Thanks for taking the time to help, peter_robb; it's really appreciated. This is what I've got now:
echo " Accept all connections in and out"
# Forward everything between the two interfaces, and LAN to LAN; nothing is filtered here
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $INTIF -j ACCEPT
# Only reached by forwarded packets that none of the three ACCEPT rules above matched
$IPTABLES -A FORWARD -j LOG
echo " Routing internet address to intranet address for CDMO"
# the next block was added when making the CDMO non-proxied
# Rewrite the destination of anything addressed to the public IP to the internal host,
# whether it arrives on the LAN side or the internet side. PREROUTING only sees packets
# that arrive on an interface; packets the gateway generates itself never pass through it.
$IPTABLES -t nat -A PREROUTING -i $INTIF -d 12.170.16.134 -j DNAT --to-destination 192.168.0.134
$IPTABLES -t nat -A PREROUTING -i $EXTIF -d 12.170.16.134 -j DNAT --to-destination 192.168.0.134
# Allow new connections to the DNATed host (FORWARD sees the rewritten destination)
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -d 192.168.0.134 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -d 192.168.0.134 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $INTIF -d 192.168.0.134 -m state --state NEW -j ACCEPT
# Allow replies and related traffic in every direction
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
echo " Spoofing intranet address to internet address..."
#now spoof our intranet IP to our internet IP if we're leaving our intranet
# No -o restriction: any packet from the internal host that transits the gateway leaves with the public address
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.134 -j SNAT --to-source 12.170.16.134
echo " Enabling NPAT (MASQUERADE) functionality both internal and external"
# Everything else forwarded out either interface takes that interface's address
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
Now the outside world can see www.nerrenvirons.org (registered to 12.170.16.134 and actually hosted on 192.168.0.134) just fine, but nobody INSIDE my LAN can. I don't know if this is a firewall issue or some DNS issue.
From inside my LAN I get these results from dig:
[root@grampus root]# dig www.nerrenvirons.org
; <<>> DiG 9.2.1 <<>> www.nerrenvirons.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47687
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.nerrenvirons.org. IN A
;; Query time: 109 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 22 17:07:36 2003
;; MSG SIZE rcvd: 38
However, from the computer where everything actually resides (192.168.0.134) I get this:
[root@CDMO-blowfish root]# dig www.nerrenvirons.org
; <<>> DiG 9.2.1 <<>> www.nerrenvirons.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63966
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.nerrenvirons.org. IN A
;; ANSWER SECTION:
www.nerrenvirons.org. 10800 IN CNAME ns3.nerrenvirons.org.
ns3.nerrenvirons.org. 10800 IN A 12.170.16.134
;; AUTHORITY SECTION:
nerrenvirons.org. 10800 IN NS ns3.nerrenvirons.org.
;; Query time: 2 msec
;; SERVER: 192.168.0.134#53(192.168.0.134)
;; WHEN: Mon Sep 22 17:06:50 2003
;; MSG SIZE rcvd: 86
I can http to www.nerrenvirons.org from the actual system with no problem, which is really weird. That made me think there's some recursion problem at work, so I tried the following from my gateway (12.170.16.134) (inside my LAN, but not on the actual system serving the web pages):
[root@grampus root]# dig +trace www.nerrenvirons.org
; <<>> DiG 9.2.1 <<>> +trace www.nerrenvirons.org
;; global options: printcmd
. 509244 IN NS F.ROOT-SERVERS.NET.
. 509244 IN NS G.ROOT-SERVERS.NET.
. 509244 IN NS H.ROOT-SERVERS.NET.
. 509244 IN NS I.ROOT-SERVERS.NET.
. 509244 IN NS J.ROOT-SERVERS.NET.
. 509244 IN NS K.ROOT-SERVERS.NET.
. 509244 IN NS L.ROOT-SERVERS.NET.
. 509244 IN NS M.ROOT-SERVERS.NET.
. 509244 IN NS A.ROOT-SERVERS.NET.
. 509244 IN NS B.ROOT-SERVERS.NET.
. 509244 IN NS C.ROOT-SERVERS.NET.
. 509244 IN NS D.ROOT-SERVERS.NET.
. 509244 IN NS E.ROOT-SERVERS.NET.
;; Received 244 bytes from 127.0.0.1#53(127.0.0.1) in 75 ms
org. 172800 IN NS TLD1.ULTRADNS.NET.
org. 172800 IN NS TLD2.ULTRADNS.NET.
;; Received 120 bytes from 192.5.5.241#53(F.ROOT-SERVERS.NET) in 97 ms
nerrenvirons.org. 86400 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 86400 IN NS ns2.marisys.net.
;; Received 101 bytes from 204.74.112.1#53(TLD1.ULTRADNS.NET) in 55 ms
nerrenvirons.org. 77257 IN NS ns2.marisys.net.
nerrenvirons.org. 77257 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 13 ms
nerrenvirons.org. 77257 IN NS ns2.marisys.net.
nerrenvirons.org. 77257 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 14 ms
nerrenvirons.org. 77257 IN NS ns2.marisys.net.
nerrenvirons.org. 77257 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 13 ms
nerrenvirons.org. 77257 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77257 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 12 ms
nerrenvirons.org. 77257 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77257 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 13 ms
nerrenvirons.org. 77257 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77257 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 18 ms
nerrenvirons.org. 77257 IN NS ns2.marisys.net.
nerrenvirons.org. 77257 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 13 ms
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 13 ms
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 13 ms
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 13 ms
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 13 ms
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 12 ms
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 11 ms
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 28 ms
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 11 ms
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 11 ms
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 12 ms
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 12 ms
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 14 ms
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 13 ms
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 13 ms
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 15 ms
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 14 ms
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 15 ms
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 19 ms
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 13 ms
nerrenvirons.org. 77256 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77256 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 13 ms
nerrenvirons.org. 77255 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77255 IN NS ns2.marisys.net.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 13 ms
nerrenvirons.org. 77255 IN NS ns2.marisys.net.
nerrenvirons.org. 77255 IN NS ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 20 ms
nerrenvirons.org. 77255 IN NS ns2.marisys.net.
nerrenvirons.org. 77255 IN NS ns3.nerrenvirons.org.
dig: Too many lookups
[root@grampus root]# dig +norecursion www.nerrenvirons.org
; <<>> DiG 9.2.1 <<>> +norecursion www.nerrenvirons.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17088
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;www.nerrenvirons.org. IN A
;; AUTHORITY SECTION:
nerrenvirons.org. 77246 IN NS ns3.nerrenvirons.org.
nerrenvirons.org. 77246 IN NS ns2.marisys.net.
;; ADDITIONAL SECTION:
ns2.marisys.net. 10800 IN A 12.170.16.131
;; Query time: 26 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 22 17:12:02 2003
;; MSG SIZE rcvd: 101
Does that mean I've got a loop somewhere?
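The +trace output above shows the same two NS records for nerrenvirons.org being handed back over and over, alternately by ns3.nerrenvirons.org and ns2.marisys.net, until dig gives up. The following script is an added example, not code from the original post: it parses dig +trace text and reports when a zone's delegation is returned repeatedly, and which servers answered a query for a zone with a referral that names themselves (a server that is listed in the NS set it returns, instead of answering for the zone). The looping sample is a trimmed copy of the trace above; the healthy sample is constructed for a hypothetical zone example.org with documentation addresses and does not describe any real server.

```python
"""Detect a delegation loop in ``dig +trace`` output.

Added example, not code from the original post. dig 9.x prints, for each
referral, a block of NS records followed by a line such as
";; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 13 ms"
naming the server that sent the block. A healthy trace ends with an answer;
a looping one keeps receiving the same NS set for the same zone, typically
from a server that is itself listed in that NS set.
"""
import re
from collections import Counter

RECEIVED_RE = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+\((\S+)\)")
NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$")


def _norm(name):
    """Lower-case and drop the trailing dot so 'ns3.example.org.' == 'ns3.example.org'."""
    name = name.lower()
    return name if name == "." else name.rstrip(".")


def parse_trace(text):
    """Return one (zone, ns_names, server_ip, server_name) tuple per referral block."""
    steps = []
    block = []  # (zone, ns) records seen since the last ';; Received' line
    for raw in text.splitlines():
        line = raw.strip()
        m = NS_RE.match(line)
        if m:
            block.append((_norm(m.group(1)), _norm(m.group(2))))
            continue
        m = RECEIVED_RE.match(line)
        if m and block:
            zones = {zone for zone, _ in block}
            zone = zones.pop() if len(zones) == 1 else None
            names = frozenset(ns for _, ns in block)
            steps.append((zone, names, m.group(1), _norm(m.group(2))))
            block = []
    return steps


def find_referral_loop(text):
    """Summarise whether the trace went in circles and which servers caused it."""
    steps = parse_trace(text)
    seen = Counter((zone, names) for zone, names, _, _ in steps)
    return {
        "steps": len(steps),
        "aborted": "Too many lookups" in text,
        "repeats": max(seen.values(), default=0),
        "looping_zones": sorted(zone for (zone, _), n in seen.items() if n > 1 and zone),
        # a server that answers a query for a zone with a referral naming itself
        "self_referring_servers": sorted({name for _, names, _, name in steps if name in names}),
    }


# Constructed sample: a trimmed copy of the trace shown in the post.
SAMPLE_TRACE = """\
; <<>> DiG 9.2.1 <<>> +trace www.nerrenvirons.org
;; global options: printcmd
.                       509244  IN      NS      F.ROOT-SERVERS.NET.
.                       509244  IN      NS      A.ROOT-SERVERS.NET.
;; Received 244 bytes from 127.0.0.1#53(127.0.0.1) in 75 ms
org.                    172800  IN      NS      TLD1.ULTRADNS.NET.
org.                    172800  IN      NS      TLD2.ULTRADNS.NET.
;; Received 120 bytes from 192.5.5.241#53(F.ROOT-SERVERS.NET) in 97 ms
nerrenvirons.org.       86400   IN      NS      ns3.nerrenvirons.org.
nerrenvirons.org.       86400   IN      NS      ns2.marisys.net.
;; Received 101 bytes from 204.74.112.1#53(TLD1.ULTRADNS.NET) in 55 ms
nerrenvirons.org.       77257   IN      NS      ns2.marisys.net.
nerrenvirons.org.       77257   IN      NS      ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 13 ms
nerrenvirons.org.       77257   IN      NS      ns2.marisys.net.
nerrenvirons.org.       77257   IN      NS      ns3.nerrenvirons.org.
;; Received 101 bytes from 12.170.16.131#53(ns2.marisys.net) in 14 ms
nerrenvirons.org.       77257   IN      NS      ns3.nerrenvirons.org.
nerrenvirons.org.       77257   IN      NS      ns2.marisys.net.
;; Received 101 bytes from 12.170.16.134#53(ns3.nerrenvirons.org) in 13 ms
dig: Too many lookups
"""

# Constructed sample for a hypothetical zone (documentation addresses): the
# last hop returns an A record, so no NS block follows it and the trace ends.
SAMPLE_HEALTHY = """\
.                       509244  IN      NS      A.ROOT-SERVERS.NET.
;; Received 244 bytes from 127.0.0.1#53(127.0.0.1) in 75 ms
org.                    172800  IN      NS      TLD1.ULTRADNS.NET.
;; Received 120 bytes from 198.51.100.4#53(A.ROOT-SERVERS.NET) in 97 ms
example.org.            86400   IN      NS      ns1.example.org.
;; Received 101 bytes from 198.51.100.1#53(TLD1.ULTRADNS.NET) in 55 ms
www.example.org.        3600    IN      A       192.0.2.10
;; Received 70 bytes from 192.0.2.1#53(ns1.example.org) in 12 ms
"""

if __name__ == "__main__":
    for label, sample in (("post trace", SAMPLE_TRACE), ("healthy trace", SAMPLE_HEALTHY)):
        print(label, find_referral_loop(sample))
```

Feed it real output with `dig +trace name > trace.txt` and `find_referral_loop(open("trace.txt").read())`; a non-empty `self_referring_servers` list with `aborted` set is the signature of a resolver being bounced around a delegation rather than a plain timeout.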