locally access server behind firewall

John A. Sullivan III john.sullivan at nexusmgmt.com
Wed Sep 1 20:05:03 CEST 2004

On Wed, 2004-09-01 at 13:53, Tom wrote:
> Hi,
> I have a linux firewall (iptables), and a linux server with apache 
> behind that firewall. My provider blocks ports below 1024, so I have a 
> prerouting-rule that redirects traffic like this:
> $IPTABLES -A PREROUTING -t nat -i $WWW p tcp -d $EXTIP --dport 8888 -j 
> DNAT --to $SERVER:80
> I also have 2 forward-rules:
> $IPTABLES -A FORWARD -i $WWW -o $LAN -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -o $WWW -p tcp --sport 80 -j ACCEPT
> and I have these two lines to allow my local pc's to connect to the 
> firewall with ssh and stuff like that:
> where:
>   $EXTIP = my external IP address
>   $WWW is eth1
>   $LAN is eth0
>   $SERVER = my server's internal IP address.
>   $INTLAN = ""
> This works really well when I try to connect from the outside to my 
> webserver. But, if I try to connect to http://myserver.com:8888 from the 
> internal network (or from my server itself), I always get 'connection 
> refused'. I'm pretty sure I need some other rules, but can someone 
> please help me in the good direction here? Thanks a lot!!
> PS: Here's a little drawing of the situation:
> SERVER (eth0) <----> (eth0) GATEWAY-PC (eth1) <----> internet
If I understand you correctly, you are trying to connect to the web
server on the internal network from devices on the internal network. 
That means the packets never pass through the firewall.  In that case,
no additional rules will help you.

You could force the traffic to pass through the firewall by placing the
web server on a physical DMZ (highly preferable if this web server
allows public access as it appears to - if someone cracks it, they will
be on your internal network) or on a logical DMZ.  To create a logical
DMZ, simply bind a second address for a separate subnet to the internal
interface of the firewall and change the web server internal address to
an address on that new subnet.

However, I would think the easiest thing to do is configure Apache to
answer on port 8888.  Hope this helps - John
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit

More information about the netfilter mailing list