On September 1, 2004 01:53 pm, Tom wrote:
> Hi,
>
> I have a linux firewall (iptables), and a linux server with apache
> behind that firewall. My provider blocks ports below 1024, so I have a
> prerouting-rule that redirects traffic like this:
>
> $IPTABLES -A PREROUTING -t nat -i $WWW -p tcp -d $EXTIP --dport 8888 -j
> DNAT --to $SERVER:80
>
> I also have 2 forward-rules:
>
> $IPTABLES -A FORWARD -i $WWW -o $LAN -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -o $WWW -p tcp --sport 80 -j ACCEPT
>
> and I have these two lines to allow my local PCs to connect to the
> firewall with ssh and stuff like that:
> $IPTABLES -A INPUT -i $LAN -s $INTLAN -j ACCEPT
> $IPTABLES -A OUTPUT -o $LAN -d $INTLAN -j ACCEPT
>
>
> where:
> $EXTIP = my external IP address
> $WWW is eth1
> $LAN is eth0
> $SERVER = my server's internal IP address.
> $INTLAN = "192.168.0.0/24"
>
> This works really well when I try to connect from the outside to my
> webserver. But, if I try to connect to http://myserver.com:8888 from the
> internal network (or from my server itself), I always get 'connection
> refused'. I'm pretty sure I need some other rules, but can someone
> please help me in the good direction here? Thanks a lot!!

Your inbound DNAT rule doesn't translate connections from the LAN. (-i $WWW)

IF you want to do this without a DMZ (*not a good thing*) you will need to both DNAT and SNAT the connections from the LAN to the webserver. i.e. DNAT the connection from the LAN to the webserver as in the (-i $WWW rule) AND SNAT the connection on the way to the webserver to come back to the LAN IP of the firewall.

Better to follow Jason's advice, create a virtual DMZ and route through to that.

>
>
> PS: Here's a little drawing of the situation:
>
> SERVER (eth0) <----> (eth0) GATEWAY-PC (eth1) <----> internet
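The DNAT-plus-SNAT ("hairpin NAT") rules the reply describes for LAN hosts reaching the webserver via the external address, written out as an added example that is not from this thread. $FWLANIP (the firewall's own eth0 address), the placeholder addresses and the IPTABLES=echo dry-run default are assumptions; set IPTABLES=/sbin/iptables to apply the rules for real.

```sh
# Added example, not from the thread. Default is a dry run that only prints
# the rules; IPTABLES=/sbin/iptables applies them (needs root).
IPTABLES=${IPTABLES:-echo}

WWW=eth1
LAN=eth0
EXTIP=${EXTIP:-203.0.113.10}      # constructed placeholder external IP
SERVER=${SERVER:-192.168.0.10}    # constructed placeholder webserver IP
FWLANIP=${FWLANIP:-192.168.0.1}   # assumed: the firewall's address on eth0
INTLAN=192.168.0.0/24

hairpin_rules() {
    # 1. DNAT: LAN clients (the webserver itself included, since it sits in
    #    $INTLAN) hitting $EXTIP:8888 are redirected to the server, mirroring
    #    the existing -i $WWW rule but for packets arriving on the LAN side.
    $IPTABLES -t nat -A PREROUTING -i "$LAN" -s "$INTLAN" -d "$EXTIP" \
        -p tcp --dport 8888 -j DNAT --to-destination "$SERVER:80"
    # 2. SNAT: rewrite the client's source to the firewall's LAN IP. Without
    #    this the server answers the client directly from $SERVER:80, which
    #    the client never connected to, so the reply is refused/reset.
    $IPTABLES -t nat -A POSTROUTING -o "$LAN" -s "$INTLAN" -d "$SERVER" \
        -p tcp --dport 80 -j SNAT --to-source "$FWLANIP"
    # 3. FORWARD: the existing rules only match -i $WWW/-o $LAN pairs, but a
    #    hairpinned connection enters and leaves on eth0, so allow just the
    #    webserver port in that direction and its established replies.
    $IPTABLES -A FORWARD -i "$LAN" -o "$LAN" -s "$INTLAN" -d "$SERVER" \
        -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN" -o "$LAN" -s "$SERVER" -d "$INTLAN" \
        -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
}

hairpin_rules
```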