Hi Everyone, I'm trying to allow my users who are connected on my LAN to connect to my internet web server.

My web server and my clients are behind my firewall (netfilter, kernel 2.4.9). My firewall preroutes any packet to its IP to the local web server IP (192.168.1.1 -> 192.168.1.4 (webserver)). When my clients try to access the web server's domain (which has an internet IP), it says connection refused, just as if the forwarding was not done adequately when my users access the web server from the internet. When I try to access my domain from the internet (like from another ISP or connection) it works perfectly. I suspect my netfilter rules are not good. If someone could help me on this one I would appreciate it.

NOTE: my web server, firewall and client workstations are not on the same machine.

Here are the firewall rules (using iptables 1.2.3):

#!/bin/sh
# Script FIREWALL

modprobe=/sbin/modprobe
/sbin/depmod -a
$modprobe iptable_nat
$modprobe ip_tables
$modprobe ip_conntrack
$modprobe ip_conntrack_ftp
$modprobe ipt_MASQUERADE

iptables=/sbin/iptables

WEBSERVER_IP=192.168.1.4
WANDEV=eth0
INTDEV=eth1
INTADDRESS=`/sbin/ifconfig $INTDEV | grep "inet addr" | awk '{print $2}' | cut -c6-20`
INTNETMASK=192.168.1.0/255.255.255.0
WANADDRESS=`/sbin/ifconfig $WANDEV | grep "inet addr" | awk '{print $2}' | cut -c6-20`

echo "L'addresse interne est : $INTADDRESS et l'addresse internet est : $WANADDRESS"

# Flush all the rules
flush() {
    echo "Je flush tous les regles"
    $iptables -t nat -F PREROUTING
    $iptables -t nat -F POSTROUTING
    $iptables -t nat -F OUTPUT
    $iptables -F INPUT
    $iptables -F OUTPUT
    $iptables -F FORWARD
}

allow_server_connections() {
    # allowing my lan clients to connect to my domain and get redirected to the local one..
    $iptables -t nat -A PREROUTING -s $INTNETMASK --dst www.mydomain.com --protocol tcp --destination-port 80 -j DNAT --to-destination $WEBSERVER_IP:80

    # allowing pop server connection
    $iptables -t nat -A PREROUTING -i $WANDEV -p tcp -d $WANADDRESS --dport 110 -j DNAT --to-destination $WEBSERVER_IP:110

    # allowing web server connection
    $iptables -t nat -A PREROUTING -i $INTDEV -p tcp -d $WANADDRESS --dport 80 -j DNAT --to-destination $WEBSERVER_IP:80
    $iptables -t nat -A PREROUTING -i $WANDEV -p tcp -d $WANADDRESS --dport 80 -j DNAT --to-destination $WEBSERVER_IP:80

    # allowing jabber server connection
    $iptables -t nat -A PREROUTING -i $WANDEV -p tcp -d $WANADDRESS --dport 5222 -j DNAT --to-destination $WEBSERVER_IP:5222

    # allowing clients to ftp to their sites
    $iptables -t nat -A PREROUTING -i $WANDEV -p tcp -d $WANADDRESS --dport 21 -j DNAT --to-destination $WEBSERVER_IP:21
}

start() {
    # call the flush function.. flushing rules
    flush
    echo "J'active nat.."

    # call the allow... function.. allowing web server connections.. I suspect this one is wrong
    # (the name used here must match the function defined above)
    allow_server_connections

    # Turn NAT on.
    $iptables -t nat -A POSTROUTING -s $INTNETMASK -o $WANDEV -j MASQUERADE

    echo "Activating ip forwarding.."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr

    $iptables -A INPUT -i $INTDEV -s 127.0.0.1 -j ACCEPT
    $iptables -A FORWARD -i $INTDEV -j ACCEPT
    $iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT FORWARD packet died:"
}

case "$1" in
    start)
        start
        ;;
    stop)
        flush
        ;;
    *)
        echo "Usage firewall start | stop "
        exit
esac

exit 0

Thanks in advance!
David Rainville
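Added example, not part of David's post or script: the pair of rules usually needed for this "hairpin" case, where a LAN client talks to the public address of a server on the same LAN. The function prints the iptables commands instead of running them so they can be reviewed first; the LAN network, eth1, the server address and the 203.0.113.10 public address are assumed placeholders in the spirit of the post.

```shell
#!/bin/sh
# Hairpin NAT, as an added example. The DNAT in the original script rewrites
# the destination, but the web server then answers the client directly from
# 192.168.1.4. The client sent its SYN to the public address, so a SYN/ACK
# from a different address does not match any of its connections and the
# attempt fails, which is what the client sees as "connection refused".
# A second rule in POSTROUTING rewrites the source of the same connection to
# the firewall's LAN address, so the server replies to the firewall and
# conntrack undoes both translations on the way back.
IPTABLES=${IPTABLES:-/sbin/iptables}

# hairpin_rules LAN_NET WAN_ADDR SERVER_IP PORT LAN_DEV
# Prints the two commands (one per line) rather than applying them.
hairpin_rules() {
    lan_net=$1; wan_addr=$2; server_ip=$3; port=$4; lan_dev=$5
    # 1) LAN client -> public address: redirect to the real server.
    echo "$IPTABLES -t nat -A PREROUTING -i $lan_dev -s $lan_net -d $wan_addr -p tcp --dport $port -j DNAT --to-destination $server_ip:$port"
    # 2) Same connection leaving on the LAN interface towards the server:
    #    rewrite the source so the reply returns via the firewall.
    #    Only redirected traffic matches, because a client talking to the
    #    server's LAN address directly never passes through the firewall.
    echo "$IPTABLES -t nat -A POSTROUTING -o $lan_dev -s $lan_net -d $server_ip -p tcp --dport $port -j MASQUERADE"
}

# Counts DNAT rules in a rule listing that lack a matching MASQUERADE rule;
# 0 means every redirect has its hairpin partner. Reads the listing on stdin.
count_missing_hairpin() {
    rules=$(cat)
    dnat=$(printf '%s\n' "$rules" | grep -c -- '-A PREROUTING .* -j DNAT')
    snat=$(printf '%s\n' "$rules" | grep -c -- '-A POSTROUTING .* -j MASQUERADE')
    echo $((dnat - snat))
}

# Show the rules for the constructed example addresses (review only):
#   sh hairpin.sh show
# Apply them after review:  sh hairpin.sh show | sh
if [ "${1:-}" = "show" ]; then
    hairpin_rules 192.168.1.0/24 203.0.113.10 192.168.1.4 80 eth1
fi
```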