On Friday 21 November 2003 2:46 pm, Carlos Alberto Peláez Ayala wrote:

> Dear friends,
>
> I have an IBM Netvista box with Red Hat Linux 9.0, kernel 2.4.20-8 and
> iptables 1.2.7a.
>
> I have an internal web server at the address 192.168.1.5 and I am trying to
> access the page of this server from the Internet using the reverse NAT
> properties of iptables across my firewall.
>
> This is my schema:
>
> |-------------|        |--------------|        |--------------|
> |  INTERNET   |--------|   FIREWALL   |--------|     WEB      |
> |             |        |              |        |    SERVER    |
> |-------------|        |--------------|        |--------------|
>
>                eth0=200.3.192.127   eth1=192.168.1.2     192.168.1.5
>
> When I try to access the web page of my internal web server from the
> Internet (http://200.3.192.127), the page never loads. I can see that the
> NAT and reverse NAT are not in operation.

How can you see this? What are you checking?

My advice is to keep things simple (*much* simpler than the ruleset you posted, unless you're absolutely certain that everything in there is (a) needed and (b) working correctly, except for the little bit you're adding to do HTTP DNAT) so that it's easy to pinpoint the bit that's not working.

I also notice you have an impressive mix of INPUT, OUTPUT and FORWARD rules in your ruleset - far more INPUT and OUTPUT stuff than I would expect for a routing firewall. Please make sure you've understood which packets go through INPUT and which packets go through FORWARD (http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES is an excellent reference for this information), and remove (or at least comment out) any rules which you don't actually need in your configuration.

By the way, for what it's worth, I did find the DNAT and FORWARD rules in your ruleset which I would expect to work and do the job you want, but there was so much other stuff besides that there could easily be something else getting in the way and messing things up.
You may benefit from printing out a listing of your rules in the order they exist in the tables (iptables -L -n -v -x and iptables -L -t nat -n -v -x) and simply going through them in order, checking that an incoming HTTP request and the corresponding response get matched against the rules you expect them to.

Hope this helps,

Antony.

-- 
The truth is rarely pure, and never simple. - Oscar Wilde

Please reply to the list; please don't CC me.
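The "keep it simple" ruleset Antony describes, written out as an added example that is not part of the original thread and not Carlos's posted ruleset. It assumes the addresses and interface names from the diagram (eth0 = 200.3.192.127 on the Internet side, eth1 = 192.168.1.2 on the LAN side, web server 192.168.1.5) and a 2.4-era iptables with the state match. DRY_RUN=1 (the default) prints the commands instead of executing them, so the rules can be read through in order before being applied as root; the `list_rules` helper issues the two listing commands from the reply.

```shell
#!/bin/sh
# Minimal HTTP DNAT through a two-interface Linux firewall (added example).
# Values below are taken from the diagram in the thread; change them to match your box.
EXT_IF=eth0
EXT_IP=200.3.192.127
INT_IF=eth1
WEB_IP=192.168.1.5
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only, 0 = run them (needs root)

# Wrapper so every rule can be reviewed before it touches the kernel.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Packets for the web server are routed between eth0 and eth1, which only
# happens when IP forwarding is switched on; without it FORWARD is never consulted.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# The three rules that actually do the job.  Everything else in a routing
# firewall's INPUT/OUTPUT chains is irrelevant to this traffic path.
minimal_dnat_rules() {
    # 1. nat/PREROUTING runs before the routing decision: rewrite the destination
    #    of inbound TCP/80 on the external interface to the internal web server.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP"
    # 2. filter/FORWARD sees the packet *after* DNAT, so match on the internal
    #    address, not on $EXT_IP.  Only new and established HTTP flows are let in.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WEB_IP" -p tcp --dport 80 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # 3. Replies come back through FORWARD in the other direction; the kernel
    #    un-DNATs them automatically, but they still need a FORWARD ACCEPT.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$WEB_IP" -p tcp --sport 80 \
        -m state --state ESTABLISHED -j ACCEPT
    # If your FORWARD policy is DROP (sensible), LAN-to-Internet traffic needs
    # its own ACCEPT/MASQUERADE rules; they are outside the scope of this example.
}

# Print the rules in table order, as suggested in the reply, so an incoming
# request and its response can be walked through rule by rule.
list_rules() {
    ipt -L -n -v -x
    ipt -L -t nat -n -v -x
}

# Stand-alone usage: DRY_RUN=1 sh this_script.sh  (review), then DRY_RUN=0 as root.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "dash" ] && [ "${0##*/}" != "bash" ]; then
    enable_forwarding
    minimal_dnat_rules
    list_rules
fi
```

The point worth checking against your own listing is rule 2: the FORWARD rule must match the post-DNAT destination (192.168.1.5), because by the time the packet reaches the filter table the public address is gone. A FORWARD rule written against 200.3.192.127 is the commonest reason a DNAT "is not in operation" even though the nat rule itself is correct.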