re nat masquerade router
jludwig
wralphie at comcast.net
Wed Jun 16 13:03:18 UTC 2004
On Tue, 2004-06-15 at 16:43, fedora wrote:
> >Just as a question: the # are just in your mail? Hope so!
>
> They are just in the mail, as I copied my commands from the console
>
> >Leave away line 2 and 3. Just use the POSTROUTING rule and none for
> >FORWARD, given that the FORWARD policy is set to accept.
>
> 1_ I flushed the Ruleset, Enabled Firewall, added Trusted Services SSH,
> FTP and HTTP (WWW). Should I have added "Trusted Devices of eth1"?
> Because I did not.
>
> 2_ then
> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT icmp -- anywhere anywhere icmp any
> ACCEPT ipv6-crypt-- anywhere anywhere
> ACCEPT ipv6-auth-- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>
> 3_
> # vi /etc/sysconfig/iptables
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> >Question: how is your router connected to the internet? Try
> >echo 0 > /proc/sys/net/ipv4/tcp_ecn
>
> Doesn't echo anything, but when I vi it, there is "0"
>
> I connect by cable modem.
>
> Still cannot get Host to connect to Internet!
>
> >Have you tried the config file I sent you... (Erik Espinoza)
> Thanks Erik. No I have not tried that yet, but saved it to attempt later
> tonight.
>
> Any other advice? Perhaps I need to re-image the host? I just noticed
> the clock and rh applet disappeared since I untarred a FC1 /home/user dir
> onto a user account on the FC2 Host... ?
>
> Thanks in advance
> Chris
1) I would also check resolv.conf for nameserver IPs and add eth1 as a
trusted device.
2) Check <cat /proc/sys/net/ipv4/ip_forward>; it should be 1. If not, change
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
in /etc/sysctl.conf.
3) Try <iptables -L -v -n> to see what rules are seeing packets and
where they are lost.
jludwig <wralphie at comcast.net>
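As an added example (not code from this thread, nor from Fedora's own firewall tool), the POSIX shell script below puts the three checks above together with a complete ruleset for a masquerading router in the /etc/sysconfig/iptables format quoted earlier in the thread. The interface names (eth0 towards the cable modem, eth1 towards the LAN), the LAN network 192.168.1.0/24 and the counter output embedded as SAMPLE_COUNTERS are assumptions made up for the example. One deliberate difference from the quoted file: the FORWARD chain no longer jumps into RH-Firewall-1-INPUT. That chain ends in REJECT, so with the quoted file every NEW forwarded connection to anything other than TCP ports 21, 22, 80 and 443 (DNS on UDP 53, for instance) is rejected before the MASQUERADE rule ever sees it; here FORWARD gets its own LAN-to-WAN rules, and the nat table is written into the file so the MASQUERADE rule survives a restart (the quoted file has no *nat section at all).

```shell
#!/bin/sh
# Added example for the fedora-list NAT/masquerade thread; not code from the
# thread itself. Assumptions (hypothetical): eth0 faces the cable modem,
# eth1 faces the LAN, and the LAN is 192.168.1.0/24.

# Emit an /etc/sysconfig/iptables file for a masquerading router.
# Arguments: WAN interface, LAN interface, LAN network in CIDR notation.
# FORWARD gets its own rules instead of jumping to RH-Firewall-1-INPUT,
# whose final REJECT would stop every NEW forwarded connection that is
# not aimed at one of the listed service ports.
masq_ruleset() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -s $net -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i $lan -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i $lan -o $wan -s $net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Return 0 if the kernel forwards IPv4 packets, 1 otherwise. The optional
# path argument lets the check run against a sample file instead of /proc.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Read `iptables -L -v -n` output on stdin and print every REJECT/DROP rule
# that has counted packets, prefixed with its chain name: that is where the
# traffic is being lost. Chain headers look like "Chain FORWARD (policy ...)".
dropping_rules() {
    awk '
        /^Chain / { chain = $2; next }
        $1 ~ /^[0-9]+[KMG]?$/ && $1 != "0" && ($3 == "REJECT" || $3 == "DROP") {
            print chain ": " $0
        }'
}

# Constructed sample of `iptables -L -v -n` output for the ruleset quoted in
# the thread, after a LAN host tried a few DNS lookups through the router.
SAMPLE_COUNTERS='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  3200 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   456 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   30  2400 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4   320 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    6   456 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Stand-alone use: print the generated ruleset, then show which REJECT/DROP
# rule in the sample counters is eating the forwarded packets.
masq_ruleset eth0 eth1 192.168.1.0/24
printf '%s\n' "$SAMPLE_COUNTERS" | dropping_rules
```

To apply it on the router (as root): `masq_ruleset eth0 eth1 192.168.1.0/24 > /etc/sysconfig/iptables`, then `service iptables restart`, and `sysctl -w net.ipv4.ip_forward=1` alongside the /etc/sysctl.conf edit above. The MASQUERADE rule is restricted to `-s 192.168.1.0/24` so that only LAN-originated traffic is rewritten, and the router itself only accepts SSH from the WAN side; add further `--dport` lines to RH-Firewall-1-INPUT if the box should also serve FTP or HTTP to the outside.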