My idea: connections coming from inside the network to the firewall and going to the web server are not considered by the rules

> >>$PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
> >>    -s 0/0 --dport http \
> >>    -j DNAT --to-destination 192.168.1.2:80
> >>$PROG -t mangle -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
> >>    -o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport http \
> >>    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

I would try adding

$PROG -t nat -A PREROUTING -i $NIC_INTERNAL -p tcp \
    -s $INTERNAL_NETWORK --dport http -d $EXTERNAL_HTTP_ADDR \
    -j DNAT --to-destination 192.168.1.2:80
$PROG -t mangle -A FORWARD -i $NIC_INTERNAL -s $INTERNAL_NETWORK \
    -o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport http \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Hope this can help

Marco
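A complete hairpin (NAT loopback) ruleset of the kind discussed above, written as an added example and not taken from the reply or the original script. It adds a third rule, a POSTROUTING SNAT, because when the client and the web server sit on the same internal LAN the server would otherwise answer the client directly and the client, expecting a reply from the public address, would reset the connection. Interface names, addresses and the variable names NIC_INTERNAL, INTERNAL_NETWORK, EXTERNAL_HTTP_ADDR, WEB_SERVER and FIREWALL_INTERNAL_ADDR are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: hairpin / NAT-loopback rules for internal clients that reach
# the web server through the firewall's public address.
# All values below are constructed placeholders; override them from the environment.
PROG="${PROG:-iptables}"
NIC_INTERNAL="${NIC_INTERNAL:-eth1}"
INTERNAL_NETWORK="${INTERNAL_NETWORK:-192.168.1.0/24}"
EXTERNAL_HTTP_ADDR="${EXTERNAL_HTTP_ADDR:-203.0.113.10}"   # RFC 5737 documentation address
WEB_SERVER="${WEB_SERVER:-192.168.1.2}"
FIREWALL_INTERNAL_ADDR="${FIREWALL_INTERNAL_ADDR:-192.168.1.1}"

hairpin_rules() {
    # 1. Rewrite the destination: internal client -> public address becomes -> web server.
    "$PROG" -t nat -A PREROUTING -i "$NIC_INTERNAL" -s "$INTERNAL_NETWORK" \
        -d "$EXTERNAL_HTTP_ADDR" -p tcp --dport http \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # 2. Permit the forwarded flow; note that it enters and leaves on the same interface
    #    (the thread keeps this rule in the mangle table, so the example does too).
    "$PROG" -t mangle -A FORWARD -i "$NIC_INTERNAL" -o "$NIC_INTERNAL" \
        -s "$INTERNAL_NETWORK" -d "$WEB_SERVER" -p tcp --dport http \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. Rewrite the source so the server replies to the firewall, which un-NATs the
    #    answer back to the client; without this the client sees a SYN/ACK from
    #    $WEB_SERVER instead of $EXTERNAL_HTTP_ADDR and drops the connection.
    "$PROG" -t nat -A POSTROUTING -o "$NIC_INTERNAL" -s "$INTERNAL_NETWORK" \
        -d "$WEB_SERVER" -p tcp --dport http \
        -j SNAT --to-source "$FIREWALL_INTERNAL_ADDR"
}

# "show" prints the commands instead of applying them; "apply" needs root.
case "${1:-}" in
    show)  PROG=echo; hairpin_rules ;;
    apply) hairpin_rules ;;
esac
```

Run `sh hairpin.sh show` first to review the generated commands, then `apply` on the firewall.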