hi. my friend's network has a lotus domino server that has both a public ip and a lan ip. he asked me to set up a linux firewall and put the lotus domino server behind it, while maintaining accessibility from the outside via port forwarding.

the domino server's public ip is xxx.xxx.103.29 and its LAN ip is 10.10.0.1. the firewall's public ip is xxx.xxx.103.26 and its LAN ip is 10.10.0.50. i issued a couple of iptables commands like this:

Code:
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source xxx.xxx.103.26
# iptables -t nat -A PREROUTING -i eth0 -p tcp -d xxx.xxx.103.26 --dport 80 -j DNAT --to-destination 10.10.0.1:80
i fired up a web browser (from another public ip) to http://xxx.xxx.103.26 and it timed out. there is another box on the lan, 10.10.0.3, but this one has no public ip. it has port 80 open (smc wireless network manager web interface), and i thought i could use it for testing.

Code:
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source xxx.xxx.103.26
# iptables -t nat -A PREROUTING -i eth0 -p tcp -d xxx.xxx.103.26 --dport 80 -j DNAT --to-destination 10.10.0.3:80
i fired up a browser and it connected successfully. this time i thought that the problem was beyond my iptables syntax. i nmapped both public ips, and i noticed something.

[root@localhost ~]# nmap xxx.xxx.103.26
22/tcp open ssh
25/tcp filtered smtp
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1080/tcp filtered socks
1720/tcp filtered H.323/Q.931
6112/tcp filtered dtspc
this is kinda odd since the firewall is running linux, and the only open port on it is 22.

[root@localhost ~]# nmap xxx.xxx.103.29
25/tcp filtered smtp
80/tcp open http
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1027/tcp open IIS
1080/tcp filtered socks
1352/tcp open lotusnotes
1720/tcp filtered H.323/Q.931
2105/tcp open eklogin
3389/tcp open ms-term-serv
looking from the outside (internet), the domino server has the same 'filtered' ports as the firewall. the only thing the two have in common is the gateway ip. here's the gateway's nmap result:

[root@localhost ~]# nmap xxx.xxx.103.25
25/tcp filtered smtp
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1080/tcp filtered socks
1720/tcp filtered H.323/Q.931

i might be wrong, but i came to the conclusion that the gateway has something to do with the firewall not being able to do port forwarding to computers with both public and private interfaces, with the public interface passing through the gateway. at first i thought it was safe to leave the public ip on the domino server running, since i was at the 'seeing if stuff works' stage then. but still, i admit i lack a lot of knowledge in ip/packet filtering and i need as much advice as i can get.

questions:

1. is it safe to assume that if i turn off the public interface on the domino server, run services on the lan scope, and do port forwarding from the gateway, this specific problem will go away?

2. what could be the exact reason why i can't do port forwarding to the domino's lan ip while the public ip is active? why can i do port forwarding to the smc server (which has no public ip) and to localhost (the firewall), but not to a computer within the lan that has a public ip?

i'm sorry for the long post; hoping for all your help.
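The behaviour described in the post (forwarding to 10.10.0.3 works, forwarding to the dual-homed 10.10.0.1 times out) is exactly what a return-path model of DNAT predicts: conntrack can only reverse the DNAT on a reply that comes back through the firewall. The following is an added example, not code from the poster or from any of the products named above. It models each server's routing table and traces one client SYN through the firewall's DNAT and the server's reply route. The public addresses use the TEST-NET documentation ranges as constructed stand-ins for the masked xxx.xxx.103.0/24 block; the routing tables (domino's default route via the upstream gateway, the SMC box's default route via the firewall), the LAN interface name eth1 and the client address are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins: TEST-NET blocks replace the masked xxx.xxx.103.x
# prefix; the LAN addresses are the ones given in the post.
CLIENT = "198.51.100.7"          # assumed: the browser on "another public ip"
GW = "203.0.113.25"              # upstream gateway (the post's xxx.xxx.103.25)
FW_PUB, FW_LAN = "203.0.113.26", "10.10.0.50"
DOMINO_PUB, DOMINO_LAN = "203.0.113.29", "10.10.0.1"
SMC_LAN = "10.10.0.3"
FORWARDED_PORT = 80

# Routing tables as (prefix, next hop); "direct" means on-link delivery.
# Assumed from the post: the SMC box defaults to the firewall, the dual-homed
# domino server defaults to the upstream gateway on its public interface.
SMC_ROUTES = [("10.10.0.0/24", "direct"), ("0.0.0.0/0", FW_LAN)]
DOMINO_ROUTES = [("10.10.0.0/24", "direct"), ("203.0.113.24/29", "direct"),
                 ("0.0.0.0/0", GW)]
DOMINO_FIXED_ROUTES = [("10.10.0.0/24", "direct"), ("0.0.0.0/0", FW_LAN)]


def next_hop(routes, dst):
    """Longest-prefix match over a list of (network, via) entries."""
    dst = ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def trace(server_routes, server_lan_ip, lan_snat=False):
    """Follow one client SYN through PREROUTING DNAT and the server's reply.

    lan_snat=True models an extra SNAT on the firewall's LAN side, so the
    server sees the firewall's LAN address, not the client, as the source.
    """
    # DNAT rewrites only the destination; the source the server sees is the
    # client's public address unless the firewall also SNATs on the LAN side.
    src_seen_by_server = FW_LAN if lan_snat else CLIENT

    # The server answers that source using its own routing table.
    hop = next_hop(server_routes, src_seen_by_server)
    through_firewall = hop == FW_LAN or (
        hop == "direct" and src_seen_by_server == FW_LAN)

    # Only a reply that re-enters the firewall is un-DNATed back to FW_PUB;
    # otherwise the client gets a SYN-ACK from a private address it never
    # contacted (if the upstream gateway forwards it at all) and times out.
    reply_source = FW_PUB if through_firewall else server_lan_ip
    return {
        "reply_next_hop": hop,
        "through_firewall": through_firewall,
        "client_sees_reply_from": reply_source,
        "client_ok": reply_source == FW_PUB,
    }


def forwarding_rules(server_lan_ip, port=FORWARDED_PORT, lan_snat=False):
    """iptables rules for the forward, restricting FORWARD to that one port.

    The DNAT/SNAT lines are the post's; the FORWARD policy and conntrack
    rules are added so the firewall forwards only the published service.
    """
    rules = [
        "iptables -P FORWARD DROP",
        f"iptables -t nat -A PREROUTING -i eth0 -p tcp -d {FW_PUB} "
        f"--dport {port} -j DNAT --to-destination {server_lan_ip}:{port}",
        f"iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source {FW_PUB}",
        f"iptables -A FORWARD -i eth0 -p tcp -d {server_lan_ip} --dport {port} "
        "-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    if lan_snat:  # eth1 is the assumed LAN interface
        rules.append(
            f"iptables -t nat -A POSTROUTING -o eth1 -p tcp -d {server_lan_ip} "
            f"--dport {port} -j SNAT --to-source {FW_LAN}")
    return rules


if __name__ == "__main__":
    for label, routes, ip, snat in [
            ("smc box, default via firewall", SMC_ROUTES, SMC_LAN, False),
            ("domino, default via gateway", DOMINO_ROUTES, DOMINO_LAN, False),
            ("domino, default via firewall", DOMINO_FIXED_ROUTES, DOMINO_LAN, False),
            ("domino unchanged, LAN-side SNAT", DOMINO_ROUTES, DOMINO_LAN, True)]:
        print(f"{label:34s} {trace(routes, ip, snat)}")
    print("\n".join(forwarding_rules(DOMINO_LAN, lan_snat=True)))
```

The model shows two ways the reply can be made to traverse the firewall: give the domino server a single default route via 10.10.0.50 (the cleanest option, and what question 1 above proposes), or keep it dual-homed and SNAT on the firewall's LAN interface so the server replies to 10.10.0.50 instead of the client. The second option works but costs visibility: the domino server's logs then record every forwarded connection as coming from the firewall's LAN address rather than from the real client.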