Hi everyone,
There are several threads concerning similar problems, however I was so far unable to derive a solution from these.
I am running a setup with Astaro 8.202 as a virtual appliance with 3 interfaces (eth0:internal, eth1:external, eth2:dmz).
To access a web server located within the dmz from the internet, I created a DNAT rule with
any --> http --> add.IP for external Interface --> DNAT --> Web-Server's IP in DMZ
The options for logging initial packets and creating the appropriate firewall rules automatically were checked as well.
Accessing the webserver from the internal network works flawlessly, so I assume that routing out of the DMZ is configured correctly.
To allow internet access from the DMZ, I also created a masquerading rule with an ip-address identical with the external IP set in the DNAT-rule to hide behind.
In the firewall live log packets to be forwarded into the DMZ are blocked by the default drop rule.
For further classification please see attached screenshots.
Could anybody please give me a hint in the right direction?
Regards
Tobias