Linux Netfilter discussions
From: "curby ." <curby.public@gmail.com>
To: Carsten Rachfahl <cr@raut.de>
Cc: netfilter@lists.netfilter.org
Subject: Re: INPUT chain doesen´t receive packets
Date: Wed, 7 Sep 2005 10:40:15 -0600
Message-ID: <5d2f3791050907094026f4167f@mail.gmail.com>
In-Reply-To: <63AFBCCB78FE6A40B65A4E8143344349582F86@hplxr80003.raut.net>

On 9/7/05, Carsten Rachfahl <cr@raut.de> wrote:
> I have problems with iptables and iproute2. In my scenario I want to use a host with a dsl connection on eth0 and a lan connection eth1 for policy based routing. I want to route http traffic generated by the host itself over eth0 and the rest over eth1. To solve the problem I 

Hopefully your situation is simple enough that you don't need to do
special routing.  Can you try to restate what you want to happen to
web traffic going through your firewall?  Does the LAN have access to
the Internet besides the DSL connection?  If not, it might be as
simple as using NAT, and leaving iproute2/ip alone.  Assuming the
firewall machine is routing for the LAN, and its DSL connection on
eth0 is the only way to the Internet, it sounds like you want to use
SNAT/masquerading to let LAN clients out onto the web, and stateful
rules to let replies back in.

If you have your own web server on the LAN and not on the same machine
as the firewall, you'll want to look for packets in the FORWARD chain,
not the INPUT chain.  You might also want to use DNAT to allow the
Internet to access the internal server, and stateful rules to let
replies back out.

I wasn't able to glean what your goals and network configuration are,
though, so these suggestions may be way off.

--Curby
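
The gateway setup suggested in the message above (masquerading for LAN clients, optional DNAT to an internal web server, stateful rules in FORWARD rather than INPUT), as an added example that is not part of the original message. The interface roles follow the thread (eth0 = DSL, eth1 = LAN); the server address 192.168.1.10, the function name and the script name are constructed for illustration.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset; it changes nothing itself.
# Assumed names: eth0 = DSL/WAN, eth1 = LAN, 192.168.1.10 = constructed server IP.
# Forwarding also requires net.ipv4.ip_forward=1 on the firewall host.

gateway_ruleset() {
    wan=$1; lan=$2; server=${3:-}
    if [ -z "$wan" ] || [ -z "$lan" ]; then
        echo "usage: gateway_ruleset WAN_IF LAN_IF [SERVER_IP]" >&2
        return 2
    fi
    ct="-m conntrack --ctstate"

    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    if [ -n "$server" ]; then
        # DNAT rewrites the destination before the routing decision, so the
        # packet is routed on to the LAN and traverses FORWARD, never INPUT.
        echo "-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $server:80"
    fi
    # Source-NAT everything leaving via the WAN link (suits a dynamic address).
    echo "-A POSTROUTING -o $wan -j MASQUERADE"
    echo "COMMIT"

    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # INPUT only sees traffic addressed to the firewall itself.
    # Add management access (e.g. SSH from the LAN) before applying for real.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT $ct ESTABLISHED,RELATED -j ACCEPT"
    # Stateful forwarding: replies ride on the connection-tracking entry.
    echo "-A FORWARD $ct ESTABLISHED,RELATED -j ACCEPT"
    # LAN clients may open web connections (DNS etc. would need own rules).
    echo "-A FORWARD -i $lan -o $wan -p tcp --dport 80 $ct NEW -j ACCEPT"
    if [ -n "$server" ]; then
        echo "-A FORWARD -i $wan -o $lan -d $server -p tcp --dport 80 $ct NEW -j ACCEPT"
    fi
    echo "COMMIT"
}

# Print the ruleset when called with arguments, e.g.:
#   sh gateway.sh eth0 eth1 192.168.1.10 | iptables-restore --test
if [ "$#" -ge 2 ]; then gateway_ruleset "$@"; fi
```

Piping the output through `iptables-restore --test` parses the ruleset without committing it, which is a safe first check before loading it on a remote machine.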

