Hi,
I have a gateway acting as the firewall for my network and I am trying to do something that seems simple, but I cannot seem to work it out.
Behind our firewall is an Outlook Web Access server. From the internet it is accessed by the DNS name webmail.xxx.xxx, which points to a virtual IP 141.xxx on the external NIC.
However, if you are connected to the internal network and try to access webmail.xxx or 141.xxx, it fails.
Is there some obvious rule to allow internal clients to access a port hosted on an external IP?
Cheers
IPTABLES FILE, if that helps (eth0 is the external interface):
# Generated by iptables-save v1.4.12 on Mon Aug 13 15:09:41 2012
*nat
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -p tcp -m tcp -i eth0 --dport 443 -j DNAT --to-destination 192.168.1.250:443
-A PREROUTING -p tcp -m tcp -i eth0 --dport 993 -j DNAT --to-destination 192.168.1.250:993
-A PREROUTING -p tcp -m tcp -i eth0 --dport 25 -j DNAT --to-destination 192.168.1.250:25
-A PREROUTING -p tcp -m tcp -i eth0 --dport 26 -j DNAT --to-destination 192.168.1.250:25
-A PREROUTING -p tcp -m tcp -i eth0 --dport 587 -j DNAT --to-destination 192.168.1.250:587
-A PREROUTING -p tcp -m tcp -i eth0 --dport 1723 -j DNAT --to-destination 192.168.1.28:1723
-A PREROUTING -p gre -i eth0 -j DNAT --to-destination 192.168.1.28
COMMIT
# Completed on Mon Aug 13 15:09:41 2012
# Generated by iptables-save v1.4.12 on Mon Aug 13 15:09:41 2012
*mangle
:PREROUTING ACCEPT [13:1873]
:INPUT ACCEPT [13:1873]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11:2369]
:POSTROUTING ACCEPT [11:2369]
COMMIT
# Completed on Mon Aug 13 15:09:41 2012
# Generated by iptables-save v1.4.12 on Mon Aug 13 15:09:41 2012
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state -i eth0 -o eth1 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 53 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp -i eth1 --icmp-type any -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 -j ACCEPT
-A FORWARD -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp -d 141.xx -i eth0 --icmp-type any -j ACCEPT
-A INPUT -p icmp -m icmp -d 141.xx -i eth0 --icmp-type any -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -p tcp -m tcp -i eth0 --dport 993 -j ACCEPT
-A FORWARD -p tcp -m tcp -i eth0 --dport 26 -j ACCEPT
-A FORWARD -p tcp -m tcp -i eth0 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -i eth0 --dport 1723 -j ACCEPT
-A FORWARD -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
-A FORWARD -p gre -i eth0 -j ACCEPT
COMMIT
# Completed on Mon Aug 13 15:09:41 2012
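What the question is after is usually called hairpin NAT (NAT reflection): the posted PREROUTING DNAT rules only match `-i eth0`, so a LAN client's packet to the VIP is delivered to the gateway itself, which has nothing listening on 443. The script below is an added example, not part of the posted configuration; it assumes 203.0.113.10 as a placeholder for the 141.xxx VIP, 192.168.1.0/24 as the internal subnet, and eth1 as the LAN interface (as the posted FORWARD rules imply).

```shell
#!/bin/sh
# Hairpin NAT (NAT reflection) for the OWA forward in the question.
# Assumed placeholders, not values from the post: EXT_IP stands in for the
# 141.xxx virtual IP, LAN_NET for the internal subnet; eth1 is taken to be
# the LAN interface.
EXT_IP="${EXT_IP:-203.0.113.10}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
OWA="${OWA:-192.168.1.250}"
IPT="${IPT:-echo iptables}"   # dry run by default; export IPT=iptables to apply

# Rules that are needed once, whatever the port.
hairpin_base() {
  # Reply packets (OWA -> client) also traverse eth1 -> eth1, which the
  # posted FORWARD chain never accepts; its rules only cover eth1 -> eth0
  # and eth0 -> eth1.
  $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Rules for one forwarded TCP port.
hairpin_port() {
  port="$1"
  # 1. LAN clients that connect to the public VIP are rewritten to the OWA
  #    host, just as eth0 traffic is; without this the packet is delivered
  #    to the gateway itself, which has nothing listening on the port.
  $IPT -t nat -A PREROUTING -i "$LAN_IF" -d "$EXT_IP" -p tcp --dport "$port" \
       -j DNAT --to-destination "$OWA:$port"
  # 2. Source-NAT the hairpinned flow to the gateway's LAN address. Otherwise
  #    the OWA host replies straight to the client, which expects an answer
  #    from the VIP and resets the connection. Side effect: OWA logs show the
  #    gateway address instead of the client address for these sessions.
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$OWA" -p tcp --dport "$port" -j MASQUERADE
  # 3. Permit the new eth1 -> eth1 connection in the filter table.
  $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$OWA" -p tcp --dport "$port" \
       -m state --state NEW -j ACCEPT
}

# Number of rule lines produced for one port; a quick dry-run self-check.
hairpin_port_rule_count() { hairpin_port "$1" | wc -l | tr -d ' '; }

hairpin_base
for p in 443 993 25 587; do hairpin_port "$p"; done
```

Split-horizon DNS, where webmail.xxx.xxx resolves to 192.168.1.250 for internal clients, avoids the hairpin entirely and keeps real client addresses in the OWA logs.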