On Sun, 2012-09-02 at 13:48 +0200, mabra@xxxxxxxxxxxx wrote:
> Ok, configured Outlook to make better replies ;-)

Good stuff, although my previous comment still stands :)

> #from extern to apache [apache using 192.168.2.254]:
> $IPTABLES -t nat -A PREROUTING -i eth1 -d $EXTADDR -p tcp --dport 80 -j DNAT --to-destination $INTADDR
>
> #from LAN machines [coming from 192.168.2.0/24]:
> $IPTABLES -t nat -A PREROUTING -i eth0 -d $EXTADDR -p tcp --dport 80 -j DNAT --to-destination $INTADDR

Why are you using DNAT here? Does Apache not respond to each IP address that
the server has? Have you set Apache to listen on all interfaces/IP addresses?
(See the "Listen" directive.)

> This works fine. But if I am logged onto the firewall machine and use
> iceweasel interactively [on the gnome desktop] and/or curl/wget from
> a cron job, this fails. I get a request timeout. This, in turn, may indicate
> that I am missing a backward rule.

Possibly you are dropping traffic from the local network device. To check
whether this is the case, I recommend temporarily removing *all* iptables
rules (and setting the default policy to ACCEPT). If it then starts working,
you know that the problem is that you are dropping packets somewhere with
netfilter. The output of "iptables-save" would be useful at this point.

> Thank you for your replies so far!!

No problem.

> > A process running on the same machine that iptables is running on.
> > Packets to/from the local process will go via the INPUT/OUTPUT chains instead
> > of FORWARD.
>
> From network programming, a process must bind to an ip-address or
> interface. Does your statement mean that routing never happens in the
> local machine?

The packets will still traverse the various parts of the network stack, but
I guess there isn't really routing as such to do, although there's nothing to
stop you forcing routing to a network outside of your machine.

> If there is routing, then there is the POSTROUTING's SNAT
> which would help me. I am just thinking about making an additional interface,
> say, "eth0:0=192.168.1.1". In this case, can I have iptables route the
> packet to this interface? Then this would be another network!

I'm not sure I understand. I think you are complicating the problem
unnecessarily. If you want to access local processes via networking on the
local machine, then there is no need for fancy routing or address translation.

Andy

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
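The diagnosis Andy suggests above (look at the iptables-save output for something that drops the firewall's own traffic) can be scripted. The following is an added example, not code from the thread or from either poster. It takes an iptables-save dump on stdin and reports the filter INPUT/OUTPUT policies, whether an explicit loopback accept rule exists, and which ports are DNATed only in nat PREROUTING. That last check matters for the poster's setup: packets generated on the firewall itself never pass through PREROUTING or FORWARD; they go through nat OUTPUT, then filter OUTPUT, and for a service on the same box come back in on lo through filter INPUT. The embedded dump is a constructed sample resembling the poster's rules; 203.0.113.10 and 192.168.2.254 are assumptions standing in for $EXTADDR and $INTADDR.

```shell
#!/bin/sh
# Added example (not from the thread). Real use:  iptables-save | sh check_local_path.sh
# Parses iptables-save syntax: "*table", ":CHAIN POLICY [pkts:bytes]", "-A CHAIN ...", "COMMIT".

# Constructed sample dump, not a real capture. Addresses are assumptions.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.254
-A PREROUTING -i eth0 -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.254
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -d 192.168.2.254/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT'

# Print the default policy of CHAIN in TABLE.
chain_policy() {   # chain_policy TABLE CHAIN < dump
    awk -v t="$1" -v c="$2" '
        /^\*/                      { table = substr($0, 2) }
        table == t && $1 == (":" c) { print $2; exit }'
}

# Exit 0 if the filter table has an explicit "-A INPUT -i lo ... -j ACCEPT".
loopback_accepted() {   # loopback_accepted < dump
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "INPUT" && /-i lo( |$)/ && /-j ACCEPT/ { found = 1 }
        END { exit !found }'
}

# List destination ports DNATed in nat PREROUTING with no matching DNAT in nat OUTPUT.
# Those ports are translated for forwarded traffic only, never for connections
# made from the firewall itself.
prerouting_only_dnat() {   # prerouting_only_dnat < dump
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && /-j DNAT/ {
            port = "?"
            for (i = 1; i <= NF; i++) { if ($i == "--dport") port = $(i + 1) }
            if ($2 == "PREROUTING") pre[port] = 1
            if ($2 == "OUTPUT")     out[port] = 1
        }
        END { for (p in pre) if (!(p in out)) print p }'
}

# Report on the dump from stdin; return 1 if local clients are likely blocked.
check_local_path() {   # check_local_path < dump
    dump=$(cat)
    in_pol=$(printf '%s\n' "$dump" | chain_policy filter INPUT)
    out_pol=$(printf '%s\n' "$dump" | chain_policy filter OUTPUT)
    status=0
    echo "filter INPUT policy: $in_pol, OUTPUT policy: $out_pol"
    if ! printf '%s\n' "$dump" | loopback_accepted; then
        echo "no '-A INPUT -i lo -j ACCEPT': replies from local services arrive on lo and hit the INPUT policy"
        [ "$in_pol" = "DROP" ] && status=1
    fi
    for p in $(printf '%s\n' "$dump" | prerouting_only_dnat); do
        echo "port $p is DNATed only in PREROUTING: connections from this host are not translated"
    done
    return $status
}

printf '%s\n' "$SAMPLE_DUMP" | check_local_path || echo "verdict: local HTTP access is likely blocked"
```

On the sample dump the script reports the DROP policies, the missing loopback rule and port 80 as PREROUTING-only, which is exactly the combination that makes a browser on the firewall time out while forwarded clients work. Adding `-A INPUT -i lo -j ACCEPT` (and, per Andy's point, letting Apache listen on the local address instead of DNATing to it) clears both findings.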