We know from the message that we fell off of the end of the FORWARD chain (because the --log-prefix "FORWARD blocked: " is the only one to match the message).

Carlos Pastorino wrote:
$IPTABLES -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $DMZ_IFACE -s $DMZ_RANGE -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $DMZ_IFACE -o $INET_IFACE -s $DMZ_RANGE -d 0/0 --syn --dport domain -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $DMZ_IFACE -o $INET_IFACE -s $DMZ_RANGE -d 0/0 --syn --dport ftp -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $DMZ_IFACE -o $INET_IFACE -s $DMZ_RANGE -d 0/0 --syn --dport http -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $DMZ_IFACE -o $INET_IFACE -s $DMZ_RANGE -d 0/0 --syn --dport smtp -j ACCEPT
$IPTABLES -A FORWARD -p UDP -i $DMZ_IFACE -o $INET_IFACE -s $DMZ_RANGE -d 0/0 --dport domain -j ACCEPT
$IPTABLES -A FORWARD -p UDP -i $DMZ_IFACE -o $INET_IFACE -s $DMZ_RANGE -d 0/0 --dport ntp -j ACCEPT
[deleted a bunch of drop and log rules; these aren't the problem]
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -s 0/0 -j pre_analysis
I'm removing lines that deal with ports other than http.
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -s $MONITORING -d $DMZ_RANGE -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -s 0/0 -d $DMZ_WEBSERVER --syn --dport http -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -s 0/0 -d $DMZ_WEBSERVER --syn --dport https -j ACCEPT
[SOME FORWARD LINES SUPPRESSED]
$IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD blocked: "
Unfortunately, you've needed to obscure the actual IP addresses (I understand), but I can't match the 'customerip' and 'webserverip' to the ${variables} above because I don't know the actual values for any of them. Try to walk through the rules in your FORWARD chain using the IP addresses you've captured and identify the rule you believe should allow these ACK packets to go out.
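The rule walk suggested above can be done mechanically. The following is an added example, not code from this thread or from Carlos's script: it parses a netfilter LOG line into the fields netfilter actually matched on, then runs the packet through a model of the quoted FORWARD chain in order and reports which rule (by position in the quoted list) gave the verdict, or that the packet fell off the end. The interface names, addresses and both log lines are constructed, the $VARIABLES are given made-up values, the pre_analysis chain (not quoted) is treated as returning with no verdict, and the conntrack state is passed in by hand because the LOG line does not record it.

```python
"""Walk a logged packet through a model of the quoted FORWARD chain.

Added example, not code from the original thread.  The interface names,
addresses and log lines are constructed, and the $VARIABLES from the
quoted script are given made-up values so the rules can be evaluated.
The pre_analysis chain is not quoted, so it is modelled as returning
without a verdict; the policy of the FORWARD chain is likewise unknown.
"""
import ipaddress
import re

# Constructed stand-ins for the variables in the quoted script.
INET_IFACE = "eth0"
DMZ_IFACE = "eth1"
DMZ_RANGE = "10.10.10.0/24"
DMZ_WEBSERVER = "10.10.10.80/32"
MONITORING = "203.0.113.5/32"
ANY = "0.0.0.0/0"   # what '-s 0/0' and '-d 0/0' mean in the quoted rules

# Service names the quoted rules pass to --dport, as /etc/services resolves them.
SERVICES = {"domain": 53, "ftp": 21, "smtp": 25, "http": 80, "https": 443, "ntp": 123}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Extract the fields a rule walk needs from a netfilter LOG line.

    SRC and DST must be present; other missing fields come back as '' or None.
    'syn' reproduces the iptables --syn match: SYN set, ACK/RST/FIN clear.
    """
    head, _, tail = line.partition("IN=")
    kv = dict(re.findall(r"([A-Z]+)=(\S*)", "IN=" + tail))
    flags = {tok for tok in tail.split() if tok in TCP_FLAGS}   # bare tokens like 'ACK'
    return {
        "prefix": head.split("kernel:", 1)[-1].strip(),
        "in": kv.get("IN", ""),
        "out": kv.get("OUT", ""),
        "src": ipaddress.ip_address(kv["SRC"]),
        "dst": ipaddress.ip_address(kv["DST"]),
        "proto": kv.get("PROTO", "").upper(),
        "spt": int(kv["SPT"]) if "SPT" in kv else None,
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
        "flags": flags,
        "syn": "SYN" in flags and not flags & {"ACK", "RST", "FIN"},
    }


def rule(target, proto=None, i=None, o=None, s=None, d=None,
         syn=False, dport=None, state=()):
    """One FORWARD rule; None/False/() means the rule carries no such match."""
    return {"target": target, "proto": proto, "i": i, "o": o,
            "s": ipaddress.ip_network(s) if s else None,
            "d": ipaddress.ip_network(d) if d else None,
            "syn": syn, "dport": SERVICES.get(dport, dport), "state": set(state)}


# The quoted FORWARD chain in order; rule numbers in walk() results follow it.
FORWARD = [
    rule("ACCEPT", state=("ESTABLISHED", "RELATED")),
    rule("ACCEPT", proto="ICMP", i=DMZ_IFACE, s=DMZ_RANGE),
    *(rule("ACCEPT", proto="TCP", i=DMZ_IFACE, o=INET_IFACE, s=DMZ_RANGE, d=ANY,
           syn=True, dport=p) for p in ("domain", "ftp", "http", "smtp")),
    *(rule("ACCEPT", proto="UDP", i=DMZ_IFACE, o=INET_IFACE, s=DMZ_RANGE, d=ANY,
           dport=p) for p in ("domain", "ntp")),
    rule("pre_analysis", proto="TCP", i=INET_IFACE, s=ANY),   # user chain, not quoted
    rule("ACCEPT", proto="ICMP", i=INET_IFACE, o=DMZ_IFACE, s=MONITORING, d=DMZ_RANGE),
    *(rule("ACCEPT", proto="TCP", i=INET_IFACE, o=DMZ_IFACE, s=ANY, d=DMZ_WEBSERVER,
           syn=True, dport=p) for p in ("http", "https")),
    rule("LOG"),   # --log-prefix "FORWARD blocked: "; LOG does not end the walk
]


def matches(r, pkt, state):
    """True when every match the rule carries agrees with the packet."""
    return ((r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["i"] is None or r["i"] == pkt["in"])
            and (r["o"] is None or r["o"] == pkt["out"])
            and (r["s"] is None or pkt["src"] in r["s"])
            and (r["d"] is None or pkt["dst"] in r["d"])
            and (not r["syn"] or pkt["syn"])
            and (r["dport"] is None or pkt["dpt"] == r["dport"])
            and (not r["state"] or state in r["state"]))


def walk(chain, pkt, state):
    """Traverse the chain the way netfilter does.

    'state' is the conntrack state (NEW, ESTABLISHED, RELATED or INVALID); it is
    not in the LOG line, so the caller supplies it.  ACCEPT/DROP/REJECT end the
    walk; LOG and the user-chain jump are recorded in 'passed' and traversal
    continues.  Falling off the end yields the verdict 'POLICY'.
    """
    passed = []
    for idx, r in enumerate(chain, 1):
        if not matches(r, pkt, state):
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return {"verdict": r["target"], "rule": idx, "passed": passed}
        passed.append((idx, r["target"]))
    return {"verdict": "POLICY", "rule": None, "passed": passed}


# Constructed: the web server's ACK heading back out, as the LOG rule would record it.
SAMPLE_LOG = ("Jan 10 12:34:56 fw kernel: FORWARD blocked: IN=eth1 OUT=eth0 "
              "SRC=10.10.10.80 DST=198.51.100.23 LEN=52 TOS=0x00 PREC=0x00 TTL=63 "
              "ID=4711 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=5840 RES=0x00 ACK URGP=0")
# Constructed: the customer's opening SYN, written in the same field syntax.
SAMPLE_SYN = "IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=10.10.10.80 PROTO=TCP SPT=51234 DPT=80 SYN"

if __name__ == "__main__":
    ack = parse_log_line(SAMPLE_LOG)
    for st in ("ESTABLISHED", "INVALID"):
        print(f"ACK out of DMZ, conntrack says {st}:", walk(FORWARD, ack, st))
    print("SYN in from customer, NEW:", walk(FORWARD, parse_log_line(SAMPLE_SYN), "NEW"))
```

Run against the constructed lines, the walk shows what the quoted rules permit: the customer's SYN is accepted by the `--dport http` rule into the web server after passing through the pre_analysis jump, and the web server's reply ACK is accepted by rule 1 only when conntrack classes it as ESTABLISHED. If conntrack does not (the walk is repeated with INVALID to show this), the ACK matches nothing else, since every other DMZ-to-Internet TCP rule requires `--syn`, and it reaches only the LOG rule before falling off the end. That is the check the reply is asking for: find the rule that should carry the ACK, then confirm the packet really satisfies each of its matches, including the state.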