set up NAT (network address translation) on local server

Rick Stevens ricks at nerd.com
Fri Nov 21 18:17:37 UTC 2008


Robin Laing wrote:
> Antonio Olivares wrote:
>> --- On Thu, 11/20/08, Christopher K. Johnson <ckjohnson at gwi.net> wrote:
>>
>>> From: Christopher K. Johnson <ckjohnson at gwi.net>
>>> Subject: Re: set up NAT (network address translation) on local server
>>> To: "Community assistance, encouragement, and advice for using 
>>> Fedora." <fedora-list at redhat.com>
>>> Date: Thursday, November 20, 2008, 10:27 AM
>>> It appears from your email that there was an editing error
>>> at the COMMIT or line after.
>>> Perhaps instead of a line-end on those lines it has spaces
>>> and wrapped them into one long line?
>>> Could happen from copy and paste depending on
>>> circumstances.
>>> Check that each rule is on its own line.
>>>
>>
>> I reset the iptables back to the original condition and added them, 
>> but still no joy :(
>>
>>
>> [root at localhost ~]# gedit /etc/sysconfig/iptables &
>> [1] 8516
>> [root at localhost ~]# service iptables stop
>> iptables: Flushing firewall rules:                         [  OK  ]
>> iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
>> iptables: Unloading modules:                               [  OK  ]
>> [root at localhost ~]# service iptables restart
>> iptables: Flushing firewall rules:                         [  OK  ]
>> iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
>> iptables: Unloading modules:                               [  OK  ]
>> iptables: Applying firewall rules: Bad argument `iptables'
>> Error occurred at line: 2
>> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>>                                                            [FAILED]
>> [root at localhost ~]# service iptables stop
>> iptables: Flushing firewall rules:                         [  OK  ]
>> iptables: Setting chains to policy ACCEPT: nat filter      [  OK  ]
>> iptables: Unloading modules:                               [  OK  ]
>> [root at localhost ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>> [1]+  Done                    gedit /etc/sysconfig/iptables
>> [root at localhost ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
>> [root at localhost ~]# iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
>> [root at localhost ~]# iptables-save
>> # Generated by iptables-save v1.4.1.1 on Thu Nov 20 13:14:50 2008
>> *nat
>> :PREROUTING ACCEPT [5:692]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
>> COMMIT
>> # Completed on Thu Nov 20 13:14:50 2008
>> # Generated by iptables-save v1.4.1.1 on Thu Nov 20 13:14:50 2008
>> *filter
>> :INPUT ACCEPT [2483:1813687]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [2598:1049836]
>> -A FORWARD -i eth1 -o eth0 -j ACCEPT
>> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> COMMIT
>> # Completed on Thu Nov 20 13:14:50 2008
>> [root at localhost ~]# service iptables restart
>> iptables: Flushing firewall rules:                         [  OK  ]
>> iptables: Setting chains to policy ACCEPT: nat filter      [  OK  ]
>> iptables: Unloading modules:                               [  OK  ]
>> iptables: Applying firewall rules:                         [  OK  ]
>> iptables: Loading additional modules: ip_conntrack_netbios_[  OK  ]
>> [root at localhost ~]# service dhcpd start                            
>> Starting dhcpd:                                            [  OK  ]
>> [root at localhost ~]#
>>
>> The iptables get back to original state.  error in iptables-save ?/bug
>> [root at localhost ~]# cat /etc/sysconfig/iptables
>> # Firewall configuration written by system-config-securitylevel
>> # Manual customization of this file is not recommended.
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :RH-Firewall-1-INPUT - [0:0]
>> -A INPUT -j RH-Firewall-1-INPUT
>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>>
>>
>> Thanks,
>>
>> Antonio
>>
>>      
> 
> I fought with iptables on my desktop doing this and found a link that 
> described an issue with Fedora resetting the iptables on each reboot. 
> It provided a way to create an iptables modification init.d procedure 
> for just this problem.  It works like a dream.
> 
> 
> Sorry I don't have the link as it is at home.

It's really simple.  When "service iptables start" is run at boot time,
the system runs

	iptables-restore </etc/sysconfig/iptables

to restore the configuration.  In /etc/sysconfig/iptables-config, if you
change the following lines to these:

	IPTABLES_SAVE_ON_STOP="yes"
	IPTABLES_SAVE_ON_RESTART="yes"

(by default they're set to "no"), you will cause the system to run

	iptables-save >/etc/sysconfig/iptables

when "service iptables stop|restart" is run ("restart" is really a "stop"
followed by a "start").  This will save any changes made to the running
rules by the iptables command before iptables is actually stopped.

You can run the above command manually after futzing with your config
using the iptables command to make sure they get saved, too.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-           "I understand Windows 2000 has a Y2K problem."           -
----------------------------------------------------------------------
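An added example, not from anyone in this thread: a small shell helper that
writes a complete /etc/sysconfig/iptables in the format iptables-save
produces (both the nat and filter tables, using the interfaces and
addresses from Antonio's mail: LAN on eth1, 192.168.1.0/24, WAN on eth0,
10.154.19.210) and a lint function that catches the mistake the failed
restart above points at. "Bad argument `iptables'" at line 2 is what
iptables-restore prints when a line of the file begins with the command
name itself, i.e. when "iptables -A ..." commands were pasted into the
file instead of bare rules. The lint also checks that every table is
closed by COMMIT. The function names, the default-DROP FORWARD policy and
the "-s 192.168.1.0/24" restriction on the outbound FORWARD rule are my
choices, not something the thread prescribes; the original saved rules had
FORWARD defaulting to ACCEPT.

```shell
#!/bin/sh
# Example helpers for a Fedora-style /etc/sysconfig/iptables NAT setup.
# Hypothetical function names; defaults are the values used in the thread.

write_nat_rules() {
    # Usage: write_nat_rules FILE [LAN_IF] [WAN_IF] [LAN_NET] [WAN_IP]
    # Writes an iptables-save style rule set: SNAT for the LAN in the nat
    # table, and a filter table whose FORWARD chain drops by default and
    # only passes LAN-sourced traffic out and replies back in.
    lan_if=${2:-eth1} wan_if=${3:-eth0} lan_net=${4:-192.168.1.0/24} wan_ip=${5:-10.154.19.210}
    cat >"$1" <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan_if -j SNAT --to-source $wan_ip
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

lint_rules() {
    # Usage: lint_rules FILE
    # Returns 0 if FILE only contains lines iptables-restore accepts
    # (*table, :CHAIN POLICY [p:b], -A ..., COMMIT, comments, blanks) and
    # every table is closed by COMMIT; otherwise prints the problems to
    # stderr and returns 1.
    awk '
        function bad(msg) {
            printf "%s: line %d: %s\n", FILENAME, FNR, msg > "/dev/stderr"
            errors++
        }
        /^[[:space:]]*$/ || /^#/ { next }
        /^\*/ {
            if (table != "") bad("table " table " not closed by COMMIT")
            table = substr($1, 2); next
        }
        /^COMMIT[[:space:]]*$/ {
            if (table == "") bad("COMMIT outside a table")
            table = ""; next
        }
        /^:/ { if (table == "") bad("chain declaration outside a table"); next }
        /^-/ { if (table == "") bad("rule outside a table"); next }
        /^iptables[[:space:]]/ {
            bad("full iptables command pasted; the file must hold only the rule arguments")
            next
        }
        { bad("unrecognised line") }
        END {
            if (table != "") { printf "%s: table %s not closed by COMMIT\n", FILENAME, table > "/dev/stderr"; errors++ }
            if (errors > 0) exit 1
        }
    ' "$1"
}

# Stand-alone demo: a good file, then a constructed file reproducing the
# failure in the thread (a full command on line 2 of the file).
rules=$(mktemp)
write_nat_rules "$rules"
lint_rules "$rules" && echo "$rules: OK"

broken=$(mktemp)
printf '*filter\niptables -A FORWARD -i eth1 -o eth0 -j ACCEPT\nCOMMIT\n' >"$broken"
lint_rules "$broken" || echo "$broken: rejected, as iptables-restore would reject it"
rm -f "$rules" "$broken"
```

Two caveats that go with this. The kernel only forwards between eth1 and
eth0 if net.ipv4.ip_forward is 1 (set it in /etc/sysctl.conf so it
survives a reboot); the rule file alone does not turn routing on. And once
IPTABLES_SAVE_ON_STOP is "yes", a "service iptables stop" run after an
accidental "iptables -F" will overwrite the saved file with the flushed,
empty rule set, so keep a copy of a known-good /etc/sysconfig/iptables.
On the real box, "iptables-restore --test < /etc/sysconfig/iptables" (as
root) parses the file without applying it.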



