
Re: nat masquerade router



By the way, my post assumes that eth0 is the public interface with
access to the internet and eth1 is the private network. Else switch
all occurrences of eth0 to eth1 and vice versa.

On Tue, 15 Jun 2004 10:58:49 -0700, Erik Espinoza
<erik espinoza gmail com> wrote:
> 
> This is how I do it on a box that has Taolinux; I imagine it would be
> the same on Fedora:
> 
> ## /etc/sysconfig/iptables
> *nat
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> 
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -j ACCEPT
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # EOF
> 
> In addition I had to add the following into my /etc/sysctl.conf:
> 
> # Controls IP packet forwarding
> net.ipv4.ip_forward = 1
> 
> Try this configuration out, let me know if it works for you.
> 
> Erik
> 
> 
> 
> 
> On Tue, 15 Jun 2004 13:54:02 -0400, Michael Floyd <michael floyd cgi com> wrote:
> >
> > Well, at least I tried.
> > I was along the right lines though, and Rodolfo J. Paiz hit it right on the
> > head.
> > I think I'll just stick to reading instead of answering.
> >
> > And BTW, I agree with the "FC2 Issues" thread.... Those kinds of bugs should
> > NOT make it into an official release that isn't an RC.
> > (Alas, I too was bitten by the dual boot bug, and so were quite a few
> > others that I know.)
> >
> >
> >
> > -----Original Message-----
> > From: fedora-list-bounces redhat com
> > [mailto:fedora-list-bounces redhat com]On Behalf Of Alexander Dalloz
> > Sent: June 15, 2004 1:45 PM
> > To: For users of Fedora Core releases
> > Subject: Re: nat masquerade router
> >
> > On Tue, 15.06.2004 at 19:29, Michael Floyd wrote:
> >
> > > Well, I see that you're using a 24-bit subnet mask (255.255.255.0), not a 16-bit
> > > one (255.255.0.0).
> > > It would be your firewall rules that are blocking you.....
> >
> > Right.
> >
> > > These two lines......
> > > # iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
> > > # iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
> > > # iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
> > >
> > > The IPs should be 192.168.1.0/24, not 192.168.0.0/16;
> > > the way it's written, you drop everything on your subnet.
> >
> > No :) That doesn't matter. 192.168.0.0/16 includes the 192.168.1.0/24
> > net. He is just a bit more permissive than he needs to be. But it does no harm.
> >
> > What is causing the blocking is:
> >
> > iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
> >
> > It drops all incoming traffic that is not from the private address range.
> > Thus packets from the public internet are dropped.
> >
> > What you intend is better placed in the INPUT chain.
> >
> > > Michael Floyd
> >
> > Alexander
> >
> > --
> > Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
> > Fedora GNU/Linux Core 2 (Tettnang) on Athlon CPU kernel 2.6.6-1.435
> > Serendipity 19:36:44 up 16:03, 8 users, 0.31, 0.29, 0.31
> >
> >
> > --
> > fedora-list mailing list
> > fedora-list redhat com
> > To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> >
>
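An added example, not Erik's file nor anything else from the original thread: a POSIX sh generator for the same kind of iptables-restore ruleset, parameterised by public interface, private interface and LAN prefix (eth0, eth1 and 192.168.1.0/24 are assumed values), so that swapping eth0 and eth1 is a matter of arguments rather than editing every line. It follows Alexander's point: the FORWARD chain stays stateful instead of carrying a `-s ! LAN -j DROP` rule that also kills return traffic, and the LAN-only restriction goes into INPUT (here it also limits SSH to the LAN side, which is stricter than the posted file).

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for a two-NIC NAT router.
# Arguments: public interface, private interface, LAN prefix (assumed values).
# Interfaces are arguments, so the "swap eth0/eth1" caveat is a parameter.
gen_nat_rules() {
    pub="$1"; priv="$2"; lan="$3"
    cat <<EOF
*nat
-A POSTROUTING -s $lan -o $pub -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# Replies to LAN-initiated flows, matched by conntrack state. A blanket
# "-s ! LAN -j DROP" here would also drop every reply from the internet.
-A FORWARD -i $pub -o $priv -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the LAN prefix may start new flows from the private interface.
-A FORWARD -i $priv -o $pub -s $lan -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The "private addresses only" restriction belongs in INPUT: SSH to the
# router itself is accepted from the LAN side only.
-A RH-Firewall-1-INPUT -i $priv -s $lan -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# True when the kernel forwards IPv4 (net.ipv4.ip_forward = 1 from sysctl.conf).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Parse-only check of the generated ruleset via "iptables-restore --test"
# (needs root and an iptables that supports --test); otherwise only generate it.
check_rules() {
    if [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        gen_nat_rules "$@" | iptables-restore --test
    else
        gen_nat_rules "$@" >/dev/null
    fi
}

# Usage: gen_nat_rules eth0 eth1 192.168.1.0/24 > /etc/sysconfig/iptables
```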