
Re: iptables problem getting url's hosted inside



On Tue, May 18, 2004 at 07:00:15AM -0500, hanasaki wrote:
> external internet - firewall - internal web server
> 
> internet traffic on port 80 is passed to the internal web server
> external internet based browsers can hit the server
> internal based browsers cannot
> 
> What iptables runs are needed to let the internal browsers hit the 
> internal server with the external IP

Could you post your NAT rules? iptables -L -t nat -nvx would do it. Also,
your iptables rules (maybe just the pertinent ones) with a snippet
of iptables -L -nvx.

In general, problems like this are usually caused by one of three
things:

1) NAT is not being done properly

2) Asymmetric routing is causing the translated packets from your
internal net to go out some odd interface, and never return.

3) The iptables ruleset is not configured to allow connections to your
webserver with a source of your internal LAN (one related question -
if you are doing SNAT for your internal network, this could also
complicate things - you may have a rule that allows the internal net
access to the webserver on port 80, but the packets are appearing on
the firewall's external interface with the SNAT address you are using,
causing the DROP/REJECT).

A tcpdump on your firewall's external interface will tell you if you
are inadvertently NAT'ing traffic from the internal LAN to the
webserver. If you are logging all DROPs, you can also tail your syslog
to see the packet details of the dropped packets.


Doug
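
One way to act on the syslog suggestion in the message above, as an added example that is not part of the original post: it counts logged drops of web traffic and labels each source as internal LAN, SNAT address or other, which separates cause 3 from the rest. The FW-DROP log prefix, the addresses and the interface names are assumptions made up for the sample.

```shell
#!/bin/sh
# Added example. Addresses, interface names and the FW-DROP log prefix
# are constructed; substitute the ones your ruleset actually uses.
LAN_PREFIX="192.168.1."   # assumed internal LAN, 192.168.1.0/24
SNAT_ADDR="203.0.113.1"   # assumed SNAT address of the firewall

# Constructed sample lines in the kernel LOG target's KEY=value format.
sample_log() {
cat <<'EOF'
May 18 07:01:02 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=80 SYN
May 18 07:01:05 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.1 DST=203.0.113.10 LEN=60 TTL=64 PROTO=TCP SPT=40002 DPT=80 SYN
May 18 07:01:09 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=51 PROTO=TCP SPT=51515 DPT=22 SYN
May 18 07:01:11 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=40003 DPT=80 SYN
EOF
}

# Read syslog on stdin; count dropped TCP packets to port $1 (default 80)
# per origin class, inbound interface and source address.
web_drops() {
    awk -v lan="$LAN_PREFIX" -v snat="$SNAT_ADDR" -v port="${1:-80}" '
    /FW-DROP/ {
        split("", f)                          # reset the per-line field map
        for (i = 1; i <= NF; i++) {           # collect every KEY=value token
            n = index($i, "=")
            if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        if (f["PROTO"] != "TCP" || f["DPT"] != port) next
        if (index(f["SRC"], lan) == 1)  origin = "lan"    # untranslated client
        else if (f["SRC"] == snat)      origin = "snat"   # already SNATed
        else                            origin = "other"
        count[origin " " f["IN"] " " f["SRC"]]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# Stand-alone run over the sample; on a live firewall feed it the syslog
# file or a tail of it instead.
sample_log | web_drops
```

A "snat" row on the external interface matches the case described in point 3, where the internal client's packets reach the filter rules carrying the SNAT address instead of a LAN address.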


