Simeon Johnston wrote:

> Phil Mendelsohn wrote:
> >
> > > You may also need to make sure your forward (and output) rules allow
> > > traffic to the web server.
> >
> > Right now output is set for -P ACCEPT. For the forward rules to allow web
> > traffic, would I want -j MASQ or -j ACCEPT, from everywhere on port
> > 80? It's a little unclear where the forward rules end and the portfw
> > takes over.
>
> Sample forwarding rule. ipmasqadm handles the portfw command and is a
> separate application from ipchains.
>
> /usr/sbin/ipmasqadm portfw -a -P tcp -L RealIPofFirewall 80 -R InternalIP 80
>
> You have to masq all outgoing traffic from internal hosts.
>
> ipchains -A forward -i externaldevice -s internalnetwork -d 0.0.0.0/0 -j MASQ

Sorry, forgot about accepting incoming port 80 to the firewall.

ipchains -A input -i externaldevice -p tcp -s 0.0.0.0/0 -d RealIPofFirewall 80 -j ACCEPT

> Since output is set to accept everything, that shouldn't be a problem.
> >
> > > Finally, if you don't already have it, you'll also need a port forward
> > > command (ipmasqadm portfw) to forward traffic from port 80 on the
> > > external I/F of the firewall to port 80 on the internal web server.
> > >
> > > Hope that helps,
> >
> > Quite a bit -- what's not clear is where does the port forwarding take
> > place in the IPchain. Or does it happen outside, and if so, when /
> > how. I think it's not as much like an audio/video patch panel as they
> > lead one to believe, or am I just a little lost in the woods?
>
> Also need a kernel patch unless you're using 2.2.18-2.2.19 (may be in 2.2.17
> but I can't remember). You'll need to get the application ipmasqadm.
> It's probably already there depending on how recent and what distro you use.
>
> HTH,
> sim
>
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
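The three pieces the thread arrives at (a MASQ rule on the forward chain, an input-chain ACCEPT for port 80 addressed to the firewall's public IP, and an ipmasqadm portfw entry) assembled into one script, as an added example; this is not code from the thread or from the ipchains/ipmasqadm projects. The interface names, addresses, the deny-by-default policies on the input and forward chains, and the anti-spoofing rule are assumptions added here; the 61000-65095 range is the 2.2 kernel's masquerading port range, which a deny-by-default input chain has to let return traffic into. The script prints the commands by default (DRY_RUN=1) so it can be reviewed on any machine, and only executes them when DRY_RUN=0 on a root shell with a masquerading-capable 2.2 kernel.

```shell
#!/bin/sh
# Added example (not from the thread): ipchains + ipmasqadm rule set that masquerades an
# internal network and forwards external TCP/80 to an internal web server.
# Interface names and addresses are placeholders (assumptions); override via environment.
EXT_IF="${EXT_IF:-eth0}"              # assumed external interface
INT_IF="${INT_IF:-eth1}"              # assumed internal interface
EXT_IP="${EXT_IP:-203.0.113.10}"      # assumed public address of the firewall (documentation range)
INT_NET="${INT_NET:-192.168.1.0/24}"  # assumed internal network
WEB_IP="${WEB_IP:-192.168.1.20}"      # assumed internal web server
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands, 0 = execute them (root, 2.2 kernel)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the whole rule set in the order packets meet it.
portfw_rules() {
    # Clean slate: deny by default on input and forward, accept on output (as in the thread).
    run ipchains -F input
    run ipchains -F forward
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT

    # input chain: loopback and the inside interface are trusted; an internal source
    # address arriving on the external interface is spoofed, so deny and log it.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l

    # input chain: web clients address the firewall's public IP, and the input chain
    # sees the packet with that destination, so the rule matches the public IP
    # (the thread's rule), not the internal web server.
    run ipchains -A input -i "$EXT_IF" -p tcp -s 0.0.0.0/0 -d "$EXT_IP" 80 -j ACCEPT

    # input chain: replies to masqueraded outbound connections return to the kernel's
    # masquerading port range (61000-65095 on 2.2); for TCP accept only non-SYN packets there.
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -d "$EXT_IP" 61000:65095 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -d "$EXT_IP" 61000:65095 -j ACCEPT

    # forward chain (-i is the outgoing interface here): masquerade everything the
    # internal network sends out through the external interface.
    run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -d 0.0.0.0/0 -j MASQ

    # Port forwarding is not a chain rule; it is a masquerading table managed by ipmasqadm.
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" 80 -R "$WEB_IP" 80
}

# Number of ipchains/ipmasqadm commands the rule set produces (dry-run self-check).
rule_count() {
    portfw_rules | grep -c '^ip'
}

portfw_rules
```

Run it once as-is to read the rules, then with `DRY_RUN=0 EXT_IF=... EXT_IP=... WEB_IP=...` to apply them; `/proc/sys/net/ipv4/ip_forward` still has to be set to 1 for the forward chain to see any traffic at all.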