
Re: set up NAT (network address translation) on local server



Does /etc/sysconfig/iptables actually contain the lines

*nat
:PREROUTING ACCEPT [1:233]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
COMMIT

It seems unlikely that it was written correctly since the restart did not implement your SNAT rule, and this file is what a restart reads. Perhaps there is a bug in iptables-save? I edit /etc/sysconfig/iptables directly, and recommend that, if you are not using some firewall front-end or tool to do this, you do the same.

There is another problem in the rules you listed. It would not prevent the SNAT rule from being implemented, so this is an unrelated problem. But it would prevent the forwarding you wanted:

-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Note that the REJECT is above your ACCEPT rules. You need to move it below them because the REJECT is very general and will catch everything, preventing the ACCEPT rules from being applied.

-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

I presume from the addresses that this is natting one private network onto another private network. So this last note is not as critical as it would be if connecting to the Internet. Once you get this working as you intended, I recommend you alter or remove these rules too, depending on whether you wish people on the 10 network to have access to services on your server:

# Permit IPSEC peer communications.  Unless you are configuring IPSEC tunnels, you should comment these out.
#-A RH-Firewall-1-INPUT -p esp -j ACCEPT
#-A RH-Firewall-1-INPUT -p ah -j ACCEPT

# Permit hosts to announce themselves to the avahi-daemon's multicast dns service
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT

# Permit connections to the CUPS service (successful connections may be governed by the CUPS config)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

# Permit access to the ssh server.  There is nothing wrong with that as long as you harden /etc/ssh/sshd_config
# to be more restrictive. By default it allows password authentication of all users including root, and
# other service accounts.
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT



Antonio Olivares wrote:
*nat
:PREROUTING ACCEPT [1:233]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
COMMIT
# Completed on Thu Nov 20 06:52:04 2008
# Generated by iptables-save v1.4.1.1 on Thu Nov 20 06:52:04 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:452]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Nov 20 06:52:04 2008


--
  "A society grows great when old men plant trees whose shade they know
  they shall never sit in" - Greek Proverb
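As an added example (not part of this thread, and not a tool either poster used), the following Python script checks an iptables-save dump for the ordering problem discussed above: a catch-all REJECT or DROP rule placed before more specific rules in the same chain, which makes every rule after it unreachable. It reports such chains and emits the dump with the catch-all rule moved to the end, which is the fix the reply recommends for the FORWARD chain. The sample dump is constructed from the rules quoted in the thread; packet counters and comment lines are ignored, and no live iptables is touched.

```python
"""Lint an iptables-save dump for catch-all terminal rules that shadow later
rules in the same chain, and print the dump with those rules moved last.
Added example for this thread; the sample below is constructed from the
rules quoted in it."""
import shlex

# Constructed sample: FORWARD has its catch-all REJECT first (the bug),
# RH-Firewall-1-INPUT has it last (correct).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [1:233]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:452]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Targets that end traversal of the chain for a matching packet.
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


def parse_dump(text):
    """Parse iptables-save text into {table: {chain: {"header", "rules"}}}.
    Each rule is the token list after '-A <chain>'; comments are skipped."""
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):
            chain = line[1:].split()[0]
            tables[table][chain] = {"header": line, "rules": []}
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            tables[table][tokens[1]]["rules"].append(tokens[2:])
    return tables


def target_of(rule):
    """The jump target of a rule ('-j TARGET')."""
    return rule[rule.index("-j") + 1]


def is_catch_all_terminal(rule):
    """True when the rule has no match options before -j (matches every
    packet) and its target ends chain traversal."""
    return rule[0] == "-j" and target_of(rule) in TERMINAL_TARGETS


def find_shadowed(tables):
    """Return (table, chain, position, shadowed_count) for each chain whose
    first catch-all terminal rule is followed by rules that can never match."""
    findings = []
    for table, chains in tables.items():
        for chain, data in chains.items():
            rules = data["rules"]
            for pos, rule in enumerate(rules):
                if is_catch_all_terminal(rule):
                    if pos < len(rules) - 1:
                        findings.append((table, chain, pos, len(rules) - pos - 1))
                    break  # later catch-alls are already dead code
    return findings


def reorder(tables):
    """Move catch-all terminal rules to the end of their chain, keeping the
    relative order of the specific rules (the fix suggested in the reply)."""
    for chains in tables.values():
        for data in chains.values():
            specific = [r for r in data["rules"] if not is_catch_all_terminal(r)]
            catch_all = [r for r in data["rules"] if is_catch_all_terminal(r)]
            data["rules"] = specific + catch_all
    return tables


def render(tables):
    """Emit the parsed structure back in iptables-save format."""
    out = []
    for table, chains in tables.items():
        out.append("*" + table)
        out.extend(data["header"] for data in chains.values())
        for chain, data in chains.items():
            out.extend("-A %s %s" % (chain, " ".join(r)) for r in data["rules"])
        out.append("COMMIT")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for table, chain, pos, n in find_shadowed(parsed):
        print("%s/%s: catch-all rule at position %d shadows %d later rule(s)"
              % (table, chain, pos, n))
    print(render(reorder(parsed)))
```

Run it against a real dump with `iptables-save | python3 lint_rules.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`; review the reordered output by eye before writing it to /etc/sysconfig/iptables, since moving a rule is a policy change, not just a syntax fix.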

