Re: set up NAT (network address translation) on local server

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



--- On Wed, 11/19/08, Christopher K. Johnson <ckjohnson@xxxxxxx> wrote:

> From: Christopher K. Johnson <ckjohnson@xxxxxxx>
> Subject: Re: set up NAT (network address translation) on local server
> To: "Community assistance, encouragement, and advice for using Fedora." <fedora-list@xxxxxxxxxx>
> Date: Wednesday, November 19, 2008, 4:00 PM
> No snat rule in effect!
> 
> Was the rule you provided in your original post verbatim? 
> Because it had 'a' instead of the public address. 
> In fact the rule seemed overly specific in other ways too.
> Here is what I have for a snat rule where the public
> (Internet) interface is eth1 (substitute your public ip
> address for a.b.c.d:
> 
> -A POSTROUTING -o eth1 -j SNAT --to-source a.b.c.d
> 
> Resulting in (again substituted a.b.c.d for the real public
> address):
> Chain POSTROUTING (policy ACCEPT 36819 packets, 4482K
> bytes)
> pkts bytes target     prot opt in     out     source       
>        destination        39065 2513K SNAT       all  --  * 
>     eth1    0.0.0.0/0            0.0.0.0/0          
> to:a.b.c.d
> 
> If your rule is correct, then you need to activate your
> iptables file rules by:
> service iptables restart
> 
> Chris
> >  pkts bytes target     prot opt in     out     source 
>              destination
> > 
> > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source 
>              destination
> >   
> 
> 
> --   "A society grows great when old men plant trees
> whose shade they know
>   they shall never sit in" - Greek Proverb
> 
> -- fedora-list mailing list

I have done the following: 

[olivares@localhost ~]$ su -
Password:                   
[root@localhost ~]# lsmod | grep ipta*
[root@localhost ~]# modprobe iptable_nat
[root@localhost ~]# iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
[root@localhost ~]# service dhcpd stop
Shutting down dhcpd:                                       [  OK  ]
[root@localhost ~]# service dhcpd start
Starting dhcpd:                                            [  OK  ]
[root@localhost ~]# service dhcpd stop                            
Shutting down dhcpd:                                       [  OK  ]
[root@localhost ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT  
[root@localhost ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT                                                          
[root@localhost ~]# iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
[root@localhost ~]# service dhcpd start
Starting dhcpd:                                            [  OK  ]
[root@localhost ~]# iptables -vnL -t nat                           
Chain PREROUTING (policy ACCEPT 186 packets, 24044 bytes)          
 pkts bytes target     prot opt in     out     source               destination                                                                                 

Chain POSTROUTING (policy ACCEPT 3 packets, 144 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 
  108  6705 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0                                                                                  
    0     0 SNAT       all  --  *      eth0    192.168.1.0/24       0.0.0.0/0           to:10.154.19.210                                                        

Chain OUTPUT (policy ACCEPT 111 packets, 6849 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 
[root@localhost ~]# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: nat filter      [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Loading additional modules: ip_conntrack_netbios_[  OK  ]
[root@localhost ~]# iptables -vnL -t nat                       
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)            
 pkts bytes target     prot opt in     out     source               destination                                                                                 

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 
[root@localhost ~]# service dhcpd stopShutting down dhcpd:                                       [  OK  ]
[root@localhost ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT[root@localhost ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT                                                          
[root@localhost ~]# iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210                                                  
[root@localhost ~]# iptables -vnL -t natChain PREROUTING (policy ACCEPT 1 packets, 233 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 
    0     0 SNAT       all  --  *      eth0    192.168.1.0/24       0.0.0.0/0           to:10.154.19.210                                                        

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 
[root@localhost ~]# iptables-save 
# Generated by iptables-save v1.4.1.1 on Thu Nov 20 06:52:04 2008
*nat                                                             
:PREROUTING ACCEPT [1:233]                                       
:POSTROUTING ACCEPT [0:0]                                        
:OUTPUT ACCEPT [0:0]                                             
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210 
COMMIT                                                                     
# Completed on Thu Nov 20 06:52:04 2008                                    
# Generated by iptables-save v1.4.1.1 on Thu Nov 20 06:52:04 2008          
*filter                                                                    
:INPUT ACCEPT [0:0]                                                        
:FORWARD ACCEPT [0:0]                                                      
:OUTPUT ACCEPT [8:452]                                                     
:RH-Firewall-1-INPUT - [0:0]                                               
-A INPUT -j RH-Firewall-1-INPUT                                            
-A FORWARD -j REJECT --reject-with icmp-host-prohibited                    
-A FORWARD -i eth1 -o eth0 -j ACCEPT                                       
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Nov 20 06:52:04 2008
[root@localhost ~]# service iptables restartiptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: nat filter      [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Loading additional modules: ip_conntrack_netbios_[  OK  ]
[root@localhost ~]#

[root@localhost ~]# service dhcpd start
Starting dhcpd:                                            [  OK  ]

But output changes again?  Do I need to add add iptables service?

[root@localhost ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]#

I also checked iptable service running?: 
[root@localhost ~]# chkconfig iptables --list                                   
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off           
[root@localhost ~]# lsmod | grep iptable*                                       
iptable_nat             8712  0                                                 
nf_nat                 17944  1 iptable_nat   


Thanks,

Antonio 


      

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux