Thank you for your replies. Oddly, after making the modifications, port 80 is showing up as filtered with "nmap", but no web pages are getting through. Also, ports are open that are not specified in the script. For example, the "nmap" results:

(The 1597 ports scanned but not shown below are in state: closed)
Port       State      Service
22/tcp     open       ssh
80/tcp     filtered   http
111/tcp    open       sunrpc
10000/tcp  open       snet-sensor-mgmt

There is nothing specified in the script for ports 22, 111, or 10000 to be open.

Viewing "iptables-save" output reveals:

# Generated by iptables-save v1.2.6a on Tue Apr 22 02:35:18 2003
*nat
:PREROUTING ACCEPT [3:600]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 64.161.179.58 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.20.28:80
-A POSTROUTING -o eth1 -j SNAT --to-source 64.161.179.58
COMMIT

How do I get public port 80 requests to go through the firewall and the requested http pages to be served back through the firewall to the public client that requests them? Also, how did these other ports become open?

Again, many thanks in advance.

James D. Parra
JamesP@xxxxxxxxxxxxxxxx

-----Original Message-----
From: Joel Newkirk [mailto:netfilter@xxxxxxxxxx]
Sent: Monday, April 21, 2003 4:26 PM
To: James D. Parra
Cc: Netfilter (E-mail)
Subject: Re: iptable woes

On Mon, 2003-04-21 at 17:55, James D. Parra wrote:
> Hello,
>
> Try as I may, I cannot get packets to go through the firewall from the
> public side to the private side. I have set up scripts that should work, as
> written from Netfilter, but there must be something I am overlooking.

Yep... ;^)

> # TCP Rules
> iptables -A INPUT -p TCP -i eth1 -s 0/0 --destination-port 1723 -j okay
> iptables -A INPUT -p tcp -i eth1 -s 0/0 --destination-port 80 -j okay

dport 80 not needed, since you're DNATting it anyway.

> # (4) FORWARD chain rules
> # Accept packets we want to forward
> iptables -A FORWARD -i eth0 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 1024:65535 -d PVT.XXX.XXX.XXX --dport 80 \
>     -m state --state NEW -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

This last is also unneeded, since you have a more general state rule just above it.

> # (6) PREROUTING chain rules
> iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 80 -d PUB.XXX.XXX.XXX --dport 80 \
>     -j DNAT --to-destination PVT.XXX.XXX.XXX:80
> iptables -t nat -A PREROUTING -p tcp -d --dport 1723 -j DNAT --to-destination PVT.XXX.XXX.XXX

Ah, the meat of the problem... You're matching ONLY packets with BOTH dport AND sport of 80... Drop the "--sport 80" part and you should be all set to serve http.

j
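The thread raises three things a defender would want to check mechanically in an iptables-save dump: a DNAT rule that also matches --sport (Joel's diagnosis), a DNAT target that no FORWARD rule accepts (a DROP in FORWARD answers nothing, which is exactly what nmap reports as "filtered"), and filter chains whose default policy is ACCEPT (then every service listening on the firewall host itself is reachable unless a rule blocks it). The following checker is an added example written for this page, not a netfilter tool and not code from either poster. It parses the iptables-save format (tables start with `*name`, chains with `:NAME POLICY`, rules with `-A`). NAT_TABLE is the nat table quoted in the mail above; the two filter tables, the function names (`audit`, `forward_allows`, `parse_save`) and the ALIASES table are constructed here and are not James's real ruleset.

```python
"""Audit an iptables-save dump for the port-forwarding pitfalls in the thread: DNAT
traffic no FORWARD rule accepts, a DNAT rule that also matches --sport, and filter
chains left at policy ACCEPT. Hypothetical checker written for this example."""
import ipaddress
import shlex

ALIASES = {'destination': 'd', 'source': 's', 'protocol': 'p', 'jump': 'j', 'in-interface': 'i',
           'out-interface': 'o', 'destination-port': 'dport', 'source-port': 'sport'}

def rule_to_dict(tokens):
    """Map the tokens of an '-A CHAIN ... -j TARGET' line to {option: value}."""
    rule, i = {'chain': tokens[1]}, 2
    while i < len(tokens):
        key = ALIASES.get(tokens[i].lstrip('-'), tokens[i].lstrip('-'))
        has_arg = i + 1 < len(tokens) and not tokens[i + 1].startswith('-')
        rule[key] = tokens[i + 1] if has_arg else True   # a bare '!' just becomes rule['!']
        i += 2 if has_arg else 1
    return rule

def parse_save(text):
    """Parse iptables-save output into {table: {'policies': {...}, 'rules': [...]}}."""
    tables, table = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('*'):            # comments, blank lines and COMMIT are skipped
            table = line[1:]
            tables[table] = {'policies': {}, 'rules': []}
        elif line.startswith(':'):
            name, policy = line[1:].split()[:2]
            tables[table]['policies'][name] = policy
        elif line.startswith('-A'):
            tables[table]['rules'].append(rule_to_dict(shlex.split(line)))
    return tables

def _in_net(ip, net):
    """True if ip lies inside the address[/mask] spec net; False if either is unparsable."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(str(net), strict=False)
    except ValueError:
        return False

def forward_allows(tables, in_if, proto, dst_ip, dst_port):
    """Would filter/FORWARD admit the first (NEW) packet of a flow arriving on in_if
    for dst_ip:dst_port, either by default policy or by a fitting ACCEPT rule?"""
    filt = tables.get('filter', {'policies': {}, 'rules': []})
    if filt['policies'].get('FORWARD') == 'ACCEPT':
        return True
    for r in filt['rules']:
        if r['chain'] != 'FORWARD' or r.get('j') != 'ACCEPT':
            continue
        if 'state' in r and 'NEW' not in str(r['state']).split(','):
            continue                        # ESTABLISHED,RELATED never admits the first packet
        if r.get('i', in_if) != in_if or str(r.get('p', proto)).lower() != proto:
            continue
        if ('d' not in r or _in_net(dst_ip, r['d'])) and r.get('dport', dst_port) == dst_port:
            return True
    return False

def audit(text):
    """Return a list of findings (strings) for an iptables-save dump."""
    tables, findings = parse_save(text), []
    for r in tables.get('nat', {'rules': []})['rules']:
        if r['chain'] != 'PREROUTING' or r.get('j') != 'DNAT':
            continue
        target = str(r.get('to-destination', ''))
        dst_ip, _, dst_port = target.partition(':')
        if 'sport' in r:
            findings.append(f"DNAT to {target} also matches source port {r['sport']}: "
                            "clients pick random source ports, so nearly none match")
        if not forward_allows(tables, r.get('i'), str(r.get('p', '')).lower(),
                              dst_ip, dst_port or r.get('dport')):
            findings.append(f"DNAT to {target}: no FORWARD rule accepts NEW traffic "
                            f"in via {r.get('i', 'any interface')}, so it is dropped")
    for chain, policy in tables.get('filter', {'policies': {}})['policies'].items():
        if chain in ('INPUT', 'FORWARD') and policy == 'ACCEPT':
            findings.append(f"filter {chain} policy is ACCEPT: whatever is not "
                            "explicitly blocked gets through")
    return findings

# NAT_TABLE is the nat table quoted in the mail; both filter tables are constructed here.
NAT_TABLE = """*nat
:PREROUTING ACCEPT [3:600]
-A PREROUTING -d 64.161.179.58 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.20.28:80
-A POSTROUTING -o eth1 -j SNAT --to-source 64.161.179.58
COMMIT
"""
BROKEN = NAT_TABLE + """*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""
FIXED = NAT_TABLE + """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.20.28 -m tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
"""
SPORT_BUG = FIXED.replace('--dport 80 -j DNAT', '--sport 80 --dport 80 -j DNAT')  # Joel's point
```

Running `audit(BROKEN)` reports two findings (the DNATed web traffic has no FORWARD rule admitting it on eth1, and INPUT defaults to ACCEPT), `audit(SPORT_BUG)` reports only the --sport match, and `audit(FIXED)` reports nothing. The checker only reasons about the first packet of a flow; the reply path still needs the ESTABLISHED,RELATED rule and the SNAT in POSTROUTING shown in the dump.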