On Wed, 6 Jun 2001, Simeon Johnston wrote:

> Simeon Johnston wrote:
> 
> > Phil Mendelsohn wrote:
> >
> > > > You may also need to make sure your forward (and output) rules allow
> > > > traffic to the web server.
> > >
> > > Right now output is set for -P ACCEPT.  For the forward rules to allow web
> > > traffic, would I want -j MASQ or -j ACCEPT?  From everywhere on port
> > > 80?  It's a little unclear where the forward rules end and the portfw
> > > takes over.
> >
> > Sample forwarding rule.  ipmasqadm handles the portfw command and is a
> > separate application from ipchains.
> > /usr/sbin/ipmasqadm portfw -a -P tcp -L RealIPofFirewall 80 -R InternalIP 80

OK -- done and done.  (First thing I tried, and yes I know about deleting
/ flushing the chains / portfws).

> > You have to masq all outgoing traffic from internal hosts.
> > ipchains -A forward -i externaldevice -s internalnetwork -d 0.0.0.0/0 -j MASQ
> 
> Sorry, forgot about accepting incoming port 80 to the firewall
> ipchains -A input -i externaldevice -p tcp -s 0.0.0.0/0 -d RealIPofFirewall 80
> -j ACCEPT

Did that, doesn't help.  Isn't that covered by input chain policy ACCEPT?

> > Since output is set to accept everything then that shouldn't be a problem.

> > Also need a kernel patch unless you're using 2.2.18-2.2.19 ( may be in 2.2.17
> > but I can't remember).  You'll need to get the application ipmasqadm.
> > It's probably already there depending on how recent and what distro you use.

I am using 2.2.18 CoyoteLinux with ipmasqadm already.  I'm starting to go
a little nuts here, because I seem to be doing everything right.  And it
ain't the machine, because I'm reading and writing these emails through
it!

Thanks for your help guys.  I'm going to flush it out and start from
scratch, but it's one lousy rule and one portfw!  (Could it be the -y
option or the TOS args?  Should I tell forward to -t 0x01 0x10?)

-- 
"To misattribute a quote is unforgivable." --Anonymous
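Added example, not posted by anyone in this thread: the complete 2.2 ipchains + ipmasqadm ruleset the exchange describes, written as a shell script that flushes the chains and portfw table, sets policies, and installs the input accept, the forward MASQ rule and the portfw entry in one pass. The interface names, addresses and network are placeholders (assumptions, exported as environment variables), and DRY_RUN defaults to 1 so the script prints the commands instead of executing them; set DRY_RUN=0 on the firewall to apply them. One rule beyond what the thread quotes is added on an assumption: with the forward policy set to DENY, the packet that portfw rewrites still traverses the forward chain on its way to the internal host, so an explicit ACCEPT for it is included.

```shell
#!/bin/sh
# Added example: minimal ipchains 2.2 / ipmasqadm port-forwarding ruleset.
# All names below are assumed placeholders; replace with the real ones.
EXT_IF="${EXT_IF:-eth0}"               # externaldevice
INT_IF="${INT_IF:-eth1}"               # internal device
FW_IP="${FW_IP:-192.0.2.1}"            # RealIPofFirewall (TEST-NET placeholder)
WEB_IP="${WEB_IP:-192.168.1.10}"       # InternalIP of the web server
INT_NET="${INT_NET:-192.168.1.0/24}"   # internalnetwork
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = execute them

# Print or execute a command, depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

apply_rules() {
  # Start clean so stale chain rules or portfw entries don't mask the result.
  run ipchains -F input
  run ipchains -F forward
  run ipchains -F output
  run ipmasqadm portfw -f

  # Policies as in the thread: input and output ACCEPT. Forward is DENY so
  # only the traffic explicitly listed below is routed through the box.
  run ipchains -P input ACCEPT
  run ipchains -P output ACCEPT
  run ipchains -P forward DENY

  # Inbound web traffic addressed to the firewall's public IP (redundant under
  # an ACCEPT input policy, but it documents intent and survives a later DENY).
  run ipchains -A input -i "$EXT_IF" -p tcp -s 0.0.0.0/0 -d "$FW_IP" 80 -j ACCEPT

  # Assumption: after portfw rewrites the destination to the internal host,
  # the packet still passes the forward chain, leaving via the internal
  # interface, so it needs an ACCEPT there when the policy is DENY.
  run ipchains -A forward -i "$INT_IF" -p tcp -s 0.0.0.0/0 -d "$WEB_IP" 80 -j ACCEPT

  # Masquerade everything the internal hosts send out the external interface.
  run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -d 0.0.0.0/0 -j MASQ

  # The portfw entry itself: public :80 -> internal web server :80.
  run ipmasqadm portfw -a -P tcp -L "$FW_IP" 80 -R "$WEB_IP" 80
}

# Number of chain rules (not policies, flushes or portfw) the script installs.
rule_count() {
  apply_rules | grep -c '^ipchains -A'
}

apply_rules
```

Running it with the defaults prints the full command sequence for review; comparing that output against `ipchains -L -n` and `ipmasqadm portfw -l` on the live box is the quickest way to spot the rule that is missing or ordered wrongly.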