LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
10-27-2011, 02:53 AM   #1
MrBertie
LQ Newbie, Registered: Oct 2011, Posts: 6, Reputation: Disabled
Trust and open firewall to remote server


Hi, Newbie here

I'm struggling to get my firewall to do what I need.

Setup is ...

Internal network is protected from the internet via a linux box firewall that does all the port forwarding to the local servers that need internet visibility.

Local machine internet browsing all goes through a proxy, which is another separate linux box.

I need a local server to be able to fully see and communicate with a remote server without going through the proxy. I have put a proxy bypass entry in the server but I don't seem to be able to get the iptables rules correct to see the remote server.

The rules I have tried are

iptables -A INPUT -d xxx.xxx.xx.xxx -j ACCEPT
iptables -A FORWARD -d xxx.xxx.xx.xxx -j ACCEPT
iptables -A INPUT -s xxx.xxx.xx.xxx -j ACCEPT
iptables -A OUTPUT -d xxx.xxx.xx.xxx -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE

xxx.xxx.xx.xxx is the remote server ip address

TIA

Mark
 
10-27-2011, 03:23 AM   #2
fukawi1
Member, Registered: Apr 2009, Location: Melbourne, Distribution: Fedora & CentOS, Posts: 854, Reputation: 193
You really need to post more information...

How are you using the proxy? Manually? Automatically? Transparently?

What do you mean by "fully see and communicate"? How is it trying to communicate, what protocol, what port, etc.

Do the remote and/or proxy servers have firewall rules getting in the way?

Etc....
 
10-27-2011, 03:27 AM   #3
MrBertie (Original Poster)
LQ Newbie, Registered: Oct 2011, Posts: 6, Reputation: Disabled
I don't intend any traffic for this to go through the proxy, I want it to go through the firewall box.

I'm looking to open all ports to the remote server, and the firewall will need to NAT the packets back to the local server inside on the LAN.
 
10-27-2011, 03:41 AM   #4
fukawi1
Member, Registered: Apr 2009, Location: Melbourne, Distribution: Fedora & CentOS, Posts: 854, Reputation: 193
... and you answered a total of ZERO of the questions I asked, trying to obtain further information in order to help YOU.
 
10-27-2011, 03:47 AM   #5
MrBertie (Original Poster)
LQ Newbie, Registered: Oct 2011, Posts: 6, Reputation: Disabled
Quote, originally posted by fukawi1:
    You really need to post more information...

    How are you using the proxy? Manually? Automatically? Transparently?
It's a manual proxy that all the browsers are configured to use to get out to the internet. I have put a proxy bypass in for the remote IP I'm trying to get to which takes the default route through the firewall.

Quote, originally posted by fukawi1:
    What do you mean by "fully see and communicate"? How is it trying to communicate, what protocol, what port, etc.
I want all ports, all protocols open to the one remote server.

Quote, originally posted by fukawi1:
    Do the remote and/or proxy servers have firewall rules getting in the way?
Sorry, missed this question. No, in a test I can see a webpage hosted on the remote server when I go through my proxy, but when I go proxy bypass I can't get to it.

The proxy server and firewall on my site are 2 separate boxes.

I basically want the firewall to operate as a NAT box, but only to the one internet IP address.
 
10-28-2011, 07:17 AM   #6
MrBertie (Original Poster)
LQ Newbie, Registered: Oct 2011, Posts: 6, Reputation: Disabled
Anyone?
 
10-28-2011, 07:46 AM   #7
jschiwal
LQ Guru, Registered: Aug 2001, Location: Fargo, ND, Distribution: SuSE AMD64, Posts: 15,733, Reputation: 682
Either configure the proxy to allow traffic between the local and remote server, or use a different gateway device for the local server. Which device are the rules you posted for?

What is the function of the two servers? Which ports do they need?
 
10-28-2011, 07:51 AM   #8
MrBertie (Original Poster)
LQ Newbie, Registered: Oct 2011, Posts: 6, Reputation: Disabled
I'm needing rules for the CentOS firewall/gateway machine.

I'm told that I just need ports 80 and 443, but these should be fine through our proxy and just aren't.

Machine A needs to be able to talk through the firewall/gateway to machine B, and only machine B.
 
10-29-2011, 06:21 AM   #9
Noway2
Senior Member, Registered: Jul 2007, Distribution: Gentoo, Posts: 2,125, Reputation: 781
I believe that you are on the right track with your iptables script, but may have been using the wrong approach. See the following: http://www.linuxhomenetworking.com/w...les#Static_NAT

I think you need to use the PREROUTING and POSTROUTING functions of iptables, rather than the forward and output. While masquerade MAY achieve your goal, I don't think it is necessarily the right approach. I am not trying to be obtuse in my reply; I am not expert enough in iptables to give you a direct solution. I think you are after the function referred to as SNAT for mapping hosts 1:1, whereas masquerade is a 1:many mapping.

The second thing I would look into is running a traceroute between the two hosts, in both directions. This will help you to make sure that packets get directed through the proper gateway and tell you if traffic is getting stopped at a particular point, in which case you know where to look. Remember that traffic needs to go both directions AND that return traffic will NOT be on the service port, but on a random, higher, port number.
 
10-31-2011, 05:29 AM   #10
MrBertie (Original Poster)
LQ Newbie, Registered: Oct 2011, Posts: 6, Reputation: Disabled
Problem solved: I had typed ACCEPT in the firewall rules rather than MASQUERADE.

Thanks
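The ruleset the thread converges on (post #9's point about SNAT versus MASQUERADE and return traffic arriving on random high ports, post #10's ACCEPT-versus-MASQUERADE fix), written here as a least-privilege version that only lets machine A reach machine B on ports 80 and 443; this is an added example and not any poster's code. The LAN address, remote IP, interface name and the gen_rules/check_rules helpers are constructed for illustration.

```shell
#!/bin/sh
# Constructed example: scoped forwarding + NAT rules for a CentOS gateway so
# that one LAN host (machine A) can reach one remote IP (machine B) on
# 80/443 only. Addresses are documentation ranges, not real hosts.
LAN_HOST="192.168.1.10"     # machine A (assumed LAN address)
REMOTE_IP="203.0.113.5"     # machine B (the thread's xxx.xxx.xx.xxx)
WAN_IF="eth0"               # gateway's internet-facing interface (assumed)

# Emit the iptables commands instead of running them, so the ruleset can be
# reviewed first and then applied as root with:  gen_rules ... | sh
gen_rules() {
    lan=$1; remote=$2; wan=$3
    # FORWARD: new connections only from A to B, only on 80 and 443 ...
    for port in 80 443; do
        echo "iptables -A FORWARD -s $lan -d $remote -o $wan -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # ... plus replies to those connections. Replies come back on random high
    # ports, so match on connection state, never on a port number.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Anything else trying to cross the gateway is dropped by policy.
    echo "iptables -P FORWARD DROP"
    # nat/POSTROUTING needs a NAT target. ACCEPT here means "leave the packet
    # un-NATed", which is the mistake post #10 describes. MASQUERADE is scoped
    # to A -> B instead of masquerading everything; with a static public IP,
    # "-j SNAT --to-source <public ip>" is the 1:1 alternative post #9 names.
    echo "iptables -t nat -A POSTROUTING -s $lan -d $remote -o $wan -j MASQUERADE"
}

# Review check on a generated ruleset: fail if any nat POSTROUTING line lacks
# both a -s and a -d scope, or uses ACCEPT as its target. Returns 0 when clean.
check_rules() {
    ! printf '%s\n' "$1" | grep POSTROUTING | grep -Ev ' -s [^ ]+ -d [^ ]+ ' >/dev/null &&
    ! printf '%s\n' "$1" | grep -E 'POSTROUTING.*-j ACCEPT' >/dev/null
}

RULES=$(gen_rules "$LAN_HOST" "$REMOTE_IP" "$WAN_IF")
echo "$RULES"
check_rules "$RULES" && echo "# ruleset passes POSTROUTING scope check"
```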
 
  

