Thanks for the reply!

    The reason I have the two networks running parallel is because I am
switching internet access lines.  I am currently on a shared T1, which is
quite slow, and I am migrating to a DSL line, which is much faster.  I am
also trying to incorporate the firewall into the network and thought it
would be as good a time as any.  I know it sounds a little strange.  Omar
Acosta sent me some rules that worked on getting to the internal Web server
from an external network.  I've included them here.

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport $PORT -d $EXTIP -j DNAT --to-destination $PORTFWIP
$IPTABLES -t nat -A POSTROUTING -o $INTIF -p tcp --dport $PORT -d $PORTFWIP -j SNAT --to-source $INTIP

Travis Crook
Visions Beyond

----- Original Message -----
From: "Antony Stone" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 20, 2002 3:58 PM
Subject: Re: port forwarding in iptables


> On Monday 20 May 2002 10:41 pm, Travis Crook wrote:
>
> > The internal web server that I am running  has a connection to
> > the internet through the firewall plus it has an external connection of
> > its own (2 nics, one connected to the LAN the other connected to the
> > internet - separate from the firewall connection).
>
> Let me make sure I understand this setup correctly:
>
> You have a Firewall connected to the Internet and to your internal LAN, and
> you have a web server also connected to the Internet and to your internal
> LAN, so the two machines, in effect, are in parallel.
>
> Why ???
>
> > I can't seem to get
> > connections established to the internal address on the Web server when I
> > make a request to it through the firewall.  I can connect to it when I
> > type the ip address in from the internal network.
>
> I'm not surprised.   The web server will have a routing table on it which
> tells it to use its own direct connection to the Internet for replying to the
> outside world, therefore any request which it received from an external
> address will be replied to directly, not through the Firewall.
>
> If you've got NAT running on the Firewall, this means the client will get a
> response from a machine it didn't expect; if you haven't then you're probably
> just upsetting some upstream router which is only seeing half the packets.
>
> I hope I've got this picture of your network correct.
>
> Please tell us either why you have done it like this, or what I've got wrong.
>
> Antony.
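Added example, not part of this thread and not Omar Acosta's rules: a POSIX shell helper that checks the six values the rules above depend on (port range, dotted-quad addresses) and emits the DNAT, FORWARD and SNAT commands with those values filled in, or applies them when run as root with APPLY=1. The interface names and addresses used when calling it are constructed placeholders. The SNAT rule is the one that answers Antony's routing point: rewriting the source address to the firewall's internal IP makes the web server send its replies back to the firewall rather than out through its own Internet NIC, at the cost of the server's logs showing the firewall's address instead of the real client.

```shell
#!/bin/sh
# Added example (not from the thread): build the three-rule port-forward set.
# Values passed in are placeholders chosen for illustration.

# valid_port PORT -> true if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR -> true if ADDR is a dotted quad with each octet <= 255
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# portfwd_rules EXTIF INTIF EXTIP INTIP PORT PORTFWIP
# Prints one iptables command per line; returns 1 on a bad value.
portfwd_rules() {
    extif=$1; intif=$2; extip=$3; intip=$4; port=$5; fwip=$6
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    valid_ipv4 "$extip" && valid_ipv4 "$intip" && valid_ipv4 "$fwip" \
        || { echo "bad address" >&2; return 1; }
    # 1. DNAT in PREROUTING: rewrite the destination of inbound connections
    #    for $port on the external address to the internal web server.
    echo "iptables -t nat -A PREROUTING -i $extif -p tcp -d $extip --dport $port -j DNAT --to-destination $fwip"
    # 2. FORWARD: DNAT has already run, so the filter sees the internal
    #    address as destination; permit the flow and its replies only.
    echo "iptables -A FORWARD -i $extif -o $intif -p tcp -d $fwip --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # 3. SNAT in POSTROUTING: present the firewall's internal address as the
    #    client so the server's replies route back via the firewall, not via
    #    the server's own Internet connection.
    echo "iptables -t nat -A POSTROUTING -o $intif -p tcp -d $fwip --dport $port -j SNAT --to-source $intip"
}

# apply_or_print ARGS... -> executes each rule when APPLY=1, else prints it
apply_or_print() {
    portfwd_rules "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd   # unquoted on purpose: split into iptables arguments
        else
            echo "$cmd"
        fi
    done
}

# Placeholder values for a dry run: external eth0 at 203.0.113.10,
# internal eth1 at 192.168.1.1, web server at 192.168.1.20, port 80.
apply_or_print eth0 eth1 203.0.113.10 192.168.1.1 80 192.168.1.20
```

Run the script as-is to see the three commands; run it as root with APPLY=1 to load them. Because the FORWARD rule matches on the post-DNAT destination, it only admits traffic that the PREROUTING rule has already steered to the web server, which is tighter than the interface-only match in the original.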