Hi

I have asked this question previously so I just want to clarify that I am correct.

I have set up a 2-interface firewall. I wish to forward port 80 on the external IP address interface to an internal IP address on port 80. Both interfaces are static IPs. I have installed the 2-interface example files. I then added the DNAT rule to the rules file as follows:

DNAT net loc:10.40.0.54 tcp 80

This is the only change I did to the rules file, yet when I test the address from externally it does not work. I have followed the FAQ and all seems correct; is there something I may be missing?

Thanks for your assistance in advance

Quentin
Quentin wrote:
> Hi
>
> I have asked this question previously so I just want to clarify that I
> am correct.
>
> I have set up a 2-interface firewall. I wish to forward port 80 on the
> external IP address interface to an internal IP address on port 80. Both
> interfaces are static IPs. I have installed the 2-interface example
> files. I then added the DNAT rule to the rules file as follows
>
> DNAT net loc:10.40.0.54 tcp 80
>
> This is the only change I did to the rules file, yet when I test the
> address from externally it does not work. I have followed the FAQ and
> all seems correct, is there something I may be missing?
>

Maybe that your ISP is blocking port 80?

I guess I'll have to make a FAQ out of this:

a) As root, type "iptables -t nat -Z" -- this resets all of the iptables counters in the nat table.
b) Try to connect from an external host.
c) As root, type "shorewall show nat".
d) In the output, locate the DNAT rule for port 80 -- it will be in a chain called "loc_dnat".
e) Is the packet count in the first column non-zero? If so, the connection request is reaching the firewall and is being redirected to port 80 on 10.40.0.54. In that case, the problem is usually a missing or incorrect default gateway on 10.40.0.54.
f) If the packet count is zero, the connection request is never reaching your firewall OR you are trying to connect to a secondary IP address on your firewall (the rule that you have will only redirect the primary IP).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
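The counter check in Tom's steps a) to f), as an added example that is not part of the thread: a small shell script that reads the verbose nat-table listing (the same counters "shorewall show nat" prints) and reports whether the port-80 DNAT rule saw any packets. The listing below is a constructed sample in the standard "iptables -t nat -vnL <chain>" column layout, using the chain name and addresses from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project).
# On a real firewall the input would come from:
#   iptables -t nat -Z            # zero the counters
#   (connect from an external host)
#   iptables -t nat -vnL loc_dnat # list the DNAT chain with counters
# The two listings below are CONSTRUCTED samples, not captured output.

SAMPLE_ZERO='Chain loc_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.40.0.54'

SAMPLE_HIT='Chain loc_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.40.0.54'

# dnat_pkts <port> <internal-ip>: read a chain listing on stdin and print the
# pkts counter of the first DNAT rule for "dpt:<port>" redirecting to
# "to:<internal-ip>". Prints -1 when no such rule is in the chain.
dnat_pkts() {
    port=$1; target=$2
    awk -v p="$port" -v t="$target" '
        BEGIN { gsub(/\./, "\\.", t) }          # literal dots in the IP
        $3 == "DNAT" && $0 ~ ("dpt:" p "( |$)") && $0 ~ ("to:" t "(:| |$)") {
            print $1; found = 1; exit
        }
        END { if (!found) print "-1" }'
}

# diagnose <pkts>: map the counter onto the next thing to check, following
# steps e) and f) of the reply above.
diagnose() {
    case "$1" in
        -1) echo "NO_RULE: no DNAT rule for that port/target in the chain" ;;
        0)  echo "NOT_REACHING: request never reached the firewall, or it was sent to a secondary IP" ;;
        *)  echo "REACHING: redirected to the internal host; check its default gateway" ;;
    esac
}

for listing in "$SAMPLE_ZERO" "$SAMPLE_HIT"; do
    n=$(printf '%s\n' "$listing" | dnat_pkts 80 10.40.0.54)
    echo "pkts=$n -> $(diagnose "$n")"
done
```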
Hi

Ok, I checked the nat table and the pkts column is showing 0. I have also checked the gateways and the internal machine's gateway is the internal IP on the firewall (10.40.0.5). There is an Apache web server running on the firewall on port 80. Would this cause a problem in the forwarding? Also I have only one gateway set on the external interface (eth0) and the internal one has no gateway. I assume this is correct.

When I test from external, the HTTP error that comes up is error 500. This shows that the request is coming through to the firewall but it looks like it isn't getting any further.

Anything else I should check, as all looks in place?

Thanks for your assistance once again

Quentin
Quentin wrote:
> Hi
>
> Ok I checked the nat table and the pkts column is showing 0. I have
> also checked the gateways and the internal machine's gateway is the
> internal IP on the firewall (10.40.0.5). There is an Apache web server
> running on the firewall on port 80. Would this cause a problem in the
> forwarding?

No.

> Also I have only one gateway set on the external interface
> (eth0) and the internal one has no gateway. I assume this is correct.

Yes.

> When I test from external the HTTP error that comes up is error 500.
> This shows that the request is coming through to the firewall but it
> looks like it isn't getting any further.

That claim is absurd. You have just shown that the connection request is NOT getting to your firewall because the packet count in your NAT rule is ZERO!!!

Your firewall is logging all packets that it is either dropping or rejecting, correct? Do you see any log messages when you try to connect?

> Anything else I should check as
> all looks in place.
>

I guess you are going to have to run a packet sniffer on your firewall while trying to connect to convince yourself that the connection requests either are not getting to your firewall OR the connection requests don't look the way you think they do (not port 80, wrong IP, ...).

-Tom
Hi

After checking the different options I found that the ISP is blocking all traffic into the router that is destined for particular addresses. After changing the external IP to the allowed address all worked fine.

Thanks once again for your assistance

Quentin
Quentin wrote:
>
> After checking the different options I found that the ISP is blocking all
> traffic into the router that is destined for particular addresses. After
> changing the external IP to the allowed address all worked fine.
>

Thanks for the update.

> Thanks once again for your assistance
>

You're welcome,

-Tom