Linux Netfilter discussions
From: "Darrell Dieringer" <netfilter@darrelldieringer.com>
To: "Keith R. Weiner" <keith@valiant.com>, netfilter@lists.netfilter.org
Subject: RE: netfilter and IIS5
Date: Mon, 7 Oct 2002 14:41:34 -0500
Message-ID: <IMEDICLPAGAOCBLCCKLPKEGPECAA.netfilter@darrelldieringer.com>
In-Reply-To: <AF435BB1224A4C4888B58C546728EE3229AA@s2.valiant.com>

A while ago I was dealing with what amounted to be an IIS issue.

First, are you doing any NAT?  Specifically, are you NAT-ing any
ports?

In my network setup (cable ISP, single real IP address, LAN plus
separate DMZ - all NAT-ed to the Internet with some services being
forwarded to the DMZ), where my ISP blocked incoming port 80 requests
somewhere upstream from me, I had the following problem:

If I forwarded w.x.y.z:3080 to dmz.a:80 (where IIS was listening), the
first thing IIS did was issue a redirect.  Check your IIS logs for
HTTP code 302 (IIRC) - redirect - that tells the requesting client
"Reach me on port 80 instead".  Since my port 80 was blocked upstream
by the ISP, the new request from the client never got to me.

But it worked fine inside my LAN since I didn't block port 80 to the
DMZ.

Since at the time I was a newbie to netfilter, I naturally assumed it
was a problem with my rules / setup.  Instead, it was a feature of IIS
(in my case IIS 4), combined with my ISP blocking port 80.

I changed IIS4 to listen on 3080 and changed my NAT to forward
w.x.y.z:3080 -> dmz.a:3080.  IIS no longer issued the redirect to the
blocked port, and everything worked fine.

This may not be your situation, but lacking most specifics about your
network, I'm taking a guess.  Hope it helps.

Darrell


> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of
> Keith R. Weiner
> Sent: Monday, October 07, 2002 11:21 AM
> To: netfilter@lists.netfilter.org
> Subject: netfilter and IIS5
>
>
> Excuse me if this is a newbie question.
>
> I am running IIS on Windows 2000 behind the DMZ.  The first
> linux box is using the old ipchains.  The second box is
> using netfilter.  From within the DMZ, I can access it.
> From the outside world, it is not accessible.  Other
> services are, but not IIS.
>
> Any help would be greatly appreciated.  Thanks.
>
>
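
Added example, not part of the original message: a small check for the failure described above, where a server reached through a port forward answers with a redirect to a port that is not reachable from outside. The host name www.example.test, the sample responses and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECTS = {301, 302, 303, 307, 308}

def parse_head(raw: bytes):
    """Return (status, headers) from the head of a raw HTTP response."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def check_redirect(raw: bytes, requested_url: str, open_ports: set) -> str:
    """Classify a response that was fetched through a port forward.

    open_ports: external TCP ports that really reach the server from outside.
    """
    status, headers = parse_head(raw)
    if status not in REDIRECTS or "location" not in headers:
        return "ok"
    req = urlsplit(requested_url)
    loc = urlsplit(headers["location"])
    req_port = req.port or DEFAULT_PORTS[req.scheme]
    if not loc.netloc:                       # relative Location: same host and port
        return "redirect-ok:%d" % req_port
    if loc.hostname != req.hostname:         # different host: outside this check
        return "redirect-other-host:%s" % loc.hostname
    port = loc.port or DEFAULT_PORTS.get(loc.scheme or req.scheme, 80)
    verdict = "redirect-ok" if port in open_ports else "redirect-to-blocked-port"
    return "%s:%d" % (verdict, port)

# Constructed samples (not captured traffic): the 302 the message describes, and a plain 200.
URL = "http://www.example.test:3080/"
BROKEN = (b"HTTP/1.1 302 Object moved\r\n"
          b"Location: http://www.example.test/default.asp\r\n\r\n")
FIXED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for name, raw in (("forward 3080->80", BROKEN), ("forward 3080->3080", FIXED)):
        print(name, "=>", check_redirect(raw, URL, {3080}))
```
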


