Ian:
Now that you have changed the address with PREROUTING, you need a FORWARD
rule for each one, I believe. Something like this:
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -m state --state NEW,ESTABLISHED,RELATED \
    -d $MAILSERVER --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -m state --state NEW,ESTABLISHED,RELATED \
    -d $WEBSERVER --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -m state --state NEW,ESTABLISHED,RELATED \
    -d $WEBSERVER --dport 443 -j ACCEPT
Perhaps you have already thought of that, but I didn't see it in your rules
below.
Stu..........
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Ian Truelsen
Sent: April 10, 2002 6:52 PM
To: Iptables User List
Subject: Can't get out to web sites
Sorry if this ends up being a stupid question, but I am just beginning with
Iptables.
I have a new firewall box that I am setting up with Iptables. Initially, I
had only a masquerading rule on it which gave me access to the web from my
LAN, but did not get mail to my mail server or http requests to my web
server. So, I added three extra rules to try and work that out. Here is what I
have now:
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -t nat -A PREROUTING -p tcp --destination-port 25 -j DNAT --to 192.168.100.1:25
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j DNAT --to 192.168.100.1:80
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j DNAT --to 192.168.100.1:443
# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
The 192.168.100.1 is the server that has the web and email servers on it.
The problem now is that a) I cannot access my web server from within the LAN
by using just the www.ihtruelsen.2y.net, which is what I used to be able to
do, I now have to use the machine name as well, in this case
dark-lord.ihtruelsen.2y.net and b) my LAN machines can no longer get to web
sites, but can ping to the internet.
On the other hand, the mail is getting in, and, if you are reading this, it
gets out as well.
I am sure that I have missed something, but I am still not at all sure why
this would fail in this particular way. Could someone give me a hint as to
why this is acting the way that it is?
Ian Truelsen
Masters program in Philosophy
University of Manitoba, Winnipeg, Canada
BA (Wilfrid Laurier University)
Email: [EMAIL PROTECTED]
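As an added example, not part of either message in the thread, here is a complete ruleset for the setup Ian describes. The interface names ppp0 and eth1 and the server address 192.168.100.1 come from his post; the LAN range 192.168.100.0/24 is an assumption. Two points it makes that the thread does not spell out: the DNAT rules in the original script carry no -i ppp0, so a LAN client's connection to any outside web server on port 80 or 443 is also rewritten to 192.168.100.1 (which matches symptom b); and flushing the chains leaves FORWARD with its default policy of ACCEPT, so FORWARD rules only restrict anything once the policy is set to DROP. Reaching the server by its public name from inside the LAN (symptom a) is a separate problem, hairpin NAT, which this script does not address.

```shell
#!/bin/sh
# Added example ruleset for the thread's setup. Interface names and the server
# address are taken from Ian's post; LANNET is an assumed LAN range.
EXTIF=${EXTIF:-ppp0}               # Internet-facing PPP interface
INTIF=${INTIF:-eth1}               # LAN interface
SERVER=${SERVER:-192.168.100.1}    # host running the mail and web servers
LANNET=${LANNET:-192.168.100.0/24} # assumption: LAN range behind eth1
IPTABLES=${IPTABLES:-iptables}     # set IPTABLES=echo to print rules instead of loading them

apply_rules() {
    # Start from a clean slate, then fail closed on forwarded traffic.
    $IPTABLES --flush
    $IPTABLES -t nat --flush
    $IPTABLES --delete-chain
    $IPTABLES -t nat --delete-chain
    $IPTABLES -P FORWARD DROP

    # Port forwards: match ONLY traffic arriving on the external interface.
    # Without -i, a LAN client's request to any web site on port 80/443 is also
    # rewritten to $SERVER, which breaks outbound browsing from the LAN.
    for port in 25 80 443; do
        $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$SERVER:$port"
    done

    # Masquerade LAN traffic leaving on the PPP link (dynamic address).
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -s "$LANNET" -j MASQUERADE

    # Replies to anything already tracked, in either direction.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections from the LAN out to the Internet.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LANNET" -m state --state NEW -j ACCEPT

    # New connections from the Internet only to the three forwarded services.
    for port in 25 80 443; do
        $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$SERVER" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Load the rules only when invoked as "sh firewall.sh apply" (needs root).
# Run "IPTABLES=echo sh firewall.sh apply" to review the rules without loading them.
case "${1:-}" in
    apply) apply_rules && enable_forwarding ;;
esac
```

The ordering matters: the ESTABLISHED,RELATED rule comes first so that return traffic for every allowed flow is accepted by one rule, and each later rule only has to describe the first packet of a connection.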