Jason:

Wow, impressive ASCII diagrams. I never can get those to come out the way I want. Since you put so much work into your query I thought I'd see if I could help.

You say that when you type (on the Win98 client, in a web browser) http://192.168.0.200/ you get the web page. If this is the case, then your Ipchains/iptables/ipfwadm/whatever is set up fine, and the following may help you.

You don't say anything in your diagram about DNS, or which machine is your DNS server. The DNS is the way that server names are converted into IP addresses, and vice versa if required. So if you type (on the Win98 client, in a web browser) http://whatever/ and you expect the browser to retrieve a web page, your web browser has to have some way of turning "whatever" into an IP address.

The actual TCP/IP connection (called a "socket") is made between IP addresses by the computers. If the socket call is made with names, then the DNS is used to get an IP address from the name. If no IP address is available, the socket will fail to connect.

Normally you will have your DNS server specified in the TCP/IP configuration on the Win98 machine. Furthermore, the DNS server that you listed there should have some information about "whatever" in its zone files. Normally you will have a domain, say "something.com", so the FQDN (fully qualified domain name) of your web server might be "whatever.something.com". Your Win98 machine will know about the something.com domain in its TCP/IP configuration, and the DNS server you are using will have a zone file for something.com, and there will be an entry like this in that zone file:

    whatever 86400 IN A 192.168.0.200

Thus, when your Win98 machine tries to do a DNS lookup on "whatever" or "whatever.something.com", the DNS server will return the IP address 192.168.0.200.

I hope this helps. I didn't do any analysis of your logfiles, configuration files, etc. because you said it worked when you used the IP address...

--JimO

> Am grateful for any help . . .
>
> I am trying to access my Linux web server from my Win98 client by running
> through my Linux firewall (192.168.0.4). However, when I attempt to do so,
> I get a "There was no response. The server could be down or not responding"
> from the Win98 client. When I enter 192.168.0.200 directly I see the web
> page fine.
>
> Here's my physical setup:
>
>                    ------------------
>                    |                |
>                    |                |
>                    |                |
>                    |  Win98 client  |
>                    |                |
>                    ------------------
>                            |
>                    eth0 (192.168.0.101)
>    Internet here           |
>    (eventually)            |
>         |                  |
>         |                  |
>         |                  |
>         |                  |
>  eth1 (192.168.0.4)--------|        |
>         |                  |        |
>  ------------------        |   ------------------
>  |                |        -------|             |
>  |     Linux      |               |             |
>  |                |               |     Hub     |
>  |   firewall     |               |             |
>  |                |        -------|             |
>  ------------------        |   ------------------
>         |                  |        |
>  eth0 (192.168.0.111)------|        |
>                                     |
>                                     |
>                                     |
>                                     |
>                                     |
>                            eth0 (192.168.0.200)
>                                     |
>                            ------------------
>                            |                |
>                            |     Linux      |
>                            |   http/smtp    |
>                            |    server      |
>                            |                |
>                            ------------------
>
> --------------------------------------------------------------------------------------
>
> Here's my firewall setup:
>
> Flushing existing chains
> /sbin/iptables -F INPUT
> /sbin/iptables -F OUTPUT
> /sbin/iptables -F FORWARD
> /sbin/iptables -t nat -F
> Setting default policy ACCEPT
> /sbin/iptables -P INPUT ACCEPT
> /sbin/iptables -P OUTPUT ACCEPT
> /sbin/iptables -P FORWARD ACCEPT
> Setting up logging
> /sbin/iptables -A INPUT --source ! 127.0.0.1 --protocol tcp --source-port ! telnet --destination-port ! telnet --jump LOG --log-prefix net log entry
> /sbin/iptables -A OUTPUT --source ! 127.0.0.1 --protocol tcp --source-port ! telnet --destination-port ! telnet --jump LOG --log-prefix net log entry
> /sbin/iptables -A FORWARD --source ! 127.0.0.1 --protocol tcp --source-port ! telnet --destination-port ! telnet --jump LOG --log-prefix net log entry
> Enable outgoing NAT
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.4
> Enable incoming NAT
> /sbin/iptables -t nat -A PREROUTING -p TCP -i eth1 -d 192.168.0.4 --dport 25 -j DNAT --to-destination 192.168.0.200:25
> /sbin/iptables -t nat -A PREROUTING -p TCP -i eth1 -d 192.168.0.4 --dport 80 -j DNAT --to-destination 192.168.0.200:80
> /sbin/iptables -t nat -A PREROUTING -p TCP -i eth1 -d 192.168.0.4 --dport 110 -j DNAT --to-destination 192.168.0.200:110
> Done.
>
> Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
>  pkts bytes target  prot opt in   out  source      destination
>     0     0 LOG     tcp  --  *    *    !127.0.0.1  0.0.0.0/0    tcp spt:!23 dpt:!23 LOG flags 0 level 4 prefix `net log entry '
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target  prot opt in   out  source      destination
>     0     0 LOG     tcp  --  *    *    !127.0.0.1  0.0.0.0/0    tcp spt:!23 dpt:!23 LOG flags 0 level 4 prefix `net log entry '
>
> Chain OUTPUT (policy ACCEPT 1 packets, 861 bytes)
>  pkts bytes target  prot opt in   out  source      destination
>     0     0 LOG     tcp  --  *    *    !127.0.0.1  0.0.0.0/0    tcp spt:!23 dpt:!23 LOG flags 0 level 4 prefix `net log entry '
>
> Chain PREROUTING (policy ACCEPT 36 packets, 2256 bytes)
>  pkts bytes target  prot opt in   out  source      destination
>     0     0 DNAT    tcp  --  eth1 *    0.0.0.0/0   192.168.0.4  tcp dpt:25 to:192.168.0.200:25
>     0     0 DNAT    tcp  --  eth1 *    0.0.0.0/0   192.168.0.4  tcp dpt:80 to:192.168.0.200:80
>     0     0 DNAT    tcp  --  eth1 *    0.0.0.0/0   192.168.0.4  tcp dpt:110 to:192.168.0.200:110
>
> Chain POSTROUTING (policy ACCEPT 19 packets, 1064 bytes)
>  pkts bytes target  prot opt in   out  source      destination
>     0     0 SNAT    all  --  *    eth1 0.0.0.0/0   0.0.0.0/0    to:192.168.0.4
>
> Chain OUTPUT (policy ACCEPT 10 packets, 632 bytes)
>  pkts bytes target  prot opt in   out  source      destination
>
> ---------------------------------------------------------------------------
> After trying to access web server through firewall:
> ---------------------------------------------------------------------------
>
> root@julia /home/generic $ tail /var/log/messages
> Oct 16 04:29:34 julia kernel: net log entry IN=eth0 OUT= MAC=00:04:5a:55:87:e7:00:a0:cc:7c:11:05:08:00 SRC=192.168.0.101 DST=192.168.0.4 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=32017 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
> Oct 16 04:29:34 julia kernel: net log entry IN= OUT=eth0 SRC=192.168.0.4 DST=192.168.0.101 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=1382 WINDOW=0 RES=0x00 ACK RST URGP=0
> Oct 16 04:29:35 julia kernel: net log entry IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32273 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
> Oct 16 04:29:41 julia kernel: net log entry IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32785 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
> Oct 16 04:29:53 julia kernel: net log entry IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43025 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
>
> root@julia /home/generic $ iptables -L -t nat -nv
> Chain PREROUTING (policy ACCEPT 37 packets, 2304 bytes)
>  pkts bytes target  prot opt in   out  source      destination
>     0     0 DNAT    tcp  --  eth1 *    0.0.0.0/0   192.168.0.4  tcp dpt:25 to:192.168.0.200:25
>     1    48 DNAT    tcp  --  eth1 *    0.0.0.0/0   192.168.0.4  tcp dpt:80 to:192.168.0.200:80
>     0     0 DNAT    tcp  --  eth1 *    0.0.0.0/0   192.168.0.4  tcp dpt:110 to:192.168.0.200:110
>
> Chain POSTROUTING (policy ACCEPT 20 packets, 1112 bytes)
>  pkts bytes target  prot opt in   out  source      destination
>     0     0 SNAT    all  --  *    eth1 0.0.0.0/0   0.0.0.0/0    to:192.168.0.4
>
> Chain OUTPUT (policy ACCEPT 10 packets, 632 bytes)
>  pkts bytes target  prot opt in   out  source      destination
>
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech@clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech

-- 
Jim Ockers (ockers@ockers.net)
Contact info: please see http://www.ockers.net/
Fight Spam! Join CAUCE (Coalition Against Unsolicited Commercial Email) at http://www.cauce.org/ .
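Added example, not part of the thread: a small Python parser for the iptables LOG records quoted above that pairs each logged SYN with any logged reply for the reversed source/destination tuple, so a reader can see which connection attempts were refused with an RST and which got no logged answer at all. Field names follow the netfilter LOG format shown in the post; the sample lines are copied from the quoted log.

```python
from typing import Dict, List, Optional

# Sample input: the kernel LOG records quoted in the post above, one record
# per line (the iptables LOG target writes each record as a single line).
SAMPLE_LOG = """\
Oct 16 04:29:34 julia kernel: net log entry IN=eth0 OUT= MAC=00:04:5a:55:87:e7:00:a0:cc:7c:11:05:08:00 SRC=192.168.0.101 DST=192.168.0.4 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=32017 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 16 04:29:34 julia kernel: net log entry IN= OUT=eth0 SRC=192.168.0.4 DST=192.168.0.101 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=1382 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 16 04:29:35 julia kernel: net log entry IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32273 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 16 04:29:41 julia kernel: net log entry IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32785 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 16 04:29:53 julia kernel: net log entry IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43025 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
"""


def parse_netfilter_log(line: str) -> Optional[dict]:
    """Split one LOG record into KEY=value fields plus a set of bare flags
    (DF, SYN, ACK, RST ...). Returns None for lines that are not LOG output."""
    start = line.find(" IN=")
    if start < 0:
        return None
    rec: dict = {"flags": set()}
    for tok in line[start:].split():
        if "=" in tok:                      # IN= and OUT= may be empty
            key, val = tok.split("=", 1)
            rec[key] = val
        else:
            rec["flags"].add(tok)
    return rec


def classify_syns(log_text: str) -> List[Dict[str, str]]:
    """For every initial SYN, report the interfaces it crossed and whether a
    SYN/ACK, an RST, or no reply at all was logged for the reversed 4-tuple."""
    recs = [r for r in map(parse_netfilter_log, log_text.splitlines()) if r]
    replies: Dict[tuple, str] = {}
    for r in recs:
        if r.get("PROTO") != "TCP":
            continue
        key = (r["DST"], r["DPT"], r["SRC"], r["SPT"])   # as the initiator saw it
        if "RST" in r["flags"]:
            replies[key] = "rst"
        elif {"SYN", "ACK"} <= r["flags"]:
            replies[key] = "syn-ack"
    report = []
    for r in recs:
        if r.get("PROTO") == "TCP" and "SYN" in r["flags"] and "ACK" not in r["flags"]:
            key = (r["SRC"], r["SPT"], r["DST"], r["DPT"])
            report.append({"in": r["IN"], "out": r["OUT"], "src": r["SRC"],
                           "dst": f"{r['DST']}:{r['DPT']}",
                           "verdict": replies.get(key, "no-reply")})
    return report
```

On the quoted log this yields one SYN to 192.168.0.4:80 (arriving on eth0) answered with an RST, and three SYNs forwarded to 192.168.0.200:80 with no reply logged on the firewall.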