LinuxQuestions.org - Nat/dnat Hell!! Help Please...

Hi,

I've look and tried every single post on the forum and I can't get it working. What is wrong???

I have a small network and I need to access my WebServer (10.10.1.1) through my proxy/firewall (10.10.1.2). But when I hit my external IP address it doesn't get through.

Please help me.

Thanks.

What do I need to do. This my firewall file:

-----------------------------------------------------

#!/bin/sh
# description: nat
# chkconfig: 2345 99 00

case "$1" in
'start')
#!/bin/bash
# Do iptables based masquerading and firewalling.

# Set default PATH
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc

# Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

# Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log spoofed packets, source routed packets, redirect packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Clean old iptables
iptables -F
iptables -X
iptables -Z

# Allow forwarding through the internal interface
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Default forward policy to DROP
iptables -P FORWARD DROP

# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.10.1.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.10.1.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.10.1.1:21
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.10.1.1:25
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.10.1.1:110
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.1.1:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.10.1.1:8080

# Firewall Rules

# Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

# Fragments : Don't trust the little buggers. Send 'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP

# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

# Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT

# DNS
# Allow UDP and TCP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT

# SSH
# allow all sshd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT

# HTTP
# allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT

# FTP
# allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT

# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT

# Allow ICMP in if it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow bot traffic through
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT

# enable dcc
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT

# LOGGING:

# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i eth0 -p udp -j DROP

# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i eth0 -p icmp -j DROP

# Windows NetBIOS noise, log & drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP

# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
iptables -A INPUT -i eth0 -p 2 -j DROP

# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i eth0 -p tcp -j DROP

# Anything else not allowed, log & drop
# iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
# iptables -A INPUT -i eth0 -j DROP

touch /var/lock/subsys/nat
;;
'stop')
rm -f /var/lock/subsys/nat
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0

-----------------------------------------------------