # internal subnet; used below but not defined in the post as quoted
universe=0.0.0.0/0          # "anywhere"; used below but not defined in the post as quoted

# forward
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# do I need these 2 lines
$iptables -A FORWARD -p tcp -i $intra_dev -o $extra_dev -j ACCEPT
$iptables -A FORWARD -p udp -i $intra_dev -o $extra_dev -j ACCEPT
$iptables -A FORWARD -p tcp -i $extra_dev -m state --state NEW,ESTABLISHED,RELATED --dport 80 -j ACCEPT
$iptables -A FORWARD -p tcp -i $extra_dev -m state --state NEW,ESTABLISHED,RELATED --dport 81 -j ACCEPT
$iptables -A FORWARD -p tcp -i $extra_dev -o $intra_dev --dport 80 -d $http -j ACCEPT
$iptables -A FORWARD -p tcp -i $extra_dev -o $intra_dev --dport 81 -d $mail -j ACCEPT

# prerouting
$iptables -A PREROUTING -t nat -p tcp -i $extra_dev -d $public_ip --dport 80 -j DNAT --to $http
$iptables -A PREROUTING -t nat -p tcp -i $extra_dev -d $public_ip --dport 81 -j DNAT --to $mail

# postrouting
# either these 2 rules or the masquerade rule works
$iptables -A POSTROUTING -t nat -p tcp -o $extra_dev -s $intra_lan -d $universe -j SNAT --to $extra_ip
$iptables -A POSTROUTING -t nat -p udp -o $extra_dev -s $intra_lan -d $universe -j SNAT --to $extra_ip   # the post repeats the tcp rule verbatim here; udp assumed intended
$iptables -A POSTROUTING -t nat -o $extra_dev -j MASQUERADE

Does someone see a problem that I can't? Also, could someone enlighten me about the OUTPUT chain and whether or not I need it here.

Thanks,
Rahul
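As an added example (not the poster's script), here is the same ruleset reworked around the two things that matter in this topology. Clients and servers on one subnet reach each other directly, so the firewall's FORWARD chain only sees a client-to-server connection when the client uses the public address. On that path the posted DNAT rule cannot match, because it is restricted to `-i $extra_dev`, and even if it did, the server would answer the client directly from its private address, bypassing the firewall, and the client would discard the reply. The script below uses the variable names from the post with placeholder addresses and interface names, makes the DNAT interface-independent, adds the hairpin FORWARD and SNAT rules that route the reply back through the firewall, and leaves the OUTPUT chain alone because it only governs packets the firewall host itself generates. It prints the rules by default and only calls iptables when run with `APPLY=1`.

```shell
#!/bin/sh
# Added example, not the poster's script. Variable names follow the post; every
# address and interface name below is a placeholder.
# Default is a dry run that prints each rule; APPLY=1 hands it to iptables.
# IP forwarding itself must also be on (net.ipv4.ip_forward=1).

public_ip=203.0.113.10      # placeholder: public address on the external interface
extra_ip=$public_ip
extra_dev=eth0              # placeholder: external interface
intra_dev=eth1              # placeholder: internal interface
intra_ip=192.168.1.1        # placeholder: firewall's address on the internal subnet
intra_lan=192.168.1.0/24    # placeholder: subnet shared by clients and servers
http=192.168.1.10           # placeholder: web server
mail=192.168.1.11           # placeholder: mail server (port 81, as in the post)

# Wrapper: print the rule in dry-run mode, apply it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_rules() {
    # Forwarded packets traverse FORWARD only. OUTPUT sees packets the firewall
    # host itself originates, so it is left at its default policy here.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F PREROUTING
    ipt -t nat -F POSTROUTING

    # Return traffic for connections accepted below.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN to Internet: one rule for all protocols replaces the separate tcp and
    # udp rules (and lets ICMP through as well).
    ipt -A FORWARD -i "$extra_dev" -o "$intra_dev" -m state --state NEW -j DROP
    ipt -A FORWARD -i "$intra_dev" -o "$extra_dev" -s "$intra_lan" -j ACCEPT

    # Internet to the published servers. DNAT has already rewritten the
    # destination, so match on the server's private address.
    ipt -A FORWARD -i "$extra_dev" -o "$intra_dev" -p tcp -d "$http" --dport 80 -j ACCEPT
    ipt -A FORWARD -i "$extra_dev" -o "$intra_dev" -p tcp -d "$mail" --dport 81 -j ACCEPT

    # Hairpin: a LAN client connecting to the public address enters and leaves
    # on the internal interface. Without this the DROP policy refuses it.
    ipt -A FORWARD -i "$intra_dev" -o "$intra_dev" -p tcp -d "$http" --dport 80 -j ACCEPT
    ipt -A FORWARD -i "$intra_dev" -o "$intra_dev" -p tcp -d "$mail" --dport 81 -j ACCEPT

    # DNAT anything addressed to the public IP, whichever interface it arrives
    # on. With "-i $extra_dev" a LAN client's packet is never redirected and
    # ends up at the firewall itself, which runs no web or mail service.
    ipt -t nat -A PREROUTING -d "$public_ip" -p tcp --dport 80 -j DNAT --to "$http"
    ipt -t nat -A PREROUTING -d "$public_ip" -p tcp --dport 81 -j DNAT --to "$mail"

    # Source NAT for LAN traffic leaving on the external interface (one rule
    # for all protocols; MASQUERADE does the same for a dynamic address).
    ipt -t nat -A POSTROUTING -o "$extra_dev" -s "$intra_lan" -j SNAT --to "$extra_ip"

    # Hairpin SNAT: rewrite the LAN client's source to the firewall's internal
    # address so the server answers via the firewall, which then undoes the
    # DNAT. Direct client-to-server traffic never passes the firewall, so only
    # hairpinned connections match these two rules.
    ipt -t nat -A POSTROUTING -o "$intra_dev" -s "$intra_lan" -d "$http" -p tcp --dport 80 -j SNAT --to "$intra_ip"
    ipt -t nat -A POSTROUTING -o "$intra_dev" -s "$intra_lan" -d "$mail" -p tcp --dport 81 -j SNAT --to "$intra_ip"
}

build_rules
```

The explicit DROP for new connections from the external interface is redundant with the DROP policy and is there only so the intent is visible when the rules are listed. The price of hairpin SNAT is that the servers log every hairpinned connection as coming from the firewall's internal address; if that matters, the usual alternative is to have internal DNS resolve the public hostnames to the servers' private addresses so LAN clients never go through the firewall at all.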