I would recommend that you put a log entry for the protocol(s) or IP to IP connections that you want to debug across the DMZ. I did this while trying to debug some IPSEC traffic.

-A FORWARD -p tcp -m tcp --dport 1433 -j LOG --log-prefix "MySQL [tcp]: " --log-level 1
-A FORWARD -p udp -m udp --dport 1433 -j LOG --log-prefix "MySQL [udp]: " --log-level 1

Put this at the beginning of the chain (tweak it for whatever DB you need) and then just watch the calls to make sure that you are seeing the flow that you want. When you are done, move them down to the end of the chain; if they are still hitting then you are losing packets.

BTW, are you running pinholes (point to point IP for each port you want open)? What DB?

Gary Wayne Smith

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Greg Cope
Sent: Tuesday, January 25, 2005 8:54 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Help debugging iptables firewall....

Hi All,

I have a 3 interface firewall (internet, dmz, lan). For some reason a dmz host can no longer ssh or connect to a DB server on the lan (it could before). Nothing seems to get logged with a $IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD DENY: " rule. And when I disable the FW and enable the plain routing it seems to be able to connect ok.

At a loss as to why this would not work without logging something.

Firewall and Webserver are FC1, DB server is Redhat AS3.

Could someone suggest some ideas on debugging this?

Any ideas gratefully received.

Greg
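The reply above suggests logging the DB flow at the top of the FORWARD chain, then moving the same LOG rule to the end and checking whether it still fires. The script below is an added example, not code from either poster: it parses kernel-log lines in the format the iptables LOG target emits and counts packets per (log prefix, flow), then reports the flows that were still logged at the end of the chain. The sample log lines are constructed for the example, and the "MySQL-end [tcp]: " prefix is a hypothetical name for the rule after it has been moved to the end of the chain; neither appears in the thread.

```python
"""Summarise iptables LOG output to see which flows hit a chain and where.

Constructed input: kernel-log lines shaped like the iptables LOG target's
output (a free-text prefix followed by KEY=VALUE fields).  The prefixes
"MySQL [tcp]: " / "MySQL [udp]: " match the rules quoted in the reply;
"MySQL-end [tcp]: " is a hypothetical prefix for the same rule once it has
been moved to the end of the FORWARD chain.
"""
import re
from collections import Counter

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
Jan 25 09:12:01 fw kernel: MySQL [tcp]: IN=eth1 OUT=eth2 SRC=192.168.10.5 DST=10.0.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=44321 DPT=1433 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 25 09:12:01 fw kernel: MySQL-end [tcp]: IN=eth1 OUT=eth2 SRC=192.168.10.5 DST=10.0.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=44321 DPT=1433 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 25 09:12:03 fw kernel: MySQL [tcp]: IN=eth1 OUT=eth2 SRC=192.168.10.5 DST=10.0.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=44322 DPT=1433 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 25 09:12:05 fw kernel: FORWARD DENY: IN=eth1 OUT=eth2 SRC=192.168.10.7 DST=10.0.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 25 09:12:06 fw kernel: MySQL [udp]: IN=eth1 OUT=eth2 SRC=192.168.10.5 DST=10.0.0.20 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=4 PROTO=UDP SPT=5000 DPT=1433 LEN=20
"""

# The LOG target prints the prefix immediately before the first "IN=" field.
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")
# KEY=VALUE tokens; bare flags such as DF or SYN are simply skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return (prefix, fields) for an iptables LOG line, or None otherwise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    prefix = m.group("prefix").strip()
    fields = dict(FIELD_RE.findall("IN=" + m.group("rest")))
    return prefix, fields


def flow_key(fields):
    """Identify a flow by interfaces, endpoints, protocol and destination port."""
    return (fields.get("IN"), fields.get("OUT"), fields.get("SRC"),
            fields.get("DST"), fields.get("PROTO"), fields.get("DPT"))


def count_flows(log_text):
    """Count logged packets per (prefix, flow) across all lines."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed:
            prefix, fields = parsed
            counts[(prefix, flow_key(fields))] += 1
    return counts


def unmatched_flows(counts, top_prefix, end_prefix):
    """Flows logged at the end of the chain: they were seen at the top but
    matched no ACCEPT rule in between, i.e. the packets the reply calls lost.
    Returns {flow: (hits_at_top, hits_at_end)}."""
    result = {}
    for (prefix, flow), n in counts.items():
        if prefix == end_prefix and n > 0:
            result[flow] = (counts.get((top_prefix, flow), 0), n)
    return result


if __name__ == "__main__":
    counts = count_flows(SAMPLE_LOG)
    for (prefix, flow), n in sorted(counts.items()):
        print(f"{n:4d}  {prefix:18s} {flow}")
    lost = unmatched_flows(counts, "MySQL [tcp]:", "MySQL-end [tcp]:")
    for flow, (top, end) in lost.items():
        print(f"reached end of chain: {flow}  top={top} end={end}")
```

Run it against `/var/log/messages` (or `dmesg` output) instead of the constructed sample to see whether the DB flow reaches the chain at all; a flow that is counted under the top-of-chain prefix but never under the end-of-chain prefix was accepted by a rule in between, while one that shows up under both fell through every ACCEPT rule.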