Quoting Magnus Solvang (magnus@solvang.net): | I'm configuring a firewall on a network where we have put | the webserver on the inside of the firewall and given it | a reserved ip-address. | I have done the appropriate forwarding so that the webserver | can be reached from the internett. Trouble is, users on the | LAN have to use its internal ip-address to reach the web- | pages. I've been reading the docs, but still haven't figured this one out. According to NAT-HOWTO-10.html, I've set up these rules: $IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTWEBSERVER1 -p tcp \ --dport 80 -j DNAT --to $INTWEBSERVER1 $IPTABLES -t nat -A POSTROUTING -d $INTWEBSERVER1 -s $INTNET -p tcp \ --dport 80 -j SNAT --to 192.168.1.20 192.168.1.20 is the internal ip-address on the firewall. The first line is working fine (I can reach the server from the internet). But, the second line isn't doing what I hoped it would - the users on the LAN cannot use the outside URL to get to the internal webserver. tcpdump shows traffic going from the internal client -> external webserver-address and back, but nothing reaches the interal webserver. I noticed that the OUTPUT chain logged dropped packages from the internal client to the webserver, and this rule cleared that up: $IPTABLES -A OUTPUT -p tcp -o $INTIF -s $EXTWEBSERVER1 \ --sport 80 -d $INTNET -j ACCEPT But now, no packets are logged, and it's still not working. I'm guessing the POSTROUTING line need an appropriate FORWARD-rule... If so, what would it look like? - M
