Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
04-20-2011, 07:48 AM
#1
LQ Newbie
Registered: Mar 2011
Posts: 8
IPtables port forwarding
Hi!
I have a computer with two interfaces, eth0 (LAN) and eth1 (WAN).
I have followed some guides on the internet and came up with this iptables configuration:
# Generated by iptables-save v1.4.4 on Wed Apr 20 09:43:12 2011
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination 192.168.0.254:80
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Apr 20 09:43:12 2011
# Generated by iptables-save v1.4.4 on Wed Apr 20 09:43:12 2011
*mangle
:PREROUTING ACCEPT [448:61429]
:INPUT ACCEPT [370:36685]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [330:136355]
:POSTROUTING ACCEPT [330:136355]
COMMIT
# Completed on Wed Apr 20 09:43:12 2011
# Generated by iptables-save v1.4.4 on Wed Apr 20 09:43:12 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -p icmp -m icmp --icmp-type any -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m limit --limit 5/sec -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Wed Apr 20 09:43:12 2011
The computer is the network gateway. I have Apache installed on it.
How can I forward HTTP requests on eth1 to the Apache server (port 80)?
It is currently not working.
Thanks in advance
04-20-2011, 05:10 PM
#2
Senior Member
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, Ubuntu, SLES, CentOS
Posts: 1,674
@ Reply
As I understand it, the server in the picture is a network gateway. You have installed Apache on it and you want this server to act as a web server.
You said it is not working; does that mean you are able to access the default HTTP page from within the network but not from the outside network/internet?
Paste the IP addresses/configuration of both eth0 and eth1 in the thread.
Paste the http.conf contents here in the thread.
04-20-2011, 05:46 PM
#3
Member
Registered: Apr 2011
Location: Jakarta, Indonesia
Distribution: Fedora, CentOS
Posts: 113
Quote:
Originally Posted by
diogosalazar
-A INPUT -i eth1 -p icmp -m icmp --icmp-type any -j DROP
Sorry, this might be off topic, but in this rule you have blocked all ICMP packets coming in. This could lead to a blackhole situation, which is not good.
This has been described in RFC 2923.
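The ICMP point raised in post #3, as an added example that is not part of the thread: a small first-match evaluator run over a subset of the INPUT rules from the first post, showing that the eth1 ICMP DROP fires before the RELATED,ESTABLISHED rule. It assumes that connection tracking classifies an ICMP error for an existing connection as RELATED; the reordered rule list and the sample packets are constructed for illustration, and options the parser does not model (such as `!` negation or `-d`) are ignored.

```python
import shlex

# Subset of the INPUT rules from the first post's *filter table.
ORIGINAL = """\
-A INPUT -i eth1 -p icmp -m icmp --icmp-type any -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/sec -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
""".splitlines()

# Constructed alternative: same rules, conntrack rule evaluated first.
STATE_RULE = "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
REORDERED = [STATE_RULE] + [r for r in ORIGINAL if r != STATE_RULE]

OPTS = {"-i": "iface", "-p": "proto", "--icmp-type": "icmp_type",
        "--state": "state", "--dport": "dport", "-j": "target"}

def parse(line):
    """Extract the options this example models from one '-A' line."""
    tok = shlex.split(line)  # shlex keeps the quoted log prefix as one token
    return {OPTS[t]: tok[i + 1] for i, t in enumerate(tok[:-1]) if t in OPTS}

def matches(rule, pkt):
    for key in ("iface", "proto", "dport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if rule.get("icmp_type", "any") not in ("any", pkt.get("icmp_type")):
        return False
    return "state" not in rule or pkt["state"] in rule["state"].split(",")

def verdict(rules, pkt, policy="ACCEPT"):
    """Return (target, rule line) of the first terminating rule that matches."""
    for line in rules:
        rule = parse(line)
        # LOG does not end traversal, so only terminating targets count.
        if rule.get("target") in ("ACCEPT", "DROP", "REJECT") and matches(rule, pkt):
            return rule["target"], line
    return policy, None

# Constructed packets arriving on the WAN interface.
PMTU = {"iface": "eth1", "proto": "icmp",
        "icmp_type": "fragmentation-needed", "state": "RELATED"}
PING = {"iface": "eth1", "proto": "icmp", "icmp_type": "echo-request", "state": "NEW"}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        for label, pkt in (("frag-needed", PMTU), ("echo-request", PING)):
            print(f"{name:9} {label:12} -> {verdict(rules, pkt)[0]}")
```

With the conntrack rule first, the fragmentation-needed message for an existing connection is accepted while an unsolicited echo request from eth1 is still dropped.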
All times are GMT -5.