iptables and EXTIP access from LAN
I posted this a few days ago under "Security" and haven't received a response. Forgive me if I'm being impatient, but I suspect that "Security" may not be the right forum for my question.
I have a RedHat 7.2 box configured as a firewall with IP masquerading. The setup is rather basic: DSL ROUTER <-> FIREWALL <-> SWITCH <-> (WEBSERVER, INTERNAL MACHINE 1, INTERNAL MACHINE 2, ETC) and for the most part works fine. External machines are able to access the webserver through the firewall, and internal machines can access the webserver via its LAN IP address. The problem I have is that internal machines can't reach the webserver via the firewall's EXTIP address. In other words, if I "telnet mydomain.com 80" on an internal machine, DNS (from outside my LAN) returns the correct IP address but the machine can't establish a connection, whereas the same test works fine if I perform it on a machine outside the firewall. In summary, it seems there's a problem with machines on the LAN accessing other machines on the LAN through the firewall.
I'm using the seemingly standard rc.firewall 0.63 script (copied off linuxdoc.org), with a few modifications for allowing external access to my LAN. I figure I need to add a rule that forwards port 80 LAN traffic destined for the firewall EXTIP address to the webserver, but haven't been able to make it work. I've been looking all over for help and can't find what I need, so I'd love to hear everyone's suggestions on what might be wrong. Let me know if I should post my iptables config (or anything else).
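The "hairpin" (NAT loopback) rule set that this symptom usually calls for, as an added example that is not from the original post or from the rc.firewall script; the addresses, network and interface name are constructed placeholders, and the script only prints the rules unless IPT is pointed at the real iptables binary:

```shell
#!/bin/sh
# Added example: hairpin NAT so LAN hosts that connect to EXTIP:80 reach the
# internal web server. All values below are placeholders (not from the post).
EXTIP="${EXTIP:-203.0.113.10}"          # firewall's public address
LAN_IF="${LAN_IF:-eth1}"                # firewall interface facing the switch
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # internal network
FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}"   # firewall's LAN-side address
WEB_IP="${WEB_IP:-192.168.1.10}"        # web server's LAN address
IPT="${IPT:-echo}"   # default: print rules only; set IPT=/sbin/iptables to apply

hairpin_rules() {
    # 1. A LAN packet addressed to EXTIP arrives on LAN_IF, not on the external
    #    interface, so a DNAT rule written with "-i ext_if" never matches it.
    #    Match on the LAN interface and rewrite the destination to the server.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$EXTIP" \
        -p tcp --dport 80 -j DNAT --to-destination "$WEB_IP:80"
    # 2. Rewrite the source so the server replies through the firewall. Without
    #    this the server answers the client directly from WEB_IP, and the client,
    #    which sent to EXTIP, discards the reply. Scoped to hairpinned traffic
    #    only, so the server's logs keep real client addresses for all else.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$WEB_IP" \
        -p tcp --dport 80 -j SNAT --to-source "$FW_LAN_IP"
    # 3. FORWARD must permit LAN_IF -> LAN_IF for exactly this flow and its
    #    replies; keep it narrow rather than opening intra-LAN forwarding.
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$WEB_IP" \
        -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$WEB_IP" -p tcp --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

hairpin_rules
```

Because step 2 hides the real client address from the web server, a split-horizon DNS entry that resolves mydomain.com to the LAN address for internal clients avoids hairpinning altogether and is the cleaner fix where it is available.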