set up NAT (network address translation) on local server

Christopher K. Johnson ckjohnson at gwi.net
Thu Nov 20 13:52:59 UTC 2008


Does /etc/sysconfig/iptables actually contain the lines

*nat
:PREROUTING ACCEPT [1:233]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
COMMIT

It seems unlikely that it was written correctly since the restart did 
not implement your SNAT rule, and this file is what a restart reads. 
Perhaps there is a bug in iptables-save?  I edit 
/etc/sysconfig/iptables directly, and recommend that if you are not 
using some firewall front-end or tool to do this, you do the same.

There is another problem in the rules you listed.  It would not prevent 
the SNAT rule from being implemented, so this is an unrelated problem.  
But it would prevent the forwarding you wanted:

-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Note that the REJECT is above your ACCEPT rules.  You need to move it 
below them because the REJECT is very general and will catch everything, 
preventing the ACCEPT rules from being applied.

-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

I presume from the addresses that this is natting one private network 
onto another private network.  So this last note is not as critical as it 
would be if you were connecting to the Internet.  Once you get this working as 
you intended, I recommend you alter or remove these rules too, depending 
on whether you wish people on the 10 network to have access to services 
on your server:

# Permit IPSEC peer communications.  Unless you are configuring IPSEC tunnels, you should comment these out.
#-A RH-Firewall-1-INPUT -p esp -j ACCEPT
#-A RH-Firewall-1-INPUT -p ah -j ACCEPT

# Permit hosts to announce themselves to the avahi-daemon's multicast dns service
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT

# Permit connections to the CUPS service (successful connections may be governed by the CUPS config)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

# Permit access to the ssh server.  There is nothing wrong with that as long as you harden /etc/ssh/sshd_config
# to be more restrictive. By default it allows password authentication of all users including root, and
# other service accounts.
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT



Antonio Olivares wrote:
> *nat
> :PREROUTING ACCEPT [1:233]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
> COMMIT
> # Completed on Thu Nov 20 06:52:04 2008
> # Generated by iptables-save v1.4.1.1 on Thu Nov 20 06:52:04 2008
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [8:452]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -i eth1 -o eth0 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Thu Nov 20 06:52:04 2008


-- 
   "A society grows great when old men plant trees whose shade they know
   they shall never sit in" - Greek Proverb
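As an added example (not part of Christopher's reply or of the posted configuration), a small Python linter for iptables-save output that flags the ordering problem discussed in the thread: a catch-all terminal rule (REJECT, DROP or ACCEPT with no match options) placed before other rules in the same chain shadows every rule after it. The sample dump is constructed from the FORWARD and RH-Firewall-1-INPUT chains in the thread; a catch-all that sits last, as in RH-Firewall-1-INPUT, is correct and is not reported.

```python
"""Find rules shadowed by an earlier catch-all in an iptables-save dump."""

# Constructed sample, based on the chains posted in the thread.
SAMPLE_DUMP = """\
*filter
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Built-in targets that end traversal of the chain for a matching packet.
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(dump):
    """Return {(table, chain): [rule_tokens, ...]} for every -A line."""
    table, chains = None, {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = line.split()
            chains.setdefault((table, tokens[1]), []).append(tokens[2:])
    return chains


def is_catch_all(tokens):
    """True when the rule has no match options, only a terminal target."""
    if "-j" not in tokens:
        return False
    return tokens.index("-j") == 0 and tokens[1] in TERMINAL_TARGETS


def shadowed_rules(dump):
    """Return [(table, chain, index)] for rules that follow a catch-all."""
    findings = []
    for (table, chain), rules in parse_rules(dump).items():
        for i, tokens in enumerate(rules):
            if is_catch_all(tokens) and i < len(rules) - 1:
                findings.extend((table, chain, k) for k in range(i + 1, len(rules)))
                break  # later rules are all unreachable; report once per chain
    return findings


def reorder_chain(rules):
    """Move catch-all terminal rules to the end, keeping other order intact."""
    return [r for r in rules if not is_catch_all(r)] + [r for r in rules if is_catch_all(r)]
```

Run it against the output of `iptables-save` on the server, or against /etc/sysconfig/iptables, before restarting the service.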