[oclug]iptables nat problem

Chris Church linuxinfo at sgl.com
Wed Jan 15 15:17:27 EST 2003


I have been trying for days to get https port forwarding working. I 
have a DMZ with an inner and outer firewall and a webserver in the 
middle. I can access the webserver from inside the DMZ or from inside 
the inner firewall, but I can't access it from outside the outer firewall.

What is weird is that the port forwarding works through the inside 
firewall. I even tried the same rule set but modified it for the 
different IPs and direction.

I have also tried the simplest rule set:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -Z

iptables -t nat -A PREROUTING -i eth0 -d aaa.aaa.aaa.aaa -j DNAT --to bbb.bbb.bbb.bbb

This does not work completely. It passes the SYN packet through to 
bbb.bbb.bbb.bbb but there is no ACK response. If I put a test node in 
the b-network and go directly to bbb.bbb.bbb.bbb everything works fine 
(services respond). If I put a test node in the c-network and go through 
the inner firewall to bbb.bbb.bbb.bbb everything works fine. My 
problem is only when I try to traverse the outer firewall. And here is 
another puzzle piece: on the outer firewall I have port forwarding 
enabled for smtp and it works fine. If I transpose the exact same rule 
set to https on the same box it does not work.

The web server does not rack up any clock cycles when the packet from 
the a-network arrives although the packet sniffer on that box registers 
the SYN packet arriving.

Does any of this make any sense to anybody? It doesn't to me.

All help appreciated.

Chris
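A check that fits the symptom described above (SYN forwarded, no reply seen), added here as an example and not part of the original post: on a 2.4 kernel the outer firewall's connection-tracking table in /proc/net/ip_conntrack records a DNAT flow whose SYN went out but whose reply never came back through the box as SYN_SENT [UNREPLIED]. The script below lists such entries for a given destination port; the table lines are constructed sample data, not captured from the poster's firewall, and 203.0.113.5 is an assumed client address.

```shell
#!/bin/sh
# Added diagnostic: list TCP flows to a given port that the firewall forwarded
# but never saw answered. An [UNREPLIED] entry means no packet of the reverse
# tuple passed through this box, so the reply is not returning via this firewall.

# unreplied_to PORT: read /proc/net/ip_conntrack-format lines on stdin and print
# the original-direction tuple of every TCP flow to PORT still marked [UNREPLIED].
# Exit status 0 if at least one such flow was found, 1 otherwise.
unreplied_to() {
    awk -v want="dport=$1" '
        # fields: 1=proto 2=protonum 3=timeout 4=state 5=src 6=dst 7=sport 8=dport ...
        $1 == "tcp" && $8 == want && /\[UNREPLIED\]/ {
            printf "%s %s -> %s (%s)\n", $4, $5, $6, want
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of the conntrack table (assumed, not real data): the https
# flow is stuck at SYN_SENT with no reply, while the smtp flow the post says
# "works fine" has reached ESTABLISHED. 203.0.113.5 is an assumed client.
SAMPLE='tcp      6 117 SYN_SENT src=203.0.113.5 dst=aaa.aaa.aaa.aaa sport=40122 dport=443 [UNREPLIED] src=bbb.bbb.bbb.bbb dst=203.0.113.5 sport=443 dport=40122 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=aaa.aaa.aaa.aaa sport=40123 dport=25 src=bbb.bbb.bbb.bbb dst=203.0.113.5 sport=25 dport=40123 [ASSURED] use=1'

# Demo on the sample; on a live firewall use: unreplied_to 443 < /proc/net/ip_conntrack
printf '%s\n' "$SAMPLE" | unreplied_to 443
```

If the https entry shows up as [UNREPLIED] while the smtp one does not, the SYN is leaving the firewall and the difference lies in the path the webserver's reply takes back, which is where to look next.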
