Quote:
Here are my rules. I have already turned on IP forwarding in /etc/sysctl.conf
.
.
.
#iptables -t nat -A POSTROUTING -o eth2 -s 10.10.10.0/24 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth1 -s 10.10.10.0/24 -j MASQUERADE
#iptables -t nat -A PREROUTING -d <staticIp1> -p tcp --dport 80 -j DNAT --to-destination 10.10.10.75:80
#iptables -t nat -A POSTROUTING -s 10.10.10.75 -j SNAT --to-source <staticip1>
#iptables -t nat -A OUTPUT -p tcp --dst <staticIP1> --dport 80 -j DNAT --to-destination 10.10.10.75:80
#iptables -t nat -A PREROUTING -d <staticIp2> -p tcp --dport 80 -j DNAT --to-destination 10.10.10.75:80
#iptables -t nat -A POSTROUTING -s 10.10.10.75 -j SNAT --to-source <staticip2>
#iptables -t nat -A OUTPUT -p tcp --dst <staticIP2> --dport 80 -j DNAT --to-destination 10.10.10.75:80
.
.
.
Well, hopefully, that pound sign at the beginning of the line is supposed to indicate that you're issuing those commands while logged in as root. If not that could be your problem.
I have a similar set of commands for redirecting HTTP traffic to an internal web server. My hardware configuration is a little different. Instead of using multiple ethernet interfaces, I have multiple IP aliases on a single external interface (eth1). I don't think the difference is significant.
In my firewall setup, I use:
Code:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
.
.
.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
.
.
.
iptables --append OUTPUT --protocol all --source 127.0.0.1 --jump ACCEPT
iptables --append OUTPUT --protocol all --source ${INTERNAL_IP} --jump ACCEPT
iptables --append OUTPUT --protocol all --source ${EXTERNAL_IP} --jump ACCEPT
.
.
.
[ a whole bunch of filtering/logging commands ]
.
.
.
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
.
.
.
iptables --table nat --append POSTROUTING --out-interface eth1 --jump SNAT --to-source ${EXTERNAL_IP}
.
.
.
iptables --table nat --append PREROUTING --in-interface eth1 --destination ${EXTERNAL_IP} --source ${ANYONE} --protocol tcp --destination-port 80 --jump DNAT --to-destination ${WWW_IP}:80
where $EXTERNAL_IP is the IP address on the dirty side of the firewall, $ANYONE is "0/0", and $WWW_IP is the internal IP address (192.168.what.ever). I only showed one of the PREROUTING commands I have set up.
Now the only difference that I see -- other than my use of the long option names -- is what's specified in the "-s" or "--source" switches, and the way you've set up the OUTPUT. I also don't have any of the commands that include the MASQUERADE target. If you have static IP addresses (and you said you do), I think the MASQUERADE target can cause problems. See the iptables(8) manpage where the target extensions are discussed. I suspect you'll need to switch those to use the SNAT target.
Hope this gives you some ideas to try...
--
Rick
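The setup discussed in this thread, written out as an added example (this is not code from either poster): TCP/80 arriving on two static public addresses is forwarded to one internal web server with DNAT, outbound traffic uses SNAT rather than MASQUERADE, and the FORWARD chain explicitly accepts the forwarded connection, which a DROP policy would otherwise silently discard. The interface name, the addresses, the LAN range and the script name are assumptions; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread. Forwards TCP/80 arriving on
# static public addresses to one internal web server, using SNAT instead
# of MASQUERADE as the reply above recommends. Interface names, addresses
# and the LAN range are assumptions; adjust them to your own setup.
# Run as root, or set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth1}"            # dirty-side interface
WWW_IP="${WWW_IP:-192.168.1.75}"    # internal web server
LAN_NET="${LAN_NET:-192.168.1.0/24}" # internal network behind the firewall

# nat_rules PUBLIC_IP...  -- one DNAT pair per public address, one SNAT.
nat_rules() {
    primary="$1"
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F OUTPUT
    $IPT -t nat -F POSTROUTING
    for ext_ip in "$@"; do
        # inbound from the outside: PUBLIC_IP:80 -> WWW_IP:80
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$ext_ip" -p tcp --dport 80 \
            -j DNAT --to-destination "${WWW_IP}:80"
        # traffic the firewall itself sends to PUBLIC_IP:80 goes through
        # the nat OUTPUT chain, not PREROUTING, so it needs its own rule
        $IPT -t nat -A OUTPUT -d "$ext_ip" -p tcp --dport 80 \
            -j DNAT --to-destination "${WWW_IP}:80"
    done
    # Outbound source rewrite. The first matching POSTROUTING rule wins, so
    # two SNAT rules for the same source would leave the second one dead;
    # use a single rule with one primary public address.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$primary"
}

# forward_rules -- DNAT alone does nothing useful with FORWARD policy DROP;
# the forwarded connection and its replies must be accepted here as well.
forward_rules() {
    $IPT -A FORWARD -i "$EXT_IF" -d "$WWW_IP" -p tcp --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -o "$EXT_IF" -s "$WWW_IP" -p tcp --sport 80 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Apply only when public addresses are given on the command line, e.g.
#   sh nat.sh 203.0.113.10 203.0.113.11
if [ "$#" -gt 0 ]; then
    nat_rules "$@"
    forward_rules
fi
```

A dry run (IPT=echo sh nat.sh 203.0.113.10 203.0.113.11) prints the exact rule set before anything touches the running firewall, which is worth doing on a remote box with a DROP policy.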