nat masquerade router

Erik Espinoza erik.espinoza at gmail.com
Tue Jun 15 18:09:40 UTC 2004


By the way, my post assumes that eth0 is the public interface with
access to the internet and eth1 is the private network. Otherwise switch
all occurrences of eth0 to eth1 and vice versa.

On Tue, 15 Jun 2004 10:58:49 -0700, Erik Espinoza
<erik.espinoza at gmail.com> wrote:
> 
> This is how I do it on a box that has Taolinux; I imagine it would be
> the same on Fedora:
> 
> ## /etc/sysconfig/iptables
> *nat
> # Rewrite the source of everything leaving the public interface to its address
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> 
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> # Forward internet (eth0) -> LAN (eth1) only for flows the LAN already opened
> -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> # Let the LAN initiate anything outbound
> -A FORWARD -i eth1 -o eth0 -j ACCEPT
> # Traffic addressed to the router itself
> -A INPUT -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> # IPsec ESP (protocol 50) and AH (protocol 51)
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # EOF
> In addition I had to add the following to my /etc/sysctl.conf:
> 
> # Controls IP packet forwarding
> net.ipv4.ip_forward = 1
> 
> Try this configuration out and let me know if it works for you.
> 
> Erik
> 
> 
> 
> 
> On Tue, 15 Jun 2004 13:54:02 -0400, Michael Floyd <michael.floyd at cgi.com> wrote:
> >
> > Well, at least I tried.
> > I was along the right lines, though, and Rodolfo J. Paiz hit it right on the
> > head.
> > I think I'll just stick to reading instead of answering.
> >
> > And BTW, I agree with the "FC2 Issues" thread.... Those kinds of bugs should
> > NOT make it into an official release that isn't an RC.
> > ( Alas, I too was bitten by the dual-boot bug, and so were quite a few
> > others that I know. )
> >
> >
> >
> > -----Original Message-----
> > From: fedora-list-bounces at redhat.com
> > [mailto:fedora-list-bounces at redhat.com]On Behalf Of Alexander Dalloz
> > Sent: June 15, 2004 1:45 PM
> > To: For users of Fedora Core releases
> > Subject: Re: nat masquerade router
> >
> > On Tue, 15.06.2004 at 19:29, Michael Floyd wrote:
> >
> > > Well, I see that you're using a 24-bit subnet mask ( 255.255.255.0 ), not a
> > > 16-bit one ( 255.255.0.0 ).
> > > It would be your firewall rules that are blocking you.....
> >
> > Right.
> >
> > > These lines......
> > > # iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
> > > # iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
> > > # iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
> > >
> > > The IPs should be 192.168.1.0/24, not 192.168.0.0/16.
> > > The way it's written, you drop everything on your subnet.
> >
> > No :) That doesn't matter. 192.168.0.0/16 includes the 192.168.1.0/24
> > net. He is just a bit more permissive than he needs to be, but it does no harm.
> >
> > What is causing the blocking is:
> >
> > iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
> >
> > It drops all incoming traffic that is not from the private address range.
> > Thus packets from the public internet are dropped.
> >
> > What you intend is better placed in the INPUT chain.
> >
> > > Michael Floyd
> >
> > Alexander
> >
> > --
> > Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
> > Fedora GNU/Linux Core 2 (Tettnang) on Athlon CPU kernel 2.6.6-1.435
> > Serendipity 19:36:44 up 16:03, 8 users, 0.31, 0.29, 0.31
> >
> >
> > --
> > fedora-list mailing list
> > fedora-list at redhat.com
> > To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> >
>
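To make the FORWARD-chain logic of Erik's ruleset concrete, here is an added example. It is my code, not iptables and not code from any poster: a toy model that parses rules in iptables-save syntax, walks the FORWARD chain top to bottom and keeps a minimal connection-tracking table, so the reply to a flow opened from the LAN is ESTABLISHED and an unsolicited packet from the internet is NEW. It assumes eth0 is public and eth1 private, as in Erik's mail; the hosts 192.168.1.10, 203.0.113.80 and 198.51.100.7 are constructed sample addresses; only the matches the posted rules use are understood (including the old `-s ! net` negation form quoted in the thread), and RELATED, the NAT rewrite itself and the INPUT chain are not modelled.

```python
"""Toy model of the iptables FORWARD chain with connection tracking.

Added example for this thread (my code, not iptables and not any poster's).
It parses rules in iptables-save syntax but knows only the matches the posted
rules use: -i, -o, -p, -s/-d (incl. the old '-s ! net' negation), '-m state
--state' and -j ACCEPT/DROP. RELATED, NAT rewriting and INPUT are not modelled.
"""
from __future__ import annotations
import ipaddress
import shlex
from dataclasses import dataclass

WAN_IF, LAN_IF = "eth0", "eth1"  # assumed, as in Erik's mail: eth0 public, eth1 private


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    proto: str = "tcp"


@dataclass
class Rule:
    chain: str
    target: str = ""
    in_if: str | None = None
    out_if: str | None = None
    proto: str | None = None
    src: tuple | None = None    # (IPv4Network, negated)
    dst: tuple | None = None
    states: set | None = None

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.in_if and pkt.in_if != self.in_if:
            return False
        if self.out_if and pkt.out_if != self.out_if:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        for spec, addr in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if spec and (ipaddress.ip_address(addr) in spec[0]) == spec[1]:
                return False    # inside the net but negated, or outside it and not negated
        return self.states is None or state in self.states


def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ...' line; '-m <ext>' loaders are skipped."""
    toks = shlex.split(line)
    if toks[:1] != ["-A"]:
        raise ValueError(f"not an append rule: {line}")
    rule, i = Rule(chain=toks[1]), 2
    while i < len(toks):
        opt = toks[i]
        if opt == "-m":
            i += 2
            continue
        negated = toks[i + 1] == "!"
        val = toks[i + 2] if negated else toks[i + 1]
        i += 3 if negated else 2
        if opt in ("-i", "-o", "-p", "-j"):
            setattr(rule, {"-i": "in_if", "-o": "out_if", "-p": "proto", "-j": "target"}[opt], val)
        elif opt in ("-s", "-d"):
            setattr(rule, "src" if opt == "-s" else "dst", (ipaddress.ip_network(val, strict=False), negated))
        elif opt == "--state":
            rule.states = set(val.split(","))
        else:
            raise ValueError(f"unsupported option {opt} in: {line}")
    if rule.target not in ("ACCEPT", "DROP"):
        raise ValueError(f"unsupported target in: {line}")
    return rule


class Router:
    """Walks FORWARD top to bottom; the chain policy applies when nothing matches."""

    def __init__(self, rules: list[str], policy: str = "DROP"):
        self.rules = [parse_rule(r) for r in rules]
        self.policy = policy
        self.conntrack: set[tuple] = set()  # (src, dst, proto) of flows already accepted

    def state_of(self, pkt: Packet) -> str:
        fwd, rev = (pkt.src, pkt.dst, pkt.proto), (pkt.dst, pkt.src, pkt.proto)
        return "ESTABLISHED" if fwd in self.conntrack or rev in self.conntrack else "NEW"

    def forward(self, pkt: Packet) -> str:
        state, verdict = self.state_of(pkt), self.policy
        for rule in self.rules:
            if rule.matches(pkt, state):
                verdict = rule.target
                break
        if verdict == "ACCEPT":  # conntrack confirms the entry once the packet is let through
            self.conntrack.add((pkt.src, pkt.dst, pkt.proto))
        return verdict


# The two FORWARD rules from Erik's /etc/sysconfig/iptables (chain policy DROP).
ERIK_FORWARD = [
    "-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A FORWARD -i eth1 -o eth0 -j ACCEPT",
]


def scenario(rules: list[str] = ERIK_FORWARD) -> tuple[str, str, str]:
    """Verdicts for a LAN host opening a flow, the reply, and an unsolicited inbound packet.

    Constructed sample addresses: RFC 1918 for the LAN, documentation ranges outside. The
    reply already carries the LAN host as destination because un-NAT happens in PREROUTING.
    """
    router = Router(rules)
    lan_host, web, stranger = "192.168.1.10", "203.0.113.80", "198.51.100.7"
    outbound = router.forward(Packet(lan_host, web, LAN_IF, WAN_IF))
    reply = router.forward(Packet(web, lan_host, WAN_IF, LAN_IF))
    unsolicited = router.forward(Packet(stranger, lan_host, WAN_IF, LAN_IF))
    return outbound, reply, unsolicited
```

Running `scenario()` gives ACCEPT for the outbound packet (second rule), ACCEPT for the reply (first rule, because the table now holds the flow) and DROP for the unsolicited packet, which matches neither rule and falls through to the FORWARD policy. Swap in other rule lists, for instance the source-based rules quoted in the thread, to see which rule each packet hits.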