** Reply to message from Edward Marczak <[EMAIL PROTECTED]> on Tue, 03 Dec 2002 09:45:10 -0500
> On 11/28/02 5:37 AM, "Lisa" <[EMAIL PROTECTED]> tapped the keys:
>
> > I was wondering if someone could help me with the following as I am new to
> > linux:
> >
> > I have a firewall with 1 external n/w card and 1 internal n/w card.
> >
> > A number of machines on the LAN are on this firewall. I have apache running
> > on one of the machines inside the firewall. I have one other person who dials
> > in from home (outside the f/w using dynamic ip). He wants to be able to connect
> > to the instance of apache which is running on the internal machine.
> >
> > I have tried using DNAT to route any traffic coming in from his range of ip
> > address to the internal machine, port 80. This doesn't seem to work. I have
> > opened up port 80 on the firewall.
> >
> > Eventually I will have to put in a rule that allows packets from any external
> > address to be sent to this machine using port 80.
> >
> > Could someone help me with either of these problems?

A couple of nitpicks:

> If you're using SNAT/Masquerading and have forwarding enabled, try this:
>
> iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT

This should always be preceded by this line, which ensures only SYN packets are seen as NEW:

/sbin/iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

> iptables -A PREROUTING -t nat -p tcp -d ext.ip.add.ress --dport 80 -j DNAT
> --to int.ip.add.ress:80
>
> Where eth0 is your external interface and eth1 is internal. Modify as
> needed.

When natting to another box, one doesn't have to specify the natted port if it is the same port as the original. IOW, you could have left off the :80 after --to int.ip.add.ress and it would have been shunted to port 80 anyway.

jb

--
Jack Bowling
mailto: [EMAIL PROTECTED]

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
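The rules discussed in this thread, assembled into one script in the order the reply recommends; this is an added example, not code from any of the posts. Interface names, the firewall's external address and the internal web server address are placeholder assumptions, and `DRY_RUN` lets you print the rules for review instead of applying them.

```shell
#!/bin/sh
# Constructed example: forward inbound TCP/80 on the external interface to
# the internal Apache host. All names and addresses below are assumptions.
EXT_IF=eth0                 # external interface (assumed)
INT_IF=eth1                 # internal interface (assumed)
EXT_IP=203.0.113.10         # firewall's external address (placeholder)
WEB_IP=192.168.1.20         # internal Apache host (placeholder)
IPT=/sbin/iptables

# With DRY_RUN set, print each command instead of executing it, so the rule
# order can be checked before touching the live firewall.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_rules() {
    # 1. Drop any non-SYN TCP packet that conntrack would classify as NEW.
    #    This must precede the ACCEPT below; otherwise a stray ACK or FIN
    #    segment could match --state NEW and be forwarded.
    run $IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
    # 2. Allow new and continuing connections from outside to the web port.
    run $IPT -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. Allow the replies back out (needed when the FORWARD policy is DROP).
    run $IPT -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Rewrite the destination before routing. No port is given after
    #    --to-destination: DNAT keeps the original destination port (80).
    run $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport 80 \
        -j DNAT --to-destination $WEB_IP
}
```

Run it as root to apply, or as `DRY_RUN=1 sh forward-web.sh` (after adding a trailing `apply_rules` call) to review the four commands first.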