Greg,

This might be real dump but do you have IP forwarding enabled? If you do then NAT isn't necessary between the LANs.

Gary

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Greg Cope
> Sent: Tuesday, January 25, 2005 2:07 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Help debugging iptables firewall....
>
> Bingo.
>
> Seemed to have solved it. I noticed that without the firewall running the following rule was in the stop section:
>
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
>
> Looking at the tcp dumps when it "worked" without the firewall the db server thought it was talking to the firewall.
>
> When the firewall was on the db server was failing to talk to the webserver, and the connection packet got through, but there never seemed to be an ack packet back out.
>
> I am a bit confused, but it seems to work now - which is good until tomorrow morning.
>
> Thanks for your help.
>
> Not sure what the right way to do it is. I suppose the LAN should be masqueraded to the DMZ hosts, as the DMZ hosts should not have detailed knowledge of the LAN side.
>
> Greg
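The two alternatives discussed in the thread (masquerading the LAN towards the DMZ, or simply routing between them with IP forwarding enabled, as Gary suggests), as an added shell example that is not part of the thread: one function reproduces the unscoped MASQUERADE rule Greg found, another emits a routed LAN/DMZ rule set that masquerades only what leaves on the Internet interface, and a check flags any MASQUERADE rule that is not scoped to that interface. The interface names and the DMZ subnet are assumptions; the functions print the commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the thread. Generates iptables command lines for a
# three-legged firewall (LAN, DMZ, WAN) so they can be reviewed before use.
LAN_IF=eth1;  LAN_NET=192.168.0.0/24    # LAN subnet is the one quoted in the thread
DMZ_IF=eth2;  DMZ_NET=10.0.1.0/24       # assumed DMZ interface and subnet
WAN_IF=eth0                             # assumed Internet-facing interface

# The rule Greg found in the stop section: it rewrites the source of every
# routed packet from the LAN, DMZ-bound ones included, so a DMZ host sees the
# firewall as the peer instead of the real LAN client.
masquerade_everything() {
    printf '%s\n' "iptables -t nat -A POSTROUTING -s $LAN_NET -j MASQUERADE"
}

# Routed alternative: forward LAN<->DMZ traffic without NAT (this needs
# net.ipv4.ip_forward=1), keep a DROP policy with explicit allows, and
# masquerade only traffic that leaves via the WAN interface.
routed_lan_dmz_rules() {
    printf '%s\n' \
      "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -P FORWARD DROP" \
      "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -j ACCEPT" \
      "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT" \
      "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
}

# Check a rule set (passed as one string): succeeds (exit 0) when it contains a
# MASQUERADE rule that is not restricted to the WAN interface with "-o $WAN_IF".
unscoped_masquerade() {
    printf '%s\n' "$1" | grep 'MASQUERADE' | grep -v -- "-o $WAN_IF" | grep -q .
}

# Usage: print the routed rule set and report on the rule from the thread.
routed_lan_dmz_rules
if unscoped_masquerade "$(masquerade_everything)"; then
    echo "warning: MASQUERADE rule applies to DMZ-bound LAN traffic as well"
fi
```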