cannot access web server from LAN

puding · 09-05-2004, 08:54 PM

Hi there,

Why did my pc in LAN cannot access a website in the webserver that are using a real ip that is not even sit behind the firewall, but still through the 3rd network card in firewall server.

The website is succesfull access by the internet but not the intranet.

Why is it happen? Is that because of my iptables rules??

Thanks in advance.

zatriz · 09-06-2004, 12:35 AM

yes if its on the third nic then that means that its mostly a DMZ and you would have no need of going to it because its for your own protection. Thats what they are there for, but yes if you wanted to get access to that webserver a few iptables rules will let you have access to it.

puding · 09-06-2004, 01:20 AM

It is seems to be as a DMZ, but it didn't located behind the firewall and i never do any ip aliasing.

The ip configuration is such like this :

EXTERNALIF = "eth0"
EXTERNALADDR = "201.139.100.90"

INTERNALIF = "eth1 \ eth2"
INTERNALADDR = "192.168.1.251 \ 201.139.31.250"

which the web server is in the same range of ip with eth2 (dmz)

and I put some rules as simple as this for port fowarding:

$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d 201.139.31.2 --dport 80 -j DNAT --to 2011.139.31.2:80
$IPTABLES -A FOWARD -i $EXTERNALIF -p tcp -d 201.139.31.2 --dport 80 -j ACCEPT

I try to use the same rules for LAN, which i just switch the EXTERNALIF to INTERNALIF, but it didn't work.

Do anybody can suggest me what is the exact rules for this

Thanks in advance

zatriz · 09-06-2004, 01:25 AM

$IPTABLES -A FOWARD
see if it makes a differences when you spell it correctly
FORWARD

puding · 09-06-2004, 01:34 AM

i'm sorry...i misspelt it in this forum but not in the iptables..

zatriz · 09-06-2004, 01:40 AM

what are the effective ip addresses of all the interfaces
eth0
eth1
eth2
just give me the last 2 octets.

puding · 09-06-2004, 01:45 AM

is this what u mean??

eth1 = "192.168.1.0/24"
eth2 = "201.139.31.0/24"

I'm sorry zatriz, but i don't understand what do u mean by effective ip addresses.

zatriz · 09-06-2004, 01:48 AM

when you do ifconfig on the actual firewall what are the ip addreses there
and what is 201.139.31.2 for

puding · 09-06-2004, 01:55 AM

eth0 = 201.139.100.90 (1st NIC) - this card going out to internet (EXTERNALIF)
eth1 = 192.168.1.251 (2nd NIC) - this card is for LAN (DHCP)
eth2 = 201.139.31.250 (3rd NIC) - this is for DMZ (for server farm)

And 201.139.31.2 is ip address for the web server that i put it in the same vlan and same range with the 3rd card.

Hope this will answer you.

Thank you

karunesh · 09-06-2004, 09:35 PM

Pls post your complete firewall(iptables) rule list...

puding · 09-06-2004, 11:57 PM

unfortunately, yesterday we changed the firewall tu win2k server, it's a direction from my it administrator from the center. recently i'm a little bz with the conversation process. can karunesh give me your mail, i'll provide to you the iptables rules...
thank u

zatriz · 09-07-2004, 12:06 AM

Im thinking you need a rule to do nat to the dmz from local network
so from eth1 to eth2

$IPTABLES -A PREROUTING -t nat -i eth1 -p tcp -d 201.139.31.2 --dport 80 -j DNAT --to 2011.139.31.2
$IPTABLES -A FORWARD -i eth1 -p tcp -d 201.139.31.2 --dport 80 -j ACCEPT
might do it but yeah post your whole iptables ruleset