set up NAT (network address translation) on local server
Antonio Olivares
olivares14031 at yahoo.com
Thu Nov 20 14:39:58 UTC 2008
--- On Thu, 11/20/08, Christopher K. Johnson <ckjohnson at gwi.net> wrote:
> From: Christopher K. Johnson <ckjohnson at gwi.net>
> Subject: Re: set up NAT (network address translation) on local server
> To: "Community assistance, encouragement, and advice for using Fedora." <fedora-list at redhat.com>
> Date: Thursday, November 20, 2008, 5:52 AM
> Does /etc/sysconfig/iptables actually contain the lines
>
> *nat
> :PREROUTING ACCEPT [1:233]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
> COMMIT
>
It seems that it does not contain those lines :(
[root at localhost ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Where should I add those lines, on top or below?
> It seems unlikely that it was written correctly since the
> restart did not implement your SNAT rule, and this file is
> what a restart reads. Perhaps there is a bug in
> iptables-save? I edit /etc/sysconfig/iptables directly, and
> recommend that if you are not using some firewall front-end
> or tool to do this, that you do the same.
>
> There is another problem in the rules you listed. It would
> not prevent the SNAT rule from being implemented, so this is
> an unrelated problem. But it would prevent the forwarding
> you wanted:
>
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -i eth1 -o eth0 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Note that the REJECT is above your ACCEPT rules. You need
> to move it below them because the REJECT is very general and
> will catch everything, preventing the ACCEPT rules from
> being applied.
>
> -A FORWARD -i eth1 -o eth0 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>
> I presume from the addresses that this is natting one
> private network onto another private network. So this last
> note is not critical as it would be if connecting onto the
> Internet. Once you get this working as you intended, I
> recommend you alter or remove these rules too, depending on
> whether you wish people on the 10 network to have access to
> services on your server:
>
> # Permit IPSEC peer communications. Unless you are configuring IPSEC tunnels, you should comment these out.
> #-A RH-Firewall-1-INPUT -p esp -j ACCEPT
> #-A RH-Firewall-1-INPUT -p ah -j ACCEPT
>
> # Permit hosts to announce themselves to the avahi-daemon's multicast dns service
> -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
>
> # Permit connections to the CUPS service (successful connections may be governed by the CUPS config)
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>
> # Permit access to the ssh server. There is nothing wrong with that as long as you harden /etc/ssh/sshd_config
> # to be more restrictive. By default it allows password authentication of all users including root, and
> # other service accounts.
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>
>
>
> Antonio Olivares wrote:
> > *nat
> > :PREROUTING ACCEPT [1:233]
> > :POSTROUTING ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
> > COMMIT
> > # Completed on Thu Nov 20 06:52:04 2008
> > # Generated by iptables-save v1.4.1.1 on Thu Nov 20 06:52:04 2008
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [8:452]
> > :RH-Firewall-1-INPUT - [0:0]
> > -A INPUT -j RH-Firewall-1-INPUT
> > -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> > -A FORWARD -i eth1 -o eth0 -j ACCEPT
> > -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> > -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> > -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> > -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
> > # Completed on Thu Nov 20 06:52:04 2008
>
> -- "A society grows great when old men plant trees whose shade they know they shall never sit in" - Greek Proverb
I will need to edit the file manually and save it. Then try it again.
Regards,
Antonio
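As an added example, not code from this thread or from the iptables project: a small Python checker for a file in iptables-save format (what /etc/sysconfig/iptables holds) that reports the two problems Christopher points out, a missing SNAT rule in the nat table and a catch-all REJECT placed above the more specific ACCEPT rules in a chain. The sample rules are constructed from the ones quoted above, with the same interface names and addresses.

```python
import re

# Constructed sample in iptables-save format, modelled on the rules quoted in this thread.
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
COMMIT
*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# A rule whose only options are the target (plus an optional --reject-with) matches every packet.
CATCH_ALL = re.compile(r"-j \S+( --reject-with \S+)?")

def parse_save(text):
    # Returns {table: {chain: [rule, ...]}} with rules in the order iptables evaluates them.
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # table header, e.g. *nat
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):               # chain declaration with policy and counters
            tables[table][line[1:].split()[0]] = []
        elif line.startswith("-A "):             # rule appended to a chain
            chain, rule = line[3:].split(" ", 1)
            tables[table].setdefault(chain, []).append(rule)
    return tables

def audit(text):
    """Flag the two problems from the thread: no SNAT rule, and a catch-all that shadows later rules."""
    tables, problems = parse_save(text), []
    if not any("-j SNAT" in r for r in tables.get("nat", {}).get("POSTROUTING", [])):
        problems.append("nat: no SNAT rule in POSTROUTING")
    for table, chains in tables.items():
        for chain, rules in chains.items():
            for i, rule in enumerate(rules):
                if CATCH_ALL.fullmatch(rule) and i < len(rules) - 1:
                    problems.append(f"{table}/{chain}: catch-all '{rule}' at position {i + 1} "
                                    f"shadows {len(rules) - i - 1} later rule(s)")
                    break
    return problems
```

Run it against the real file with `audit(open("/etc/sysconfig/iptables").read())`; an empty list means both checks passed.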