If this is the case the firewall is probably NATing the outgoing traffic as well. In this case the packet will go out of the firewall and back in.
david

On 18 Jan 2002, Bret Hughes wrote:

> On Fri, 2002-01-18 at 14:50, David Talkington wrote:
> > David Talkington wrote:
> >
> > >Dave Wreski wrote:
> > >
> > >>> Now, however, the systems behind the firewall can't access the sites
> > >>> on the server...ie, workstation at 192.168.0.3 can't access any of the
> > >>> sites hosted on 192.168.0.1, because the DNS entries for those sites
> > >>> point them back outside the firewall...it would seem that, while the
> > >>> outside world can get through the firewall to get the sites, with no
> > >>> problem, the machines behind the firewall can't go outside the
> > >>> firewall and then back in.
> > >>
> > >>Sounds like you'll need to create a separate domain to refer to your web
> > >>server by the internal hosts, if I understand your problem correctly.
> > >
> > >Interesting puzzle. That was my thought, too, Dave, but I'm having
> > >trouble seeing why there should be a routing problem as it is. The
> > >hop will be all the way out (at least) to his ISP's router, but I'm
> > >not sure I see why this is causing a problem, except for the obvious
> > >performance hit. The NAT setup will just cause the router to think
> > >that his client is trying to connect back to port 80 on itself, which
> > >it should happily do.
> >
> > Duh. No, I'm loopy. The packet never leaves the network, because his
> > gateway thinks it's a local destination. I see now that the problem
> > is that the ruleset for forwarding back to the DNAT'ted server only
> > works for connections hitting the external interface. What the OP
> > needs, then, is some iptables tweaking to properly forward requests
> > from the private net, and then it should work fine without DNS
> > hassles.
> >
> > Yes? Or do I need still more coffee?
>
> This is exactly what I was thinking. But one can always use more
> coffee.
>
> Mike, Why don't you post your rules so we can look at them and David can
> fix them :)
>
> I saw a reference recently that explained the path through these filters
> but can't remember where.
>
> Bret
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
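The "iptables tweaking" discussed in the thread is usually called hairpin NAT; the following is an added example, not rules posted by anyone on the list. It prints (without applying) the rules for the thread's server at 192.168.0.1, and assumes a placeholder public address 203.0.113.10, a firewall LAN address 192.168.0.254, a /24 LAN and TCP port 80; `hairpin_rules` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: print, without applying, iptables rules that let LAN clients
# reach a DNAT'ted server through its public address (hairpin NAT).
# From the thread: web server 192.168.0.1, workstation 192.168.0.3.
# Assumed placeholders: public IP 203.0.113.10, firewall LAN IP 192.168.0.254.

hairpin_rules() {
    lan_net=$1; public_ip=$2; server_ip=$3; fw_lan_ip=$4; port=${5:-80}

    # Accept only digits, dots and a prefix slash, so the generated text can be
    # reviewed and piped to a shell without carrying anything else along.
    for v in "$lan_net" "$public_ip" "$server_ip" "$fw_lan_ip"; do
        case $v in
            ''|*[!0-9./]*) echo "bad address: '$v'" >&2; return 1 ;;
        esac
    done
    case $port in
        ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;;
    esac

    cat <<EOF
# 1. DNAT requests from the LAN to the public address; the match is on the
#    source network, not on the external interface.
iptables -t nat -A PREROUTING -s $lan_net -d $public_ip -p tcp --dport $port -j DNAT --to-destination ${server_ip}:${port}
# 2. SNAT them to the firewall's LAN address. Without this the server answers
#    the client directly on the LAN and the client drops the reply, because
#    it expects an answer from the public address.
#    Side effect: the server logs the firewall's address for LAN clients.
iptables -t nat -A POSTROUTING -s $lan_net -d $server_ip -p tcp --dport $port -j SNAT --to-source $fw_lan_ip
# 3. Allow the redirected connection and its replies through FORWARD.
iptables -A FORWARD -s $lan_net -d $server_ip -p tcp --dport $port -j ACCEPT
iptables -A FORWARD -s $server_ip -d $lan_net -p tcp --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Print the rules for the addresses above.
hairpin_rules 192.168.0.0/24 203.0.113.10 192.168.0.1 192.168.0.254 80
```

Review the printed rules before applying them, and restrict rule 1 to the LAN-facing interface with `-i` if the firewall has more than one internal network.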