On Friday 15 Jul 2005 13:40, askar k wrote:
> On 7/15/05, TreeBoy <[EMAIL PROTECTED]> wrote:
> > I am now getting really confused.
> >
> > You have three machines in the subnet 192.168.0.0/24
> >
> > They are:
> >
> > IP    FQDN               Description
> > 1     ???                Linux Firewall/Gateway
> > 100   www.mydomain.com   Linux webserver running apache
> > ?     ???                XP box
> >
> > You are trying to browse http on www.mydomain.com.
> >
> > You have DNS working on all machines. i.e. running "host
> > www.mydomain.com" (or ping on XP) on each computer gives the correct IP
> > address of 192.168.0.100.
>
> No, when I do "host www.mydomain.com" it gives me static ip address
> 213.xxx.xxx.xxx
Right. I trust that this IP address is the public IP address of your firewall.

I presume that you have also configured your firewall as described here:
http://shorewall.net/two-interface.htm

If these two statements are true, then are you sure that your ISP does not block port 80?

Check this by looking at what is being blocked in your logs. You should be able to see your attempts being blocked or dropped by issuing the following command on the firewall:

    # tail -f /var/log/syslog

If not, then shorewall is not blocking. Try issuing the same command on your webserver while trying to browse to it and you may see it is blocking or dropping.

If none of these add any info, then issue the following command on your firewall:

    # iptables -L|more

This shows what your firewall is actually set up to do with any packets. Look for the section labelled "Chain net2loc". This is where the DNAT forwarders should be listed.

The first entry in this section should be:

    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

This means any inbound connection that is associated with an already established outbound connection should be allowed. (This is for non-passive FTP amongst others.)

The last item should be:

    net2all    all  --  anywhere             anywhere

This says that anything not already covered in this section gets passed on to the chain called "net2all" which usually says "DROP".

The ones in between are where your specific forwarding/DNAT stuff should go. You should see something like:

    ACCEPT     tcp  --  anywhere             webserver.mynetwork.foo   tcp dpt:80

If that's not there, then forwarding is not happening. We'll have to look at your config if these lines do not appear.

> > Finally: Please reply to the list - not to me personally. These lists
> > offer others the ability to learn and to add input.
>
> I didn't know that messages went to you - I was just clicking reply button.
> Maybe somth wrong with your mail client settings. Please check.
> To the field "TO" I manually changed email address this time.
In your client, you have to specify "Reply to List", not just "Reply". I know that exists somewhere in GMail.

Cheers,

> > askar

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
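The three checks TreeBoy describes for the "net2loc" chain (RELATED,ESTABLISHED accept first, hand-off to net2all last, an ACCEPT tcp rule for dpt:80 in between) can be scripted so the listing is checked mechanically rather than by eye. The script below is an added example written for this thread, not code from the poster or from the Shorewall project. The two listings it checks are constructed samples in the shape of `iptables -L net2loc -n` output on a two-interface Shorewall box (numeric addresses, with 192.168.0.100 standing in for the web server); the function name `check_net2loc` is the example's own.

```shell
#!/bin/sh
# Constructed sample of "iptables -L net2loc -n" output with the
# port-80 DNAT forward to the web server present (not captured
# from the poster's firewall).
SAMPLE_OK='Chain net2loc (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.100        tcp dpt:80
net2all    all  --  0.0.0.0/0            0.0.0.0/0'

# Same constructed listing, but with the port-80 forward missing.
SAMPLE_MISSING='Chain net2loc (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
net2all    all  --  0.0.0.0/0            0.0.0.0/0'

# check_net2loc LISTING PORT
# Returns 0 when the listing has the three things the reply describes:
#   1. the first rule ACCEPTs state RELATED,ESTABLISHED
#   2. the last rule hands off to the net2all chain
#   3. an ACCEPT tcp rule for "dpt:PORT" sits in between
check_net2loc() {
    listing=$1
    port=$2
    # Drop the chain header and the column header; keep rule lines only.
    rules=$(printf '%s\n' "$listing" | grep -v '^Chain ' | grep -v '^target ')
    first=$(printf '%s\n' "$rules" | head -n 1)
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$first" in
        ACCEPT*RELATED,ESTABLISHED*) ;;
        *) echo "first rule is not the RELATED,ESTABLISHED accept"; return 1 ;;
    esac
    case "$last" in
        net2all*) ;;
        *) echo "last rule does not hand off to net2all"; return 1 ;;
    esac
    # Match the destination port at the end of the rule or before more text.
    if printf '%s\n' "$rules" | grep -qE "^ACCEPT +tcp .*dpt:$port( |$)"; then
        echo "port $port forward present in net2loc"
        return 0
    fi
    echo "no ACCEPT tcp rule for dpt:$port in net2loc: forwarding is not happening"
    return 1
}

# On the firewall itself this would be:
#   check_net2loc "$(iptables -L net2loc -n)" 80
check_net2loc "$SAMPLE_OK" 80
check_net2loc "$SAMPLE_MISSING" 80 || true
```

Run it as root with the live listing substituted for the sample; a non-zero exit pinpoints which of the three expectations from the reply is not met, which is quicker than scrolling through `iptables -L|more` by hand.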