Scott Hadfield wrote:
> I'm having an interesting problem between my firewall and webserver
> right now and I'm hoping someone can explain the reason for why it's
> happening.
>
> Both my firewall and webserver are currently connected directly to the
> internet as well as an internal network. I want to do some testing with
> my firewall before putting it between my webserver and the internet. I
> set up iptables to forward all www packets to my webserver's internal IP
> 192.168.0.1. So, from the internet I should be able to connect to my
> webserver using either my webserver's IP or my firewall's IP. For some
> reason I can't connect to it via my firewall. However, if I bring down
> eth0, my external network card on the webserver, so that it's only
> connected to the internal network, I can suddenly access my webserver
> via the firewall. Can anyone explain why this might be happening?
Investigate.
Scrutinise the firewall logs; if these are not helpful then add MARK and LOG
rules to the relevant chains.
Read the webserver logs carefully - do the requests even get there, or is it
the firewall that stops them?
It does not appear to be the firewall, since you say it works when you
disconnect the webserver from the Internet.
Do you use Apache? If so, read the documentation on Listen and Bind
directives - twice.
Do you use virtual servers? Same as above, but read them three times...
You give next to no actual information, without which it is very hard to
offer more relevant help in your situation.
It is by no means an uncommon situation, but it is always *unique*.
People tend to forget that.
Plus, you can configure iptables in more ways than there are stars in the
sky - don't expect us to know which method you used...
> I have one other similar, but perhaps unrelated, problem with my
> firewall. When I set my firewall to forward SSH packets to a machine on
> my internal network I have no problems SSHing through my firewall to
> that machine from another machine, either internal or external.
Which are not at all the same: one goes through the firewall, the other
doesn't.
Take care of not thinking your firewall controls everything - it doesn't.
> But when
> I try SSHing from that machine (the machine which SSH is being forwarded
> to) to the firewall, it fails. In essence what I'm trying to do is SSH
> to myself, with the firewall in the middle. Can anyone explain this
> problem to me?
Not really, it would be nice if you could explain the problem ;-)
And post *data*, not what you think is the problem!
--
Jeroen Geilman
Gentoo 1.4 rc4