Re: nat masquerade router
Erik Espinoza
erik.espinoza at gmail.com
Tue Jun 15 19:27:42 UTC 2004
Have you tried the config file I sent you for /etc/sysconfig/iptables
earlier? I tested it on my Fedora Core 2 box and confirmed that it
works fine in Fedora.
Erik
On Tue, 15 Jun 2004 14:51:06 -0400, fedora <fedora at christopherrussell.net> wrote:
>
> Thanks for your help so far-
> still no luck with the Host web browser.
>
> 1_ How should I enter that last -s !?
> #"iptables -A INPUT -s ! 192.168.0.0/16 -j DROP " ...?
>
> 2_ Here's what I have done so far...
>
> a) the Host at 192.168.1.10 can ping the Router at 192.168.1.1
> successfully without packet loss.
>
> b) removed default gateway for router eth1 (thanks rodolfo paiz)
> c) edited /etc/hosts (thanks rodolfo paiz)
>
> d) flushed rules and reset, without the "-s !"
> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> # iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
> # iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
>
> e) checked it worked
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
> ACCEPT all -- 192.168.0.0/16 anywhere
> ACCEPT all -- anywhere 192.168.0.0/16
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT icmp -- anywhere anywhere icmp any
> ACCEPT ipv6-crypt -- anywhere anywhere
> ACCEPT ipv6-auth -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>
> f) restart nw
> # /etc/init.d/network restart
> Shutting down interface eth0: [ OK ]
> Shutting down interface eth1: [ OK ]
> Shutting down loopback interface: [ OK ]
> Disabling IPv4 packet forwarding: [ OK ]
> Setting network parameters: [ OK ]
> Bringing up loopback interface: [ OK ]
> Bringing up interface eth0: [ OK ]
> Bringing up interface eth1: [ OK ]
>
> Result: Still no luck with web browser from Host.
>
> anything else I should try?
> Or go straight to another tool, as others have suggested?
> Thanks to all other suggestions,
>
> Chris
>
> <original message>
> Subject: Re: nat masquerade router
> To: For users of Fedora Core releases <fedora-list at redhat.com>
> Message-ID: <1087321492.3543.75.camel at serendipity.dogma.lan>
> Content-Type: text/plain; charset="us-ascii"
>
> Am Di, den 15.06.2004 schrieb Michael Floyd um 19:29:
>
> > Well I see that you're using a 24 bit subnet mask ( 255.255.255.0 ) not a 16
> > bit ( 255.255.0.0 )
> > It would be your firewall rules that are blocking you.....
>
> Right.
>
> > These two lines......
> > # iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
> > # iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
> > # iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
> >
> > the ip's should be 192.168.1.0/24 not 192.168.0.0/16
> > the way it's written, you drop everything on your subnet.
>
> No :) That doesn't matter. 192.168.0.0/16 includes the 192.168.1.0/24
> net. He is just a bit more permissive than he needs to be. But it does no harm.
>
> What is causing the blocking is:
>
> iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
>
> It drops all incoming traffic not coming from the private address range.
> Thus packets from the public internet are dropped.
>
> What you intend is better placed to the INPUT chain.
>
> > Michael Floyd
>
> Alexander
> </original message>
>
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
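What the thread converges on, written out as a complete ruleset, as an added example that is not code from the thread, from Erik's config file, or from Fedora. It assumes eth0 faces the internet, eth1 faces the LAN, and the LAN is 192.168.1.0/24 (the /24 Michael mentions); the function names are mine. It uses the older `-m state` match because that is what the `iptables -L` listing above shows. Two points a practitioner would check against the listing: `-A FORWARD -s ! 192.168.0.0/16 -j DROP` drops every forwarded packet with a public source, which is exactly what every reply to a LAN host looks like, so replies only need to pass a `RELATED,ESTABLISHED` match; and FORWARD's first rule in the listing jumps to RH-Firewall-1-INPUT, whose final REJECT fires before the ACCEPT rules appended after it, so anything that chain does not accept (UDP DNS from the LAN, for instance) never reaches them. The restart output above also shows IPv4 forwarding being disabled on shutdown, so the script turns it on explicitly.

```shell
#!/bin/sh
# Added example (not code from the thread): stateful masquerading ruleset for a
# two-interface router. Assumed: eth0 = internet side, eth1 = LAN side,
# LAN prefix 192.168.1.0/24. Override with environment variables if needed.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the commands instead of running them, so the ruleset can be reviewed
# or checked by a script on a machine where you are not root.
nat_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}
# Notes on the rules above:
#  - "-F FORWARD" also removes the jump to RH-Firewall-1-INPUT seen in the
#    listing; that chain ends in REJECT and is evaluated before any ACCEPT
#    rule appended after it. INPUT is left untouched: the host firewall is a
#    separate concern from forwarding.
#  - Policy DROP plus one outbound ACCEPT and one RELATED,ESTABLISHED ACCEPT
#    replaces the "-s ! 192.168.0.0/16 -j DROP" rule: replies are admitted
#    only for connections the LAN side opened, unsolicited inbound hits DROP.
#  - MASQUERADE is limited to the LAN prefix so nothing else gets rewritten.

# True when the kernel will actually forward (the restart output in the
# thread shows forwarding being disabled; without it no rule matters).
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Run the generated commands; refuses to proceed unless root and stops on
# the first failing command.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be root" >&2
        return 1
    fi
    nat_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | sh -e
}

case "${1:-show}" in
    show)   nat_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" ;;
    apply)  apply_rules ;;
    status) if forwarding_enabled; then
                echo "ip_forward=1"
            else
                echo "ip_forward=0 (box will not route)"
            fi ;;
    *)      echo "usage: $0 [show|apply|status]" >&2; exit 2 ;;
esac
```

Run it with `show` first and read the output; `apply` loads it, and on Fedora the running rules can then be written to /etc/sysconfig/iptables (the file Erik refers to) with `iptables-save` so they survive a network restart.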
More information about the fedora-list
mailing list