On Tue, May 18, 2004 at 07:00:15AM -0500, hanasaki wrote:
> external internet - firewall - internal web server
>
> internet traffic on port 80 is passed to the internal web server
> external internet-based browsers can hit the server
> internal-based browsers cannot
>
> What iptables runs are needed to let the internal browsers hit the
> internal server with the external IP
Could you post your NAT rules? iptables -L -t nat -nvx would do it. Also, your iptables rules (maybe just the pertinent ones) with a snippet of iptables -L -nvx.

In general, problems like this are usually caused by one of three things:

1) NAT is not being done properly.

2) Asymmetric routing is causing the translated packets from your internal net to go out some odd interface, and never return.

3) The iptables ruleset is not configured to allow connections to your webserver with a source of your internal LAN. (One related question - if you are doing SNAT for your internal network, this could also complicate things - you may have a rule that allows the internal net access to the webserver on port 80, but the packets are appearing on the firewall's external interface with the SNAT address you are using, causing the DROP/REJECT.)

A tcpdump on your firewall's external interface will tell you if you are inadvertently NAT'ing traffic from the internal LAN to the webserver. If you are logging all DROPs, you can also tail your syslog to see the packet details of the dropped packets.

Doug
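As an added example (not part of the thread, and not hanasaki's or Doug's configuration), the script below prints the diagnostic commands Doug asks for and then the "hairpin" NAT rules that make the reported setup work: a DNAT on the public address that also matches LAN clients, an SNAT for the LAN-to-webserver leg so the server's replies come back through the firewall instead of going straight to the client (Doug's case 2), and FORWARD rules that accept the translated packet with a LAN source and the server's private destination (Doug's case 3). All addresses, interface names and the web server IP are assumed placeholders; the script only echoes the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example for the iptables hairpin-NAT problem in the thread.
# Every address and interface name below is an assumption; override via
# the environment or edit to match your firewall.
EXT_IF=${EXT_IF:-eth0}                  # internet-facing interface (assumed)
INT_IF=${INT_IF:-eth1}                  # LAN interface (assumed)
EXT_IP=${EXT_IP:-203.0.113.5}           # public IP browsers use (assumed, RFC 5737 range)
LAN_NET=${LAN_NET:-192.168.1.0/24}      # internal network (assumed)
FW_LAN_IP=${FW_LAN_IP:-192.168.1.1}     # firewall's own LAN address (assumed)
WEB_IP=${WEB_IP:-192.168.1.20}          # internal web server (assumed)

# The commands Doug asks for, to run before changing anything. The tcpdump
# on $EXT_IF shows whether LAN->webserver traffic is wrongly leaving NAT'd.
diag_commands() {
    echo "iptables -L -t nat -nvx"
    echo "iptables -L -nvx"
    echo "tcpdump -ni $EXT_IF host $WEB_IP"
    echo "tcpdump -ni $INT_IF host $WEB_IP and port 80"
}

# Rules for letting LAN browsers reach the server via the external IP.
# Printed rather than executed; pipe into sh as root once reviewed.
hairpin_rules() {
    # 1) DNAT matched on the destination address, not on '-i $EXT_IF', so
    #    LAN clients talking to the public IP are translated as well.
    echo "iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP"
    # 2) Hairpin SNAT: without this the server replies directly to the
    #    client on the same LAN with source $WEB_IP, the client expected
    #    $EXT_IP, and the connection is reset (Doug's asymmetric case).
    #    Rewriting the source to the firewall's LAN address forces the
    #    reply back through the firewall, where conntrack undoes both NATs.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $WEB_IP -p tcp --dport 80 -j SNAT --to-source $FW_LAN_IP"
    # 3) FORWARD sees the packet after DNAT: LAN source, private server
    #    destination, entering and leaving on the LAN interface.
    echo "iptables -A FORWARD -i $INT_IF -o $INT_IF -s $LAN_NET -d $WEB_IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $INT_IF -o $INT_IF -s $WEB_IP -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT"
}

# Stand-alone run: diagnostics first (commented out so the output is safe
# to pipe into sh), then the rules.
echo '# diagnostics to run before changing rules:'
diag_commands | sed 's/^/#   /'
echo '# rules to apply as root after review:'
hairpin_rules
```

One caveat the thread's fix depends on: once the hairpin SNAT is in place, the web server's logs will show every LAN client as $FW_LAN_IP, which is the trade-off for making the server's replies traverse the firewall.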

