Iptables and portforwarding to an internal webserver.
Ken Bradford
ken at alpha2.com
Wed Jun 9 11:36:59 EDT 2004
I've run into a snag forwarding ports 80 & 443 to an internal webserver for
a client. I _thought_ everything was fine. I could access their webserver
from my office just fine, but it turns out they can't access it internally
by going to the public address. We're using Firestarter 0.8.2 (it's a RH7.2
box). The pertinent code is:
$IPT -A FORWARD -p TCP -d 192.168.20.5 --dport 80 -j ACCEPT
$IPT -A PREROUTING -t nat -p TCP -d $NET --dport 80 -j DNAT --to 192.168.20.5:80
$IPT -A FORWARD -p TCP -d 192.168.20.5 --dport 443 -j ACCEPT
$IPT -A PREROUTING -t nat -p TCP -d $NET --dport 443 -j DNAT --to 192.168.20.5:443
I tried changing this to:
$IPT -A FORWARD -p TCP -d 192.168.20.5 --dport 80 -j ACCEPT
$IPT -A PREROUTING -t nat -p TCP -d $NET --dport 80 -j DNAT --to 192.168.20.5:80
$IPT -A PREROUTING -t nat -p TCP -d $INNET --dport 80 -j DNAT --to 192.168.20.5:80
$IPT -A FORWARD -p TCP -d 192.168.20.5 --dport 443 -j ACCEPT
$IPT -A PREROUTING -t nat -p TCP -d $NET --dport 443 -j DNAT --to 192.168.20.5:443
$IPT -A PREROUTING -t nat -p TCP -d $INNET --dport 443 -j DNAT --to 192.168.20.5:443
But this did not help. It does not seem to be a local DNS issue.
$IPT = iptables
$NET = external interface/netmask
$INNET = internal interface/netmask
Anything obvious, or not so obvious, that I'm missing? Any suggestions?
Ken Bradford
Alpha II Service, Inc.
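The symptom in the post (outside clients reach the forwarded server, LAN clients connecting to the public address do not) is the classic "hairpin NAT" gap: the DNAT rule does rewrite the LAN client's packet to 192.168.20.5, but the server then sits on the same subnet as the client and answers it directly, so the client sees a reply from 192.168.20.5 instead of from the public address and discards it. The missing piece is a source rewrite in POSTROUTING for that path, so the server's replies are forced back through the firewall where conntrack undoes both translations. The script below is an added example, not the Firestarter-generated rules from the post; the public address (203.0.113.10, a documentation range address), the firewall's internal address (192.168.20.1) and the internal network (192.168.20.0/24) are assumed values, and the script assumes the rest of the ruleset already accepts return traffic in FORWARD, as the original rules also rely on.

```shell
#!/bin/sh
# Hairpin (NAT loopback) port forwarding for an internal web server.
# Added example; this is not the Firestarter script from the post.
# All addresses below are assumptions for illustration; 203.0.113.10 is a
# documentation (TEST-NET-3) address standing in for the real public address.
IPT="${IPT:-iptables}"                  # set IPT=echo to print rules instead of loading them
PUB_IP="${PUB_IP:-203.0.113.10}"        # assumed public address the server is published on
INNET="${INNET:-192.168.20.0/24}"       # assumed internal network (the post's $INNET)
FW_INT_IP="${FW_INT_IP:-192.168.20.1}"  # assumed internal address of the firewall itself
WEB="192.168.20.5"                      # internal web server, as in the post

# Emit the three rules needed to publish one TCP port on $WEB.
forward_port() {
    port="$1"
    # Let the forwarded connection through the filter table (same as the post).
    $IPT -A FORWARD -p tcp -d "$WEB" --dport "$port" -j ACCEPT
    # Rewrite the destination for anyone, outside or inside, who connects to
    # the public address. Matching on the public address (not on the internal
    # network) is what catches LAN clients: they are connecting to $PUB_IP too.
    $IPT -t nat -A PREROUTING -p tcp -d "$PUB_IP" --dport "$port" \
        -j DNAT --to-destination "$WEB:$port"
    # Hairpin fix: after DNAT a LAN client's packet is addressed to $WEB, which
    # is on the client's own subnet, so the server would answer the client
    # directly and the client would see a reply from 192.168.20.5 rather than
    # from $PUB_IP and drop it. Rewriting the source to the firewall makes the
    # server reply to the firewall, which reverses both translations.
    $IPT -t nat -A POSTROUTING -p tcp -s "$INNET" -d "$WEB" --dport "$port" \
        -j SNAT --to-source "$FW_INT_IP"
}

# Dry-run helper: count the hairpin SNAT rules that forward_port would emit for
# a port. Runs in a subshell with IPT=echo, so it never touches the firewall.
hairpin_rule_count() {
    ( IPT=echo; forward_port "$1" ) | grep -c -- '-A POSTROUTING .* -j SNAT'
}

case "${1:-}" in
    apply) for p in 80 443; do forward_port "$p"; done ;;              # load the rules (as root)
    show)  IPT=echo; for p in 80 443; do forward_port "$p"; done ;;    # print the rules only
esac
```

Run it with `show` first to review the generated rules, then `apply` as root. To confirm the hairpin path is being taken, open the public address from a LAN host and watch the packet counters on the POSTROUTING rule with `iptables -t nat -vnL POSTROUTING`; if the DNAT counter moves but the SNAT counter stays at zero, the source rewrite is not matching and the server is still replying directly. The trade-off of this fix is that the web server's logs show the firewall's internal address, not the real client, for connections that came in this way.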
More information about the colug mailing list