re nat masquerade router
fedora
fedora at christopherrussell.net
Tue Jun 15 18:51:06 UTC 2004
Thanks for your help so far-
still no luck with the Host web browser.
1_ How should I enter that last -s !?
# iptables -A INPUT -s ! 192.168.0.0/16 -j DROP ...?
2_ Here's what I have done so far...
a) the Host at 192.168.1.10 can ping the Router at 192.168.1.1
successfully without packet loss.
b) removed default gateway for router eth1 (thanks rodolfo paiz)
c) edited /etc/hosts (thanks rodolfo paiz)
d) flushed rules and reset, without the "-s !"
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
# iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
e) checked it worked
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/16 anywhere
ACCEPT all -- anywhere 192.168.0.0/16
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
f) restarted the network
# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down interface eth1: [ OK ]
Shutting down loopback interface: [ OK ]
Disabling IPv4 packet forwarding: [ OK ]
Setting network parameters: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
Bringing up interface eth1: [ OK ]
Result: Still no luck with web browser from Host.
anything else I should try?
Or go straight to another tool, as others have suggested?
Thanks for all the other suggestions,
Chris
<original message>
Subject: Re: nat masquerade router
To: For users of Fedora Core releases <fedora-list at redhat.com>
Message-ID: <1087321492.3543.75.camel at serendipity.dogma.lan>
Content-Type: text/plain; charset="us-ascii"
On Tue, 15.06.2004 at 19:29, Michael Floyd wrote:
> Well I see that you're using a 24 bit subnet mask ( 255.255.255.0 ) not a 16
> bit ( 255.255.0.0 )
> It would be your firewall rules that are blocking you.....
Right.
> These two lines......
> # iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
> # iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
> # iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
>
> the IPs should be 192.168.1.0/24 not 192.168.0.0/16
> the way it's written, you drop everything on your subnet.
No :) That doesn't matter. 192.168.0.0/16 includes the 192.168.1.0/24
net. He is just a bit more permissive than he needs to be. But it does no harm.
What is causing the blocking is:
iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
It drops all incoming traffic not coming from the private address range.
Thus packets from the public Internet are dropped.
What you intend is better placed in the INPUT chain.
> Michael Floyd
Alexander
</original message>
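Added example (not code from the thread or from Fedora): a complete masquerading-router rule set that applies Alexander's advice above, written as a small shell script. It assumes, as the thread's commands suggest but never state outright, that eth0 faces the Internet and eth1 is the LAN side at 192.168.1.1/24; the variable names, the `run` helper and `DRY_RUN` are this example's own. Three points from the listing above drive its shape: the negated-source rule goes in INPUT, not FORWARD, since replies from the Internet have public source addresses and a FORWARD drop on them kills the return path; the FORWARD chain shown first jumps to RH-Firewall-1-INPUT, which ends in REJECT, so rules appended after that jump are only reached by packets that chain already accepted, which is why the example flushes the filter chains before populating them; and the `network restart` output shows IPv4 forwarding being disabled, so the script re-enables it every time. Note the negation syntax: the `-s ! net` spelling Chris asks about worked in iptables of that era, but since iptables 1.4.3 the negation belongs in front of the option (`! -s net`) and the intrapositioned form only draws a deprecation warning. With the default `DRY_RUN=1` the script prints the commands instead of running them, so it can be reviewed as a regular user; set `DRY_RUN=0` and run it as root to apply.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete masquerading-router
# rule set for the setup discussed above. Assumptions (not stated on the
# page): eth0 is the Internet side, eth1 is the LAN side at 192.168.1.1/24.
# DRY_RUN=1 (the default) prints the commands instead of executing them.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nat_router_rules: emit (or apply) the whole rule set in the right order.
nat_router_rules() {
    # 1. Forwarding is off until the kernel is told otherwise, and the
    #    network restart shown in the thread switches it off again, so
    #    set it explicitly every time the rules are loaded.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Start from empty filter chains so that no earlier rule (such as a
    #    distribution chain ending in REJECT) swallows packets before the
    #    rules appended below are reached. The chain policies stay ACCEPT,
    #    so a remote session is not cut off between the flush and the new rules.
    run iptables -F INPUT
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING

    # 3. NAT: rewrite the source of everything leaving via the WAN link.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # 4. FORWARD: LAN hosts may open connections outward; only replies to
    #    them may come back in. A "! -s LAN -j DROP" rule here would also
    #    drop those replies, because they carry a public source address.
    #    The first rule rejects packets arriving from the WAN that claim a
    #    LAN source address (spoofing).
    run iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j DROP

    # 5. INPUT (traffic addressed to the router itself): this is where the
    #    negated-source rule belongs. Modern iptables wants "! -s"; the
    #    older "-s !" spelling is deprecated. Loopback and replies to the
    #    router's own connections are allowed first so that DNS lookups
    #    and package updates from the router keep working.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run iptables -A INPUT ! -s "$LAN_NET" -j DROP
}

# rule_count: number of commands the rule set produces, for a quick review
# that nothing was accidentally dropped from or added to the script.
rule_count() {
    ( DRY_RUN=1; nat_router_rules ) | wc -l | tr -d ' '
}

nat_router_rules
```

The order inside each chain matters: the ESTABLISHED,RELATED rule must precede the drop rules, and the anti-spoofing drop must precede the LAN accept, because iptables stops at the first matching rule. Everything the LAN needs for web browsing (DNS as well as HTTP) is covered by the FORWARD accept for outbound LAN traffic plus the reply rule, without listing ports.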