[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

re nat masquerade router



Thanks for your help so far-
still no luck with the Host web browser.

1_ How should I enter that last -s !?
#"iptables -A INPUT -s ! 192.168.0.0/16 -j DROP "  ...?

2_ Here's what I have done so far...

a) the Host at 192.168.1.10 can ping the Router at 192.168.1.1
successfully without packet loss.

b) removed default gateway for router eth1 (thanks rodolfo paiz)
c) edited /etc/hosts (thanks rodolfo paiz)

d) flushed rules and reset, without the "-s !"
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
# iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT

e) checked it worked
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     all  --  anywhere             192.168.0.0/16
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW
tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW
tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW
tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW
tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with
icmp-host-prohibited

f) restart nw
# /etc/init.d/network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down interface eth1:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Disabling IPv4 packet forwarding:                          [  OK  ]
Setting network parameters:                                [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
Bringing up interface eth1:                                [  OK  ]


Result: Still no luck with web browser from Host.

anything else I should try?
Or go straight to another tool, as others have suggested?
Thanks to all other suggestions,

Chris

<original message>
Subject: Re: nat masquerade router
To: For users of Fedora Core releases <fedora-list redhat com>
Message-ID: <1087321492 3543 75 camel serendipity dogma lan>
Content-Type: text/plain; charset="us-ascii"

Am Di, den 15.06.2004 schrieb Michael Floyd um 19:29:

> Well I see that your using a 24 bit subnet mask ( 255.255.255.0 ) not
a 16
> bit ( 255.255.0.0 )
> It would be your firewall rules that are blocking you.....

Right.

> These two lines......
> # iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT# iptables -A FORWARD
> -d 192.168.0.0/16 -j ACCEPT
> # iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
> 
> the ip's should be 192.168.1.0/24 not 192.168.0.0/16
> the way it's writen, you drop everthing on your subnet.

No :) That doesn't matter. 192.168.0.0/16 includes the 192.168.1.0/24
net. He is just bit more permissive than it needs. But does no harm.

What is causing the blocking is:

iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP

It drops all incoming traffic not being from the private address range.
Thus packages from public internet are dropped.

What you intend is better placed to the INPUT chain.

> Michael Floyd

Alexander
</original message>



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]