I'm hoping there's something obvious I've missed here. I have NAT rules set up to forward a few different ports to an internal machine. When a request comes in from the internet, everything works as planned.
However, if I hit my external IP from inside the network with the same port, the request terminates at the firewall machine instead of being forwarded to the right place.
Is there something obvious that I'm doing wrong? The generated iptables rules are below.
# Generated by iptables-save v1.4.4 on Wed Sep 7 20:36:37 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Cid4488E49C.0 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.11/32 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -s XXX.XXX.XXX.XXX/32 -m state --state NEW -j ACCEPT
-A INPUT -s 10.0.0.1/32 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 5050,22,5900 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -m state --state NEW -j ACCEPT
-A INPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.0.11/32 -p tcp -m tcp --dport 5900 -m state --state NEW -j ACCEPT
-A FORWARD -d 10.0.0.10/32 -p tcp -m tcp --dport 5050 -m state --state NEW -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.0.0.11/32 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp -m multiport --dports 5050,22,5900 -m state --state NEW -j Cid4488E49C.0
-A OUTPUT -p udp -m udp --dport 67 -m state --state NEW -j Cid4488E49C.0
-A OUTPUT -d 10.0.0.11/32 -p tcp -m tcp --dport 5900 -m state --state NEW -j ACCEPT
-A OUTPUT -d 10.0.0.10/32 -p tcp -m tcp --dport 5050 -m state --state NEW -j ACCEPT
-A OUTPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
-A OUTPUT -j DROP
-A Cid4488E49C.0 -d XXX.XXX.XXX.XXX/32 -j ACCEPT
-A Cid4488E49C.0 -d 10.0.0.1/32 -j ACCEPT
COMMIT
# Completed on Wed Sep 7 20:36:37 2011
# Generated by iptables-save v1.4.4 on Wed Sep 7 20:36:37 2011
*nat
:PREROUTING ACCEPT [114:15633]
:POSTROUTING ACCEPT [1:48]
:OUTPUT ACCEPT [1:48]
-A PREROUTING -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5050 -j DNAT --to-destination 10.0.0.10:5050
-A PREROUTING -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.11:5900
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
-A OUTPUT -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5050 -j DNAT --to-destination 10.0.0.10:5050
-A OUTPUT -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.11:5900
COMMIT
# Completed on Wed Sep 7 20:36:37 2011
If you are connecting to the 10.0.0.10 server from another machine on the 10.0.0.0/24 network, there could be a problem with the way packets are routed. For example, if your source is 10.0.0.99 and you connect to 10.0.0.10 via the public IP address, the response packets from the 10.0.0.10 server will be sent directly to 10.0.0.99, which will drop them since it doesn't have a half-open connection with 10.0.0.10 (the half-open connection is with the public IP).
One possible solution is double NAT. Here's an example:
http://www.fwbuilder.org/4.0/docs/users_guide5/double_nat.html
Btw, a better place to get fwbuilder support is from either the fwbuilder mailing list or discussion forum on SF.
http://sourceforge.net/projects/fwbuilder/forums/forum/16372
https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
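As an added example (not part of the original question or of either answer), here is the "double NAT" the answer above is describing, written as a shell script of iptables commands for the two forwards in the question. It assumes eth0 is the LAN interface and 10.0.0.1 is the firewall's LAN address; neither is stated in the question. eth1 as the external interface is taken from the question's MASQUERADE rule, and XXX.XXX.XXX.XXX is the question's own placeholder for the public address.

```shell
#!/bin/sh
# Added example, not from the original post.  Hairpin ("double") NAT for the
# port forwards in the question: LAN clients that connect to the public IP are
# DNATed to the internal server AND SNATed to the firewall's LAN address, so
# the server's replies come back through the firewall and are un-NATed there.
#
# Assumptions (not stated in the question): eth0 is the LAN interface and
# 10.0.0.1 is the firewall's LAN address.  eth1 as the external interface is
# taken from the question's MASQUERADE rule.  XXX.XXX.XXX.XXX is the question's
# placeholder for the public address; override with PUBLIC_IP=... when running.

PUBLIC_IP="${PUBLIC_IP:-XXX.XXX.XXX.XXX}"
LAN_NET="10.0.0.0/24"
LAN_IF="${LAN_IF:-eth0}"
FW_LAN_IP="${FW_LAN_IP:-10.0.0.1}"

# Without APPLY=1 the script only prints the rules, so they can be reviewed
# (or generated on a non-root box) before touching the firewall.
[ -n "$APPLY" ] || DRY_RUN=1

# ipt: print or execute one iptables command depending on DRY_RUN.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# hairpin_forward PROTO PORT INTERNAL_IP
# Emits the three rules one forwarded service needs.  Rules 1 and 3 are
# already present in the question's dump; rule 2 is the missing piece.
hairpin_forward() {
    hp_proto="$1"; hp_port="$2"; hp_internal="$3"

    # 1. Rewrite the destination for anything aimed at the public IP:port,
    #    whether it arrives from the internet or from the LAN.
    ipt -t nat -A PREROUTING -d "$PUBLIC_IP" -p "$hp_proto" --dport "$hp_port" \
        -j DNAT --to-destination "$hp_internal:$hp_port"

    # 2. For LAN-sourced packets that were just DNATed to the server, also
    #    rewrite the source to the firewall.  Otherwise the server answers
    #    10.0.0.x directly and the client, which is waiting for a reply from
    #    the public IP, drops it.  The question's MASQUERADE rule only covers
    #    -o eth1, so this LAN-to-LAN case is never source-translated there.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$hp_internal" -o "$LAN_IF" \
        -p "$hp_proto" --dport "$hp_port" -j SNAT --to-source "$FW_LAN_IP"

    # 3. Let the rewritten packet through the filter table.
    ipt -A FORWARD -d "$hp_internal" -p "$hp_proto" --dport "$hp_port" \
        -m state --state NEW -j ACCEPT
}

# The two services forwarded in the question.
apply_all() {
    hairpin_forward tcp 5050 10.0.0.10
    hairpin_forward tcp 5900 10.0.0.11
}

apply_all
```

Run it as-is to see the rules, or with APPLY=1 as root to load them. Two caveats: the server now sees every hairpinned connection as coming from 10.0.0.1, so its logs and any source-address ACLs lose the real client address; and if you prefer one catch-all rule to per-service SNAT lines, "iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -m conntrack --ctstate DNAT -j MASQUERADE" does the same for every DNATed LAN-to-LAN flow. The usual alternative to hairpin NAT altogether is split-horizon DNS, so that internal clients resolve the name to 10.0.0.10 and never go through the firewall.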
If it's open to the world and you can access the server via its internal IP, then I see no problem. If you really want to access it from the external IP internally, then I would ask to see a copy of the error log or access log on the NAT. Are you also perhaps behind a proxy or second IP where your "external" IP is different than that of the NAT? Hopefully we can solve this.