* help with LAN to DMZ Forward rules
@ 2004-01-08  2:30 jr
  0 siblings, 0 replies; only message in thread
From: jr @ 2004-01-08  2:30 UTC (permalink / raw)
  To: netfilter

I'd like to request help with an iptables ruleset. There are 3 adapters on my Redhat 7.3, running iptables 1.2.8. EXTIF faces the Internet, and DMZ_IF and LAN_IF use reserved addresses in distinct subnets.

So far I've had success configuring it so the firewall allows access to the DMZ from the Internet, while only ESTABLISHED or RELATED packets are forwarded back into the LAN. That's the only FORWARDing happening on the firewall at this point.

What's got me stumped is how to FORWARD packets from the LAN to the DMZ.

There are a number of tutorials on the Internet that suggest the following code is the best way to achieve this:


# This one allows traffic from the DMZ to the LAN if it originated in the LAN:

$IPTABLES -A FORWARD -i $DMZ_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT


# And this one is supposed to allow hosts within the LAN to initiate an HTTP session with the webserver in the DMZ:

$IPTABLES -A FORWARD -i $LAN_IF -o $DMZ_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


The webserver in the DMZ is definitely working, and can be reached from the Internet. The tutorials point out that INPUT and OUTPUT rules would not affect what I'm trying to do here. My browser times out when I try to access the DMZ webserver from the LAN. There is an entry in the LAN computer's 'hosts' file for the webserver; typing the IP address of the DMZ webserver into the address bar of the browser also results in a timeout.

Thank you very much for your help.

Jamie
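
The two LAN/DMZ rules from the post, placed in a complete FORWARD chain for the Internet/DMZ/LAN layout described above, together with the checks worth running on the firewall before concluding that the rules themselves are wrong. This is an added example, not code from the original post; the interface names, the DMZ webserver address 192.168.2.10 and the HTTP port are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: the two LAN<->DMZ rules from the
# post placed in a complete FORWARD chain for the Internet/DMZ/LAN layout,
# plus the checks worth running first. Interface names, the webserver
# address and the port are assumptions.
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
LAN_IF="${LAN_IF:-eth2}"
DMZ_WEB="${DMZ_WEB:-192.168.2.10}"   # assumed DMZ webserver address

# Rebuild FORWARD with a DROP policy so rule order is known and nothing
# earlier in the chain can swallow LAN->DMZ packets before these rules.
load_forward_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    # Only replies to sessions a LAN host started are forwarded into the LAN
    # (whether they come back from the DMZ or from the Internet).
    $IPTABLES -A FORWARD -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open HTTP sessions to the DMZ webserver, nothing else.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$DMZ_WEB" \
        -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Internet -> DMZ webserver, and the replies back out to the Internet.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$DMZ_IF" -d "$DMZ_WEB" \
        -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$DMZ_IF" -o "$EXTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Before blaming the rules: is IP forwarding enabled at all, and are the
# FORWARD rules' packet counters moving when the browser tries to connect?
check_forwarding() {
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown)
    echo "ip_forward=$fwd"
    $IPTABLES -L FORWARD -v -n
}

if [ "${1:-}" = apply ]; then
    load_forward_rules
    check_forwarding
fi
```

Run the script with the argument `apply` as root on the firewall; with `IPTABLES=echo` in the environment it only prints the commands it would issue, which is a convenient way to review the rule order first.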
