RH9, NAT and routing

Pete Nesbitt pete at linux1.ca
Tue Jun 8 01:12:10 UTC 2004 

On June 7, 2004 02:26 pm, Bob Smith wrote:
> I'm trying to set up my local network so that my RH9 box acts as a router
> between my LAN and the Internet via a DSL connection.  The DSL connection
> is solid and working, and I have no problems accessing the Web.  I think
> that I set the operation up correctly, but it's not working, hence my yelp
> for help...
>
> The DSL modem is accessed via eth0, the LAN via eth1.  Traffic on either
> side works well, and I have DNS working such that I can access DNS values
> for sites not in my local DNS configuration throughout my LAN.  The
> exterior network values are correct for the DSL connection and the
> network connection values for the ISP.
>
> I used the RHCE study manual as a guide, and did the following:
>
> In IP tables, created a forwarding rule, as it appears in this excerpt
> from the file:
>
> *nat
> -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
>
> In /etc/sysctl.conf, I turned on forwarding:
> net.ipv4.ip_forward = 1
>
> After reboot, the /proc/sys/net/ipv4/ip_forward file has a value of 1.
>
> I set up ftp as recommended in the manual:
>
> /sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
>
> At this point, I can get any DNS query vi nslookup that I want, and get a
> return value.  However, I cannot FTP out, I can't get out via web browser,
> and ping returns "Request timed out."  Traffic within the LAN is fine, and
> traffic up to the Internet is fine.
>
> So, I'm thinking that I need some kind of either forwarding or routing
> rule to be configured for one of the ethernet card interfaces to allow
> forwarding.  I checked with Evi's Linux Sys Admin book, and I think the
> routing rules are correct, but I'm not sure.
>
> Any help would be appreciated.
>
> Thanks,
>
> -Bob


Hi,
I have a similar fw (but 3 nics). 
here is the basic sequence of the pertinent rules from my fw to let LAN 
traffic out. Depending on your comfort level, using firestarter may be 
preferred. These are only a few of a complete set.

# Default deny all inbound & forwards.
# probably just allow all out, your discretion, but if you deny all outbound
# you won't contribute to DD0S, just make last one DENY as well then
# allow the desired services out.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# outbound LAN connections are all masquaraded
$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -s $LAN_RANGE -j MASQUERADE

# allow existing communications to continue
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# forward 
$IPTABLES -A FORWARD -i $LAN_IF -s $LAN_RANGE  -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# I end each section (input, forward, output) with log and drop, here the
# forward set
$IPTABLES -A FORWARD -m limit -j LOG --log-prefix "NetF FORWARD CHAIN: "
$IPTABLES -A FORWARD -j DROP

Of course, there should be other rules in place, but this should allow 
successful outbound connections from your LAN. 

Hope that helps.
-- 
Pete Nesbitt, rhce

More information about the redhat-list mailing list