LinuxQuestions.org

Linux - Networking: DMZ and iptables breaks my head!!! Advanced Help please!!!! (https://www.linuxquestions.org/questions/linux-networking-3/dmz-and-iptables-breaks-my-head-avanced-help-please-775798/)

MikeHammer 12-16-2009 10:48 PM

I'll add to that: to give you that answer, I stopped squid (/etc/init.d/squid stop) and commented out the port 3128 rule (#PREROUTING -s 192.168.111.0/24 -d 190.xxx.xxx.89/32 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128), so I went to the internet without the proxy, but it still did not work.

nimnull22 12-16-2009 10:51 PM

You want to say that you cannot connect to your web server from outside (for example from home)? Right?
Have you tried to connect to the IP and not to the URL from the outside world?

MikeHammer 12-16-2009 11:15 PM

Quote:

Originally Posted by nimnull22 (Post 3794740)
You want to say that you cannot connect to your web server from outside (for example from home)? Right?
Have you tried to connect to the IP and not to the URL from the outside world?

Yes, I cannot connect either through the public IP or through the URL from the outside world.

nimnull22 12-16-2009 11:26 PM

In your first post you said:
INET_IFACE="eth0"
INET_IP=200.xxx.xxx.89

But later you said:
eth0 190.xxx.xxx.89

What is the IP address of your web server that can be pinged from outside?

MikeHammer 12-16-2009 11:29 PM

Quote:

Originally Posted by nimnull22 (Post 3794781)
In your first post you said:
INET_IFACE="eth0"
INET_IP=200.xxx.xxx.89

But later you said:
eth0 190.xxx.xxx.89

What is the IP address of your web server that can be pinged from outside?

I'll send it to you by private message or email... ok?

nimnull22 12-16-2009 11:38 PM

I do not need to know it.
I just want to understand the address translation, because if you connect to the outside world through an ADSL router, that router has to have a port forward from its external IP:80 to some internal IP:80. And you have to be able to ping its external IP.
I just want to make sure.

MikeHammer 12-16-2009 11:50 PM

Quote:

Originally Posted by nimnull22 (Post 3794787)
I do not need to know it.
I just want to understand the address translation, because if you connect to the outside world through an ADSL router, that router has to have a port forward from its external IP:80 to some internal IP:80. And you have to be able to ping its external IP.
I just want to make sure.

The router is Debian Lenny (Squid-firewall), not ADSL but a cable modem.
And you can see in the iptables output that it is port forwarding IP:80 to DMZ:80.

nimnull22 12-16-2009 11:56 PM

The external public IP is assigned to your cable modem, not to your Squid-firewall, right?
Can you ping the cable modem from outside?
Does the cable modem forward port 80 to the inside network?

nimnull22 12-16-2009 11:58 PM

We continue tomorrow. Actually later today.

MikeHammer 12-17-2009 12:16 AM

Quote:

Originally Posted by nimnull22 (Post 3794806)
The external public IP is assigned to your cable modem, not to your Squid-firewall, right?
Can you ping the cable modem from outside?
Does the cable modem forward port 80 to the inside network?

Yes, it's clear. I told you that the dynamic public IP from the cable modem is redirected through Zoneedit. With that configuration the webserver (Apache2) worked fine mounted on server 190.xxx.xxx.89, UNTIL I moved the webserver to the DMZ, and on the DMZ we applied port forwarding to a subnet 192.168.222.0...
Because when I set the DMZ IP in the same LAN range 192.168.111.0 (for example 192.168.111.20) it also worked fine...
I mean that the outgoing traffic works well, but there is trouble when I change the IP of the DMZ to a range different from the LAN...

MikeHammer 12-17-2009 12:23 AM

Quote:

Originally Posted by nimnull22 (Post 3794807)
We continue tomorrow. Actually later today.

Yes... you rest :cool: and thanks for your support...

MikeHammer 12-17-2009 01:53 AM

I'm going to sleep; I leave this comment about the DMZ implementation with iptables/NAT etc... The text is extracted from the Oskar Andreasson page; he's the author of the iptables script that I use on the server (maybe you know him)...
I'm thinking about some of this, and about what the trouble is... and the solution...

--------paste----------------

"The De-Militarized Zone is in this case 1-to-1 NATed and requires you to do some IP aliasing on your firewall, i.e., you must make the box recognize packets for more than one IP. There are several ways to get this to work, one is to set 1-to-1 NAT, another one if you have a whole subnet is to create a subnetwork, giving the firewall one IP both internally and externally. You could then set the IP's to the DMZed boxes as you wish. Do note that this will "steal" two IP's for you, one for the broadcast address and one for the network address. This is pretty much up to you to decide and to implement."

----------end paste---------

nimnull22 12-17-2009 10:47 AM

Ok, if you are sure that your cable modem forwards port 80 to the local network, let's go further.
So the request reaches eth0=190.xxx.xxx.89:80, and according to your PREROUTING rule:
PREROUTING -d 190.xxx.xxx.89/32 -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.222.22
But to what port? How does it know where this packet will be sent? Check me, please.
I suggest changing that rule to:
PREROUTING -i eth0 -d 190.xxx.xxx.89/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.222.22:80


And the packet goes to the FORWARD chain, to 192.168.222.22 = eth2.
The forward chain was made only for forward rules - and not for filtering them.
So, assuming that from ALL incoming traffic to eth0 ONLY port 80 will be redirected to eth2, you need:
-A FORWARD -i eth0 -o eth2 -j ACCEPT
This rule should be the first in the forward rules chain.

And the packet now should enter the OUTPUT chain. As long as your default rule is
:OUTPUT DROP - nothing passes that chain. You need a rule that will allow packets to go out to 192.168.222.22:80=eth2.
-A OUTPUT -s 190.xxx.xxx.89/32 -j ACCEPT or -A OUTPUT --dst 192.168.222.22 -p tcp --dport 80 -j ACCEPT
VERY IMPORTANT - that rule should be FIRST in the OUTPUT chain. That is why I asked you to post "iptables-save", because you can see the sequence of rules.

Check everything.
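One way to do the rule-sequence check nimnull22 asks for offline, as an added example and not code from the thread: it parses an iptables-save dump (a constructed one modelled on the rules quoted above, interface names and addresses as in the posts, function names mine) and reports whether the PREROUTING DNAT for port 80 to the DMZ host exists, and whether the first FORWARD rule that could see the eth0 -> eth2 flow accepts it rather than dropping it.

```python
import re
# Constructed iptables-save excerpt modelled on the thread's rules (190.xxx.xxx.89 kept as the posts' placeholder).
SAMPLE_SAVE = """\
*nat
-A PREROUTING -i eth0 -d 190.xxx.xxx.89/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.222.22:80
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -d 192.168.222.22/32 -p tcp --dport 80 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
COMMIT
"""
def parse_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, rule)]}} from iptables-save text."""
    tables, cur = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A ") and cur is not None:
            chain, rule = line[3:].split(" ", 1)
            cur["rules"].append((chain, rule))
    return tables
def _could_match(rule, in_if, out_if, dst, port):
    """True unless the rule pins -i, -o, -d or --dport to something other than this flow."""
    for flag, want in (("-i", in_if), ("-o", out_if), ("-d", dst), ("--dport", str(port))):
        m = re.search(rf"(?:^| ){flag} (\S+)", rule)
        if m and m.group(1).split("/")[0] != want:
            return False
    return True
def check_dmz_path(text, ext_if, dmz_if, dmz_ip, port=80):
    """Findings for the DNAT rule and the FORWARD ordering of the ext_if -> dmz_ip:port flow."""
    t, findings = parse_save(text), []
    nat = t.get("nat", {"rules": []})["rules"]
    if not any(c == "PREROUTING" and f"--dport {port}" in r
               and f"-j DNAT --to-destination {dmz_ip}" in r for c, r in nat):
        findings.append(f"no PREROUTING DNAT for dport {port} to {dmz_ip}")
    filt = t.get("filter", {"policy": {}, "rules": []})
    for r in [r for c, r in filt["rules"] if c == "FORWARD"]:
        if not _could_match(r, ext_if, dmz_if, dmz_ip, port):
            continue  # this rule cannot see the flow, so its position is irrelevant
        if r.endswith("-j ACCEPT"):
            return findings  # first matching terminal rule accepts the flow
        if r.endswith(("-j DROP", "-j REJECT")):
            findings.append(f"FORWARD rule '{r}' comes before the DMZ accept")
            return findings
    findings.append(f"no FORWARD ACCEPT for -i {ext_if} -o {dmz_if} (policy {filt['policy'].get('FORWARD', '?')})")
    return findings
```

Run it against the real dump with `check_dmz_path(open("/path/to/iptables-save.txt").read(), "eth0", "eth2", "192.168.222.22")`; an empty list means both the DNAT and the FORWARD accept are in place and nothing earlier in FORWARD can drop the flow.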

MikeHammer 12-17-2009 01:04 PM

Thanks nimnull22

It seems that you've got the machine to a point of approximation :)

I'm not close to the server now, but later tonight I'll check this...
Regards

MikeHammer 12-17-2009 10:19 PM

nimnull22, I'm sorry... I did all the changes, but it still doesn't work... :(
In the O. Andreasson text pasted above, he talks about NAT 1:1...
How do I do it? Do you think that something like this could work?

Thanks very much for your support and patience

