On Fri, Aug 22, 2008 at 10:07:53AM +0700, ????????? ????z??up?????? ??z?????? ????????? wrote:

> ## Forward port 80 to the mail server
> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.51.119 --dport 80 -j DNAT --to-destination 172.16.0.2

This looks like you're redirecting from your external interface's port 80 to another server. Presumably there's nothing listening on port 80 on your DMZ server?

> Problem:
> I can't browse to my-sub.domain.ext from the network,
> but I can browse my-sub.domain.ext from outside (another place).
>
> The following error was encountered:
>
> * Connection to 202.169.51.119 Failed
>
> The system returned:
>
> (111) Connection refused

Your proxy is connecting from a different interface (eth2 I think) and therefore the connection to port 80 is not being redirected to the mail server.

You *may* be able to solve this by also redirecting the connection from your proxy server, but you'll also need to use source NAT so your mail server's www service sends its replies to your DMZ server. Without the SNAT, the mail server will reply directly to the proxy server, and that will confuse the proxy because it thinks it's talking to your external IP.

The other common solution to this problem is to use so-called "split horizon DNS", whereby you have internal DNS servers which return the internal address (i.e. my-sub.domain.ext will resolve to 172.16.0.1, rather than your external IP) but your external DNS servers will return your external address. That way your clients inside the network get the correct address.

Depending on how your squid is doing DNS lookups, you may be able to add an entry to the /etc/hosts file on your proxy server and then explicitly configure the proxy for your clients. If that works this might provide an acceptable short-term solution.
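To make the three outcomes in the reply concrete, here is a small model of the firewall's NAT path, added as an example and not part of the original mail. It uses the addresses quoted in the thread; the proxy's address (172.16.0.10) and the firewall's LAN-side address on eth2 (172.16.0.1) are assumptions.

```python
# Model of the firewall in the thread (added example, not from the original mail).
# Addresses of the proxy and the firewall's LAN side are assumptions.
EXT_IP = "202.169.51.119"   # firewall's external address on eth0 (from the thread)
MAIL = "172.16.0.2"         # mail server, DNAT target (from the thread)
GW_LAN = "172.16.0.1"       # assumed address of the firewall on eth2 (LAN side)
PROXY = "172.16.0.10"       # assumed address of the squid proxy on the LAN

def nat_forward(pkt, conntrack, dnat_lan, snat):
    """PREROUTING DNAT (eth0 always; eth2 only if dnat_lan), then optional POSTROUTING SNAT.
    Returns the translated packet, or None if the firewall delivers it to itself."""
    orig = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    out = dict(pkt)
    if pkt["dst"] == EXT_IP and pkt["dport"] == 80 and (pkt["iface"] == "eth0" or dnat_lan):
        out["dst"] = MAIL                  # -j DNAT --to-destination 172.16.0.2
    else:
        return None                        # local delivery: nothing listens on :80 here
    if snat:
        out["src"] = GW_LAN                # -j SNAT --to-source 172.16.0.1 (extra rule)
    # conntrack remembers how to undo both translations on the reply
    conntrack[(out["dst"], out["dport"], out["src"], out["sport"])] = orig
    return out

def nat_reply(pkt, conntrack):
    """Undo both translations on a reply that transits the firewall."""
    osrc, osport, odst, odport = conntrack[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]
    return {"src": odst, "sport": odport, "dst": osrc, "dport": osport}

def proxy_connect(dnat_lan=False, snat=False):
    """Proxy on the LAN opens TCP to EXT_IP:80; return the outcome it observes."""
    ct = {}
    syn = {"iface": "eth2", "src": PROXY, "sport": 40000, "dst": EXT_IP, "dport": 80}
    fwd = nat_forward(syn, ct, dnat_lan, snat)
    if fwd is None:
        return "refused"                   # RST from the firewall: (111) Connection refused
    synack = {"src": MAIL, "sport": 80, "dst": fwd["src"], "dport": fwd["sport"]}
    if synack["dst"] != GW_LAN:
        # mail server and proxy share a LAN: the SYN-ACK goes straight to the proxy
        # from 172.16.0.2, but the proxy's socket expects 202.169.51.119 -> ignored
        return "reply_from_wrong_peer"
    reply = nat_reply(synack, ct)          # back through the firewall, un-NATed
    return "established" if (reply["src"], reply["sport"]) == (EXT_IP, 80) else "broken"

if __name__ == "__main__":
    print(proxy_connect())                          # refused
    print(proxy_connect(dnat_lan=True))             # reply_from_wrong_peer
    print(proxy_connect(dnat_lan=True, snat=True))  # established
```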