Have you tried the config file I sent you for /etc/sysconfig/iptables earlier? I tested it on my Fedora Core 2 box and confirmed that it works fine in Fedora.

Erik

On Tue, 15 Jun 2004 14:51:06 -0400, fedora <fedora@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Thanks for your help so far.
> Still no luck with the Host web browser.
>
> 1_ How should I enter that last -s !?
> # "iptables -A INPUT -s ! 192.168.0.0/16 -j DROP" ...?
>
> 2_ Here's what I have done so far...
>
> a) the Host at 192.168.1.10 can ping the Router at 192.168.1.1
> successfully without packet loss.
>
> b) removed default gateway for router eth1 (thanks rodolfo paiz)
> c) edited /etc/hosts (thanks rodolfo paiz)
>
> d) flushed rules and reset, without the "-s !"
> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> # iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
> # iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
>
> e) checked it worked
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> ACCEPT     all  --  192.168.0.0/16       anywhere
> ACCEPT     all  --  anywhere             192.168.0.0/16
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     ipv6-crypt--  anywhere             anywhere
> ACCEPT     ipv6-auth--  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> f) restart nw
> # /etc/init.d/network restart
> Shutting down interface eth0:            [  OK  ]
> Shutting down interface eth1:            [  OK  ]
> Shutting down loopback interface:        [  OK  ]
> Disabling IPv4 packet forwarding:        [  OK  ]
> Setting network parameters:              [  OK  ]
> Bringing up loopback interface:          [  OK  ]
> Bringing up interface eth0:              [  OK  ]
> Bringing up interface eth1:              [  OK  ]
>
> Result: Still no luck with web browser from Host.
>
> Anything else I should try?
> Or go straight to another tool, as others have suggested?
> Thanks to all other suggestions,
>
> Chris
>
> <original message>
> Subject: Re: nat masquerade router
> To: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
> Message-ID: <1087321492.3543.75.camel@xxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> On Tue, 15.06.2004 at 19:29, Michael Floyd wrote:
>
> > Well I see that you're using a 24 bit subnet mask ( 255.255.255.0 ) not a 16
> > bit ( 255.255.0.0 )
> > It would be your firewall rules that are blocking you.....
>
> Right.
>
> > These two lines......
> > # iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
> > # iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
> > # iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
> >
> > the IPs should be 192.168.1.0/24 not 192.168.0.0/16
> > the way it's written, you drop everything on your subnet.
>
> No :) That doesn't matter. 192.168.0.0/16 includes the 192.168.1.0/24
> net. He is just a bit more permissive than he needs to be. But it does no harm.
>
> What is causing the blocking is:
>
> iptables -A FORWARD -s ! 192.168.0.0/16 -j DROP
>
> It drops all incoming traffic not coming from the private address range.
> Thus packets from the public internet are dropped.
>
> What you intend is better placed in the INPUT chain.
>
> > Michael Floyd
>
> Alexander
> </original message>
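Added illustration (Python, not part of the thread): a toy model of the FORWARD chain exactly as Chris listed it. Because FORWARD jumps into RH-Firewall-1-INPUT before its two ACCEPT rules, a forwarded packet only gets through if that chain accepts it; the model shows TCP port 80 and established replies passing but the host's DNS lookup on UDP 53 hitting the final REJECT, which is worth checking before blaming the -s ! rule. It assumes the first "ACCEPT all" is Fedora's loopback rule (plain iptables -L omits its -i lo) and uses constructed 203.0.113.0/24 addresses.

```python
import ipaddress
from collections import namedtuple

# proto: tcp/udp/icmp; dport: destination port; state: conntrack NEW/ESTABLISHED/RELATED
Packet = namedtuple("Packet", "src dst proto dport state")

def in_net(ip, cidr, negate=False):
    # like -s/-d CIDR; negate=True is the "-s ! CIDR" form discussed in the thread
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)) != negate

# RH-Firewall-1-INPUT as listed: (match, target) in order. Assumption: the
# first "ACCEPT all" is Fedora's loopback rule, whose "-i lo" plain -L hides.
RH_FIREWALL = [
    (lambda p: False, "ACCEPT"),  # "-i lo" rule: never matches forwarded traffic
    (lambda p: p.proto == "icmp", "ACCEPT"),
    (lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT"),
    (lambda p: p.proto == "tcp" and p.state == "NEW"
               and p.dport in (80, 443, 21, 22), "ACCEPT"),  # http https ftp ssh
    (lambda p: True, "REJECT"),  # reject-with icmp-host-prohibited
]

# FORWARD as listed: the jump into RH-Firewall-1-INPUT is evaluated first.
FORWARD = [
    (lambda p: True, RH_FIREWALL),
    (lambda p: in_net(p.src, "192.168.0.0/16"), "ACCEPT"),
    (lambda p: in_net(p.dst, "192.168.0.0/16"), "ACCEPT"),
]

def run_chain(chain, pkt, policy="ACCEPT"):
    # first match wins; a list target is a jump into a user-defined chain
    for match, target in chain:
        if not match(pkt):
            continue
        if isinstance(target, list):
            verdict = run_chain(target, pkt, policy=None)
            if verdict is None:      # user chain fell off its end: keep going
                continue
            return verdict
        return target
    return policy

# Constructed sample traffic (203.0.113.0/24 is a documentation range).
SAMPLES = {
    "http_out":   Packet("192.168.1.10", "203.0.113.5", "tcp", 80, "NEW"),
    "dns_out":    Packet("192.168.1.10", "203.0.113.53", "udp", 53, "NEW"),
    "http_reply": Packet("203.0.113.5", "192.168.1.10", "tcp", 0, "ESTABLISHED"),
}

def verdicts():
    return {name: run_chain(FORWARD, p) for name, p in SAMPLES.items()}
```

Running `verdicts()` gives ACCEPT for the HTTP request and its reply but REJECT for the DNS query, so name resolution from the host fails even though port 80 is open.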