Some day ago, a friend post one problem for mi. whist this texts: I have a server whit 2 interfaces of network, where eth0 is the interfaces connetc to internet and eth1 to the internal network. This server hace a Squid only, but i setting the iptables for protection to the server. Iptables run from script and in this script i setting the redirection for the other server in my internal network to port 80 and 443. I follow the diferent how to and many manual, but the redirect no work, the NAT POSTROUTING work and the squid work to. My DNS is Ok, because the consult whit dig command the answer is the assigned ip. Here put the copy of my script: I was do all instruccion for that problem but I have the same problem, te server dont redirect to webserver for ports 80 and 443 all the rest services are ok only that services have problems, thanks for all now my /etc/sysconfig/iptables is this: # Firewall configuration written by redhat-config-securitylevel # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] #-A INPUT -j RH-Firewall-1-INPUT #-A FORWARD -j RH-Firewall-1-INPUT #-A RH-Firewall-1-INPUT -i lo -j ACCEPT #-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT #-A RH-Firewall-1-INPUT -p 50 -j ACCEPT #-A RH-Firewall-1-INPUT -p 51 -j ACCEPT #-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT #-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited #todo al localhost y a infocom -A INPUT -i lo -j ACCEPT -A INPUT -i eth0 -s rango_ip -d 0/0 -p all -j ACCEPT -A INPUT -i eth1 -s 172.16.0.0/24 -d 172.16.0.1/32 -p all -j ACCEPT #negamos el ping -A INPUT -i eth0 -p ICMP --icmp-type echo-request -j DROP -A INPUT -i eth1 -p ICMP --icmp-type echo-request -j DROP ## SALIDA SMTP - Para que el servidor se pueda conectar a otros MTA # Permitir salida SMTP -A INPUT -p tcp -m tcp --sport 25 -j ACCEPT -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT ## DNS Completo. ACEPTADO. -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT ## SQUID -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT ## FORWARD -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 80 -j ACCEPT -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 443 -j ACCEPT -A FORWARD -i eth1 -p tcp -d 172.16.0.3/32 --dport 80 -j ACCEPT -A FORWARD -i eth1 -p tcp -d 172.16.0.3/32 --dport 443 -j ACCEPT -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 53 -j ACCEPT -A FORWARD -i eth1 -p udp -s 172.16.0.0/24 --dport 53 -j ACCEPT ##OUTPUT -A OUTPUT -o eth1 -p tcp --dport 80 -j ACCEPT -A OUTPUT -o eth1 -p tcp --dport 443 -j ACCEPT -A OUTPUT -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -o eth1 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT COMMIT *nat :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] ##NAT e intranet des de el portal -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80 -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.0.3:443 -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE -A POSTROUTING -s 172.16.0.10/32 -o eth0 -j MASQUERADE -A POSTROUTING -s 172.16.0.9/32 -o eth0 -j MASQUERADE -A POSTROUTING -s 172.16.0.138/32 -o eth0 -j MASQUERADE COMMIT -------------------------------------------------------------- my /etc/sysconfig/iptables- # Additional iptables modules (nat helper) # Default: -empty- IPTABLES_MODULES="ip_nat_ftp" # Save current firewall rules on stop. # Value: yes|no, default: no #IPTABLES_SAVE_ON_STOP="no" # Save current firewall rules on restart. # Value: yes|no, default: no #IPTABLES_SAVE_ON_RESTART="no" # Save (and restore) rule counter. # Value: yes|no, default: no #IPTABLES_SAVE_COUNTER="no" # Numeric status output # Value: yes|no, default: no #IPTABLES_STATUS_NUMERIC="no" ----------------------------------------- the command iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- 200.55.135.8/29 anywhere ACCEPT all -- 172.16.0.0/24 valinor.mincex.org DROP icmp -- anywhere anywhere icmp echo-request DROP icmp -- anywhere anywhere icmp echo-request ACCEPT tcp -- anywhere anywhere tcp spt:smtp ACCEPT tcp -- anywhere anywhere tcp dpt:smtp ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:squid Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 172.16.0.0/24 anywhere tcp dpt:http ACCEPT tcp -- 172.16.0.0/24 anywhere tcp dpt:https ACCEPT tcp -- anywhere armagedon.mincex.orgtcp dpt:http ACCEPT tcp -- anywhere armagedon.mincex.orgtcp dpt:https ACCEPT tcp -- 172.16.0.0/24 anywhere tcp dpt:domain ACCEPT udp -- 172.16.0.0/24 anywhere udp dpt:domain Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:http ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:https Chain RH-Firewall-1-INPUT (0 references) target prot opt source destination ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited -------------------------------------------------------- and the command iptables -L -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- anywhere anywhere tcp dpt:http to:172.16.0.3:80 DNAT tcp -- anywhere anywhere tcp dpt:https to:172.16.0.3:443 ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:http ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:https Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE all -- ariadne.mincex.org anywhere MASQUERADE all -- 172.16.0.10 anywhere MASQUERADE all -- 172.16.0.9 anywhere MASQUERADE all -- maprinter.mincex.org anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ______________________________________________ Renovamos el Correo Yahoo! Nuevos servicios, más seguridad http://correo.yahoo.es