[Firehol-support] Problem with two interface firewall with web servers behind NAT

Phil Whineray phil at firehol.org
Tue Mar 22 06:56:48 GMT 2016

Hi Kenny

On Tue, Mar 22, 2016 at 07:40:44AM +0100, Kenny Colliander Nordin wrote:
> Setup:
> eth0 = Internet
> eth1 = LAN with network
> = Web server
> I want all incoming eth0 traffic on port 80 and 443 to be forwarded to the
> web server at with the correlating port numbers.

Seems reasonable

> version 5
> dnat to inface eth0 proto tcp dport 80
> dnat to inface eth0 proto tcp dport 443
> interface eth1 lan src ""
>     policy accept
> interface eth0 internet
>     server http accept
>     server https accept
>     client all accept
> router internet2web inface eth0
>    server http accept dst
>    server https accept dst
>    client all accept
>    route all accept
> router lan2internet inface eth1 outface eth0
>     masquerade
>     client all accept
>     route all accept

OK, so you shouldn't need the server statements on the interface
since you are using dnat to ensure such traffic will be routed
instead - go ahead and remove those.

Likewise the "client all accept" and  "route all accept" should
not be needed in internet2web to achieve what you are talking about.
The "client all accept" in lan2internet will also try to permit
all traffic from outside onto the LAN. I suggest removing all of
these now - I guess you added them to try to get things to work.

The remaining commands look OK, frankly. You need to initiate a
connection with the firewall started and capture the logs [1].
If you are struggling to see what is wrong, show them here and
we can help.


[1] http://firehol.org/guides/firehol-troubleshooting/

More information about the Firehol-support mailing list