thanks for the reply! unfortunately though when i added the rule, i still get no connection from the outside... although when i watch tcpdump, i see that the packet now gets one step further - whereas before, i would only see it come in from the outside and get dropped, now i see a packet sent to the internal webserver... but in my logs i still get the same error:

Mar 12 09:16:04 router IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=1.2.3.4 6 DST=10.0.0.3 LEN=44 TOS=0x10 PREC=0x00 TTL=47 ID=26103 DF PROTO=TCP SPT=46322 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

the other thing i notice - on a server where this is working - while watching tcpdump i notice different behavior. here is basically what i see on the internal interfaces:

1.1.1.1 = box on internet I'm trying to connect from
2.2.2.1 = external IP of old firewall
2.2.2.2 = external IP of new firewall

(old box)
eth0: <1.1.1.1> -> <2.2.2.1:80>
eth1: <10.0.0.15> -> <10.0.0.3:80>

(new box)
eth0: <1.1.1.1> -> <2.2.2.2:80>
eth1: <1.1.1.1> -> <10.0.0.3:80>

i don't even see it use the internal IP on the new firewall (10.0.0.12) while watching the traffic. the "old" box has a super simple rule, basically just sets up masquerading and then forwards port 80.

i hope this makes sense to someone! THANKS!!!!

--- Daniel Chemko <dchemko@xxxxxxxxxx> wrote:
> arif wrote:
> > Hi, I am having a hard time trying to figure out why
> > any packets I am trying to forward to my internal
> > network are being dropped. I am using the
> > 'rc.firewall' file that is included in the 'Iptables
> > Tutorial'
> > http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> >
> > Everything is fine, except I can't get any packets to
> > forward to an internal webserver here. I am using this
> > line:
> >
> > /sbin/iptables -t nat -A PREROUTING --dst 1.2.3.4 -p
> > tcp --dport 80 -j DNAT --to-destination 10.0.0.3:80
> >
> > When I look at the packet count doing iptables -t nat
> > -L -v I can see the packet count go up on that rule,
> > every time i try and connect to port 80. But in my
> > logs, I see that it matched a logging rule, and shows
> > up as 'IPT FORWARD packet died', so i guess it is
> > ending prematurely in the forward chain? Any help
> > would be greatly appreciated!!! THANKS!!!
>
> NATing does not bypass the filter rules. So, insert this:
>
> iptables -A FORWARD --destination 10.0.0.3 -p tcp --dport 80 -j ACCEPT
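The point Daniel makes, that a DNATed packet still has to pass the filter table's FORWARD chain, can be checked directly against the LOG line in the message: by the time the packet is logged its DST is already the internal host 10.0.0.3, so the NAT rule did its job and the drop is in FORWARD. The following is an added example, not code from the thread or from the iptables tutorial: a small parser for iptables LOG-target lines and a walker that models a FORWARD chain top to bottom, so you can see which rule a logged packet hits. The chain named TUTORIAL_FORWARD is an assumed rough model of the tutorial's chain (LAN side allowed out, a catch-all LOG, then the DROP policy; its conntrack state matches are not modelled), and the sample log line is the one quoted above, reproduced verbatim.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the LOG line quoted in the message above, kept verbatim
# (including the odd "SRC=1.2.3.4 6" token, which the parser simply tolerates).
SAMPLE_LOG = (
    "Mar 12 09:16:04 router IPT FORWARD packet died: IN=eth0 OUT=eth1 "
    "SRC=1.2.3.4 6 DST=10.0.0.3 LEN=44 TOS=0x10 PREC=0x00 TTL=47 ID=26103 "
    "DF PROTO=TCP SPT=46322 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0"
)


def parse_ipt_log(line: str) -> dict:
    """Split an iptables LOG-target line into its KEY=VALUE fields.

    Bare tokens (DF, SYN, ...) go into a 'flags' set; everything before the
    first IN= is the syslog header plus --log-prefix and is kept as 'prefix'.
    """
    m = re.search(r"\bIN=", line)
    if m is None:
        raise ValueError("not an iptables LOG line: %r" % line)
    fields = {"prefix": line[: m.start()].rstrip(), "flags": set()}
    for tok in line[m.start():].split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            fields["flags"].add(tok)
    return fields


@dataclass
class Rule:
    """A filter-table rule with the matches that matter for this thread."""
    target: str                       # ACCEPT, DROP, or the non-terminating LOG
    in_iface: Optional[str] = None    # -i
    out_iface: Optional[str] = None   # -o
    dst: Optional[str] = None         # -d / --destination
    proto: Optional[str] = None       # -p
    dport: Optional[int] = None       # --dport

    def matches(self, pkt: dict) -> bool:
        wanted = [
            (self.in_iface, pkt.get("IN")),
            (self.out_iface, pkt.get("OUT")),
            (self.dst, pkt.get("DST")),
            (self.proto, pkt.get("PROTO", "").lower()),
            (None if self.dport is None else str(self.dport), pkt.get("DPT")),
        ]
        # An unset match means "any"; every set match has to agree.
        return all(want is None or want == have for want, have in wanted)


def walk_forward(pkt: dict, chain: list, policy: str = "DROP") -> tuple:
    """Walk a FORWARD chain top to bottom the way iptables does.

    Returns (verdict, logged): the first terminating target hit (or the chain
    policy), and whether a LOG rule fired on the way.  LOG never terminates.
    """
    logged = False
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged = True
            continue
        return rule.target, logged
    return policy, logged


# Assumption: a rough model of the tutorial's FORWARD chain as the log shows it
# (LAN side allowed out, everything else logged and then dropped by policy).
# The real rc.firewall also has conntrack state matches, not modelled here.
TUTORIAL_FORWARD = [
    Rule("ACCEPT", in_iface="eth1"),   # traffic arriving on the LAN interface
    Rule("LOG"),                       # catch-all "IPT FORWARD packet died"
]

# Daniel's suggested rule, in Rule form.
DNAT_ACCEPT = Rule("ACCEPT", dst="10.0.0.3", proto="tcp", dport=80)


def verdict_for(line: str, chain: list) -> tuple:
    """Parse a LOG line and report what the given FORWARD chain does with it."""
    return walk_forward(parse_ipt_log(line), chain)


if __name__ == "__main__":
    pkt = parse_ipt_log(SAMPLE_LOG)
    print("after DNAT the packet is already addressed to", pkt["DST"],
          "-> the drop happens in filter/FORWARD, not in nat/PREROUTING")
    print("original chain:     ", verdict_for(SAMPLE_LOG, TUTORIAL_FORWARD))
    print("-I (insert at top): ", verdict_for(SAMPLE_LOG, [DNAT_ACCEPT] + TUTORIAL_FORWARD))
    print("-A (append at end): ", verdict_for(SAMPLE_LOG, TUTORIAL_FORWARD + [DNAT_ACCEPT]))
```

Running it shows the three outcomes a practitioner cares about when reading such a line: with the unmodified chain the SYN is logged and then dropped by policy; with the ACCEPT inserted at the top (iptables -I) it is accepted and no log line is written; with the ACCEPT appended after the catch-all LOG rule (iptables -A, as in the suggestion) it is still accepted but the "packet died" line keeps appearing, because LOG is non-terminating. So the presence of the log line alone does not tell you whether the packet was dropped; the position of the ACCEPT relative to the LOG rule does, and iptables -L FORWARD -v --line-numbers shows that order.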