[kinda-wild-guess]
When playing with iptables and NAT I experienced something similar. The problem was that Apache was set to listen only on 192.168.1.1 interface.
The Apache machine (192.168.10.31) isn't configured to listen to any single address, just port 80. (Default settings).
Can you show a tail of error_log, to see if the request gets to Apache and how does it try to solve it?
Since I'm using the stock SuSE install on the web server, I connected from my home machine using internet explorer, and browsed to the /usr/doc link and from there to howto, en, html, and tried to display: "3Dfx-HOWTO-1.html"
There doesn't appear to be anything about that file failing in /var/log/httpd/error
/var/log/httpd/access shows this:
The address of my home machine has been masked with ee.ff.gg.hh
ee.ff.gg.hh - - [10/Aug/2001:16:43:23 -0500] "GET /doc/ HTTP/1.0" 200 1284
ee.ff.gg.hh - - [10/Aug/2001:16:43:25 -0500] "GET /doc/howto/ HTTP/1.0" 200 545
ee.ff.gg.hh - - [10/Aug/2001:16:43:27 -0500] "GET /doc/howto/en/ HTTP/1.0" 200 559
ee.ff.gg.hh - - [10/Aug/2001:16:43:30 -0500] "GET /doc/howto/en/html/ HTTP/1.0" 200 122277
ee.ff.gg.hh - - [10/Aug/2001:16:46:43 -0500] "GET /doc/howto/en/html/ HTTP/1.0" 200 157131
Everything _looks_ normal here, doesn't it?
If you don't see any entries in the log, then it's a configuration problem I guess.
And it's probably something at the firewall, since machines on the internal network (192.168.1.0/24) and the DMZ (192.168.10.0/24) can see the pages served up by 192.168.10.31 just fine.
Note: Machines on the internal masqueraded network at 192.168.1.0/24 go to the pages by looking at 192.168.1.1 on port 80, which is port forwarded through to 192.168.10.31 on port 80.
Here's the SuSEfirewall 4.9 section that deals with that:
aa.bb.cc.0 is a bank of machines we trust enough to open port forwarding up to the web server on 192.168.10.31. Again, ee.ff.gg.hh is my home machine. We also allow any machine on the internal network (192.168.1.0/24) or the DMZ (192.168.10.0/24) to get to the web server. We use a masq of 192.168.0.0/16 to accomplish this.
FW_FORWARD_MASQ_TCP=" \
    aa.bbb.cc.0/24,192.168.10.31,http \
    192.168.0.0/16,192.168.10.31,http \
    ee.ff.gg.hh/32,192.168.10.31,http \
    aa.bb.cc.0/24,192.168.10.31,https \
    192.168.0.0/16,192.168.10.31,https \
    ee.ff.gg.hh/32,192.168.10.31,https"
There's other things in that forward line, but they usually involve alternate listening ports for SSH connections from the outside world and the like.
Also, how are you testing it? Aren't you using a proxy or something?
See above. I'm happy to provide more evidence/logs...
--
Argentium G. Tiger (agtiger@kc.rr.com)
"Walkin' through Hell in a gasoline suit."
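
An added example, not part of the original message: one way to check which client addresses a forward list like the FW_FORWARD_MASQ_TCP value above admits. It assumes the three-field "source-net,forward-to-ip,port" layout shown in the message; the public addresses are constructed stand-ins for the masked ones (198.51.100.0/24 for the trusted bank, 203.0.113.7 for the home machine), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the layout quoted in the message; not the poster's real values.
SAMPLE_FW_FORWARD_MASQ_TCP = """ \\
    198.51.100.0/24,192.168.10.31,http \\
    192.168.0.0/16,192.168.10.31,http \\
    203.0.113.7/32,192.168.10.31,http \\
    198.51.100.0/24,192.168.10.31,https \\
    192.168.0.0/16,192.168.10.31,https \\
    203.0.113.7/32,192.168.10.31,https"""


def parse_forward_rules(value):
    """Split the variable's value into (source network, target IP, port) tuples."""
    rules = []
    # Line-continuation backslashes are only separators once the shell has read the value.
    for entry in value.replace("\\", " ").split():
        fields = entry.split(",")
        if len(fields) != 3:
            raise ValueError(f"unexpected entry: {entry!r}")
        src, target, port = fields
        # strict=True rejects a source such as 192.168.1.1/24 (host bits set),
        # and a mistyped octet fails to parse instead of silently never matching.
        rules.append((ipaddress.ip_network(src, strict=True),
                      ipaddress.ip_address(target), port))
    return rules


def matching_rules(rules, client, port):
    """Return the rules whose source network contains the client for this port."""
    addr = ipaddress.ip_address(client)
    return [rule for rule in rules if rule[2] == port and addr in rule[0]]


if __name__ == "__main__":
    rules = parse_forward_rules(SAMPLE_FW_FORWARD_MASQ_TCP)
    # Home machine, internal host, a 192.168.x.x host outside both /24s, a neighbour.
    for client in ("203.0.113.7", "192.168.1.20", "192.168.200.5", "203.0.113.8"):
        hits = matching_rules(rules, client, "http")
        print(client, "->", [str(rule[0]) for rule in hits] or "no rule")
```

The 192.168.0.0/16 source admits every 192.168.x.x address, not only the internal and DMZ /24 networks, which is worth knowing when reviewing who can reach the forwarded port.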