nat masquerade router

Erik Espinoza erik.espinoza at gmail.com
Tue Jun 15 17:58:49 UTC 2004


This is how I do it on a box that has Taolinux; I imagine it would be
the same on Fedora:

## /etc/sysconfig/iptables
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# EOF

In addition I had to add the following into my /etc/sysctl.conf:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Try this configuration out and let me know if it works for you.

Erik


On Tue, 15 Jun 2004 13:54:02 -0400, Michael Floyd <michael.floyd at cgi.com> wrote:
> 
> Well, at least I tried.
> I was along the right lines though and Rodolfo J. Paiz hit it right on the
> head.
> I think I'll just stick to reading instead of answering.
> 
> And BTW. I agree with the "FC2 Issues" thread.... Those kinds of bugs should
> NOT make it into an official release that isn't an RC.
> ( alas, I too was bitten by the dual boot bug and so were quite a few
> others that I know. )
> 
> 
> 
> -----Original Message-----
> From: fedora-list-bounces at redhat.com
> [mailto:fedora-list-bounces at redhat.com]On Behalf Of Alexander Dalloz
> Sent: June 15, 2004 1:45 PM
> To: For users of Fedora Core releases
> Subject: Re: nat masquerade router
> 
> On Tue, 15.06.2004 at 19:29, Michael Floyd wrote:
> 
> > Well I see that you're using a 24 bit subnet mask ( 255.255.255.0 ) not a 16
> > bit ( 255.255.0.0 )
> > It would be your firewall rules that are blocking you.....
> 
> Right.
> 
> > These two lines......
> > # iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
> > # iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
> > # iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
> >
> > the IPs should be 192.168.1.0/24 not 192.168.0.0/16
> > the way it's written, you drop everything on your subnet.
> 
> No :) That doesn't matter. 192.168.0.0/16 includes the 192.168.1.0/24
> net. He is just a bit more permissive than it needs to be. But it does no harm.
> 
> What is causing the blocking is:
> 
> iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
> 
> It drops all incoming traffic not coming from the private address range.
> Thus packets from the public internet are dropped.
> 
> What you intend is better placed in the INPUT chain.
> 
> > Michael Floyd
> 
> Alexander
> 
> --
> Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
> Fedora GNU/Linux Core 2 (Tettnang) on Athlon CPU kernel 2.6.6-1.435
> Serendipity 19:36:44 up 16:03, 8 users, 0.31, 0.29, 0.31
> 
> 
>
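Added example, not code from the thread: a small Python evaluator for the FORWARD chain in iptables-save format. It parses only the options used above (-i/-o, -s with "!", -m state --state, -j and the :FORWARD policy line), then runs constructed sample packets through Erik's state-based rules and through the negated -s DROP rule Alexander singled out, showing which return traffic each lets back in. Conntrack state and the sample addresses are supplied by hand (assumptions); interface roles follow the post (eth0 public, eth1 LAN).

```python
import ipaddress
def parse_forward_chain(text):
    """Parse the FORWARD chain from iptables-save text (only -i, -o, -s [!], --state, -j)."""
    policy, rules = "ACCEPT", []  # ACCEPT is the kernel's built-in default policy
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == [":FORWARD"]:
            policy = tok[1]
        elif tok[:2] == ["-A", "FORWARD"]:
            i, r = 2, {"in": None, "out": None, "src": None, "neg": False, "states": set(), "target": None}
            while i < len(tok):
                if tok[i] == "-i":
                    r["in"], i = tok[i + 1], i + 2
                elif tok[i] == "-o":
                    r["out"], i = tok[i + 1], i + 2
                elif tok[i] == "-s":
                    if tok[i + 1] == "!":  # "-s ! net" negates the source match
                        r["neg"], i = True, i + 1
                    r["src"], i = ipaddress.ip_network(tok[i + 1]), i + 2
                elif tok[i] == "--state":
                    r["states"], i = set(tok[i + 1].split(",")), i + 2
                elif tok[i] == "-j":
                    r["target"], i = tok[i + 1], i + 2
                else:  # e.g. "-m state" loads a module but matches nothing by itself
                    i += 1
            rules.append(r)
    return policy, rules

def verdict(policy, rules, src, in_if, out_if, state):
    """First matching rule decides, as in netfilter; `state` is the conntrack state."""
    for r in rules:
        if (r["in"] and r["in"] != in_if) or (r["out"] and r["out"] != out_if):
            continue
        if r["states"] and state not in r["states"]:
            continue
        if r["src"] is not None and (ipaddress.ip_address(src) in r["src"]) == r["neg"]:
            continue
        return r["target"]
    return policy  # no rule matched: the chain policy applies
# Erik's FORWARD chain (eth0 = public side, eth1 = LAN side) and the single
# rule Alexander identified as the blocker; sample addresses below are constructed.
ERIK = """:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT"""
NEGATED_DROP = "-A FORWARD -s ! 192.168.0.0/16 -j DROP"
def check(chain_text):
    p, rs = parse_forward_chain(chain_text)
    return {"lan_to_net_new": verdict(p, rs, "192.168.1.10", "eth1", "eth0", "NEW"),
            "reply_established": verdict(p, rs, "203.0.113.5", "eth0", "eth1", "ESTABLISHED"),
            "unsolicited_new": verdict(p, rs, "198.51.100.7", "eth0", "eth1", "NEW")}
```

Erik's chain forwards the LAN's outbound traffic and only the replies to it, while the lone negated rule drops every forwarded packet whose source is public, replies included.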




