Quoting Joel Newkirk (netfilter@newkirk.us):

[...]

| It should be:
|
| $IPTABLES -A FORWARD -p tcp -d $INTWEBSERVER1 --dport 80 \
|     -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Yes, I quoted the wrong part. Sorry about that. I had the line you mention in my script.

| FORWARD because after DNAT has done its job this traffic is no longer
| addressed to the firewall box. $INTWEBSERVER1 for the same reason.

Yes... :

| And skip the "-i $EXTIF" to ensure it matches connections from the LAN as
| well as 'outside' clients.

Doh!!! :) That's what I get for copying a line that would forward connections from the internet to an internal webserver, and leaving it like that when trying to forward traffic from the internal net as well. So obvious (now).

| > PREROUTING:
| > $IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTWEBSERVER1 -p tcp \
| >     --dport 80 -j DNAT --to $INTWEBSERVER1
|
| Again, you might want to drop the "-i $EXTIF" part... :)

| > $IPTABLES -t nat -A POSTROUTING -d $INTWEBSERVER1 -s $INTRANET -p tcp \
| >     --dport 80 -j SNAT --to-source 192.168.1.20
|
| This part looks fine as-is.

And now the rest looks fine too. Thank you, Joel, for seeing what I couldn't! :) And thanks to Pavan Gokarn, for helping me to debug my script!

- M
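The three rules the thread converges on, put together as one script so the hairpin (LAN-side) case can be checked. This is an added example, not the poster's script or Joel's; the public address, the LAN range, the web server address and the interface-free rule shape are assumed placeholders chosen for illustration, with only 192.168.1.20 taken from the thread as the firewall's LAN address. By default it prints the rules instead of loading them.

```shell
#!/bin/sh
# Forward TCP/80 on the public address to an internal web server so that it
# works for clients on the internet AND for clients on the LAN (hairpin NAT).
# Added example, not the original poster's script. Every address except
# 192.168.1.20 (the firewall's LAN address from the thread) is an assumed
# placeholder. Needs net.ipv4.ip_forward=1 and root to apply for real.

IPTABLES="${IPTABLES:-iptables}"                 # left unquoted below so a dry-run value can split
EXTWEBSERVER1="${EXTWEBSERVER1:-203.0.113.10}"   # assumption: public IP (TEST-NET-3)
INTWEBSERVER1="${INTWEBSERVER1:-192.168.1.80}"   # assumption: LAN web server
INTRANET="${INTRANET:-192.168.1.0/24}"           # assumption: LAN range
LANIP="${LANIP:-192.168.1.20}"                   # firewall's LAN-side address

forward_web() {
    # 1. DNAT in PREROUTING. No "-i $EXTIF": a LAN client that connects to
    #    the public address arrives on the LAN interface and must be
    #    rewritten too; otherwise the packet is addressed to a local address
    #    of the firewall and ends up in INPUT, never at the web server.
    $IPTABLES -t nat -A PREROUTING -d "$EXTWEBSERVER1" -p tcp --dport 80 \
        -j DNAT --to-destination "$INTWEBSERVER1"

    # 2. Accept in FORWARD, matching the internal address: after DNAT the
    #    packet is no longer addressed to the firewall, so INPUT never sees
    #    it. Again no "-i", for the same reason as above.
    $IPTABLES -A FORWARD -p tcp -d "$INTWEBSERVER1" --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # 3. Hairpin SNAT for LAN-originated connections only. Without it the
    #    server answers the LAN client directly on the LAN; the client sees
    #    a SYN-ACK from 192.168.1.80 instead of the public address it sent
    #    its SYN to and rejects it. Rewriting the source to the firewall's
    #    LAN address forces the reply back through the firewall, which holds
    #    the conntrack entry and undoes both NATs. The cost is that the
    #    server logs the firewall, not the client, as the peer.
    $IPTABLES -t nat -A POSTROUTING -d "$INTWEBSERVER1" -s "$INTRANET" \
        -p tcp --dport 80 -j SNAT --to-source "$LANIP"
}

# Print the rules instead of loading them (subshell keeps IPTABLES local).
dry_run() {
    ( IPTABLES='echo iptables'; forward_web )
}

# The check raised in the thread: neither the DNAT rule nor the FORWARD rule
# may be pinned to an interface with "-i", or LAN clients never match it.
# Returns 0 when the generated rule set is clean.
lan_reachable() {
    ! dry_run | grep -E '^iptables (-t nat -A PREROUTING|-A FORWARD) ' | grep -q -- ' -i '
}

case "${1:-}" in
    apply) forward_web ;;   # load the rules for real
    *)     dry_run ;;       # default: just show them
esac
```

Run it without arguments to see the rules, with `apply` to load them. Order relative to the rest of a firewall script still matters: the FORWARD ACCEPT has to precede any default DROP in that chain, and a MASQUERADE rule restricted to `-o $EXTIF` does not cover the hairpin case, because the rewritten packet leaves on the LAN interface, so the explicit SNAT stays.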