On Wednesday 15 May 2002 9:37 am, Kenneth wrote:

> I changed the script to just the following lines now but I still can not
> access internal website. Other things are fine:
>
> /sbin/iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
> /sbin/iptables -P INPUT ACCEPT
> /sbin/iptables -P OUTPUT ACCEPT
> /sbin/iptables -P FORWARD ACCEPT
> /sbin/iptables -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP
>     --dport 80 -j DNAT --to 192.168.1.200:80
> /sbin/iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -p tcp
>     -i $INET_IFACE -d 192.168.1.200 --dport 80  -j ACCEPT
> echo 1 > /proc/sys/net/ipv4/ip_forward
> /bin/echo 1 > /proc/sys/net/ipv4/ip_dynaddr
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
>
> Any help?

I don't see anything here which adds a rule to the FORWARDing chain to allow 
the replies back from the web server to the client!?

Try changing your one FORWARDing rule for the following two instead:

iptables -A FORWARD -m state --state NEW -d 192.168.1.200 -p tcp --dport 80 
-i $INET_IFACE -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

The first rule will allow external access in to the web server (first packet)

The second rule will allow the rest of the communication both ways.

Hope this helps,



Antony.
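As an added, runnable example (not code from either message in this thread): the complete script with Antony's two FORWARD rules in place of the original single rule. The external interface name, the public address, the IPT override variable and the has_reply_rule helper are assumptions; the web server address 192.168.1.200 is the one from the thread. The FORWARD policy is set to DROP here so that the explicit rules decide what is forwarded; with the original -P FORWARD ACCEPT policy the chain passes everything regardless of what rules follow. has_reply_rule is a check you can run against the output of "iptables -S FORWARD" on a live box to confirm that an unconditional ESTABLISHED,RELATED accept rule is present, which is what carries the server's replies back out.

```shell
#!/bin/sh
# Added example, not the script from the thread. Loads NAT + forwarding rules
# for an internal web server and includes a check for the reply rule.
# Run:            ./fw.sh apply
# Dry run:        IPT=echo ./fw.sh apply      (prints the rules instead of loading)

IPT="${IPT:-/sbin/iptables}"              # iptables binary (override with IPT=echo)
INET_IFACE="${INET_IFACE:-eth0}"          # assumed external interface
INET_IP="${INET_IP:-203.0.113.10}"        # assumed public address (constructed)
WEB_SERVER="${WEB_SERVER:-192.168.1.200}" # internal web server from the thread

apply_rules() {
    # Start from a clean slate so re-running the script is idempotent
    "$IPT" -F
    "$IPT" -t nat -F

    # Nothing is forwarded unless a rule below allows it
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P FORWARD DROP

    # Masquerade LAN clients going out via the external interface
    "$IPT" -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE

    # Port-forward inbound HTTP on the public address to the web server
    "$IPT" -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -d "$INET_IP" \
        --dport 80 -j DNAT --to "$WEB_SERVER:80"

    # Rule 1: the first packet of a new connection to the web server
    "$IPT" -A FORWARD -m state --state NEW -d "$WEB_SERVER" -p tcp --dport 80 \
        -i "$INET_IFACE" -j ACCEPT

    # Rule 2: the rest of every established conversation, in both directions.
    # Without this, the server's replies have no FORWARD rule matching them.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

enable_forwarding() {
    # Kernel must route between interfaces for any of the above to matter
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Reads a rule listing on stdin (e.g. from: iptables -S FORWARD) and returns 0
# if it contains an unconditional accept for ESTABLISHED,RELATED traffic.
# iptables prints the states as RELATED,ESTABLISHED, so both orders are accepted;
# a rule restricted by interface or destination does not count.
has_reply_rule() {
    grep -Eq -- \
      '^-A FORWARD -m (state --state|conntrack --ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT$'
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
    enable_forwarding
fi
```

On a running gateway, `iptables -S FORWARD | has_reply_rule && echo ok` tells you whether the reply rule is in place; the original single rule from the thread, which is restricted to `-i $INET_IFACE -d 192.168.1.200`, does not pass this check because packets from the web server back to the client match neither condition.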
