You are a network administrator for a medium-sized company. The company has a Linux server acting as a router/firewall with three network interfaces: eth0 (public, 203.0.113.2/24, gateway 203.0.113.1), eth1 (DMZ, 10.0.1.1/24), and eth2 (internal, 192.168.1.1/24). The DMZ hosts a web server with IP 10.0.1.100, and the internal network has client machines. The firewall rules are currently set to default DROP on INPUT and FORWARD, ACCEPT on OUTPUT. The administrator wants to allow internal clients (192.168.1.0/24) to access the web server (10.0.1.100) on port 80. Additionally, the administrator wants to allow external users (from the internet) to access the web server's public IP (203.0.113.2) on port 80, which should be DNATed to 10.0.1.100. The administrator has enabled IP forwarding and added the following rules:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.100:80
    iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 80 -j ACCEPT

Internal clients cannot access the web server. External users are able to access the web server successfully. What is the most likely reason internal clients cannot access the web server?
Internal traffic uses eth2 as input interface, so DNAT rule does not trigger; the destination remains the public IP, which is not local.
Why this answer
The DNAT rule is placed in the PREROUTING chain of the nat table and, because of its -i eth0 match, applies only to packets arriving on the public interface. Internal clients (192.168.1.0/24) sending traffic to the web server (10.0.1.100) do not enter via eth0; they arrive on eth2. Therefore, the DNAT rule never matches their packets, and the destination remains 10.0.1.100, which the router can reach directly via eth1 without any NAT.
However, the FORWARD rules only allow traffic from eth0 to eth1 and back, so internal client traffic from eth2 to eth1 matches no ACCEPT rule and is dropped by the default FORWARD policy, causing the failure.
Exam trap
The trap here is that candidates assume DNAT rules apply to all incoming traffic regardless of interface, but a PREROUTING rule with an -i match is interface-specific, so internal traffic bypasses it entirely.
How to eliminate wrong answers
Option B is wrong because the web server in the DMZ can route back to internal clients via the router's eth1 interface; the router has a route to 192.168.1.0/24 via eth2, so return traffic is not blocked by routing. Option C is wrong because the FORWARD rule for return traffic matches packets with source port 80, regardless of destination; the issue is not the return rule but the lack of a forward rule for the initial connection from eth2 to eth1. Option D is wrong because IP forwarding is enabled globally (the administrator enabled it), and it applies to all interfaces; there is no per-interface setting for IP forwarding in Linux.
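The corrected ruleset for this topology, as an added example that is not part of the original question: it keeps the question's default policies and the eth0 DNAT, replaces the --sport 80 return-path match with connection tracking, and adds the missing eth2 -> eth1 rule for the initial connection. The dry-run wrapper (IPT defaults to echo unless DRY_RUN=0 as root) and the second DNAT for internal clients that address the public IP are my assumptions, not part of the question.

```shell
#!/bin/sh
# Added example: complete FORWARD/NAT ruleset for the router in the question.
# Interface names and addresses are the ones given in the question.
WAN=eth0; DMZ=eth1; LAN=eth2
WEB=10.0.1.100
PUB=203.0.113.2
LAN_NET=192.168.1.0/24

# Assumption: run in dry-run mode (print the commands) unless explicitly
# asked to apply them as root, so the script is safe to read and test.
if [ "${DRY_RUN:-1}" = "0" ] && [ "$(id -u)" = "0" ]; then
    IPT=iptables
else
    IPT="echo iptables"
fi

fw_rules() {
    # Default policies exactly as stated in the question.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING

    # Return traffic for every forwarded connection. This replaces the
    # "-i eth1 -o eth0 --sport 80" rule, which would also let any DMZ host
    # open outbound connections simply by binding source port 80.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # External users: DNAT the public address to the DMZ web server, then
    # allow only the NEW connection toward 10.0.1.100:80.
    $IPT -t nat -A PREROUTING -i $WAN -d $PUB -p tcp --dport 80 \
        -j DNAT --to-destination $WEB:80
    $IPT -A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # The rule the question is missing: internal clients reach 10.0.1.100
    # directly (no NAT needed) but arrive on eth2, so FORWARD must allow
    # eth2 -> eth1 for the initial connection.
    $IPT -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $WEB -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Assumption (hairpin case): internal clients that use the public IP
    # also never hit the eth0 DNAT, so give them their own DNAT on eth2.
    # No SNAT is needed: the router is the only path between LAN and DMZ,
    # so the web server's replies return through it and are un-DNATed.
    $IPT -t nat -A PREROUTING -i $LAN -d $PUB -p tcp --dport 80 \
        -j DNAT --to-destination $WEB:80
}

fw_rules
```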