[oclug]iptables nat problem
linuxinfo at sgl.com
Wed Jan 15 15:17:27 EST 2003
I have been trying for days to get https port forwarding working. I
have a DMZ with an inner and outer firewall and a webserver in the
middle. I can access the webserver from inside the DMZ or from inside
the inner firewall, but I can't access it from outside the outer firewall.
What is weird is that the port forwarding works through the inside
firewall. I even tried the same rules set but modified them for the
different IP's and direction.
I have also tried the simplest rules set.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -i eth0 -d aaa.aaa.aaa.aaa -j DNAT --to
This does not work completely. It passes the SYN packet through to
bbb.bbb.bbb.bbb but there is no ACK response. If I put a test node in
the b-network and go directly to bbb.bbb.bbb.bbb everything works fine
(services respond). If I put a test node in the c-network and go through
the inner firewall to bbb.bbb.bbb.bbb.bbb everything works fine. My
problem is only when I try to traverse the outer firewall. And here is
another puzzle piece, on the outer firewall I have port forwarding
enabled for smtp and it works fine. If I transpose the exact same rule
set to https on the same box it does not work.
The web server does not rack up any clock cycles when the packet from
the a-network arrives although the packet sniffer on that box registers
the SYN packet arriving.
Does any of this make any sense to anybody? It doesn't to me.
All help appreciated.
More information about the OCLUG