--- On Wed, 11/19/08, Christopher K. Johnson <ckjohnson@xxxxxxx> wrote:

> From: Christopher K. Johnson <ckjohnson@xxxxxxx>
> Subject: Re: set up NAT (network address translation) on local server
> To: "Community assistance, encouragement, and advice for using Fedora." <fedora-list@xxxxxxxxxx>
> Date: Wednesday, November 19, 2008, 4:00 PM
>
> No snat rule in effect!
>
> Was the rule you provided in your original post verbatim?
> Because it had 'a' instead of the public address.
> In fact the rule seemed overly specific in other ways too.
> Here is what I have for a snat rule where the public
> (Internet) interface is eth1 (substitute your public ip
> address for a.b.c.d:
>
> -A POSTROUTING -o eth1 -j SNAT --to-source a.b.c.d
>
> Resulting in (again substituted a.b.c.d for the real public
> address):
> Chain POSTROUTING (policy ACCEPT 36819 packets, 4482K bytes)
> pkts bytes target prot opt in out source destination
> 39065 2513K SNAT all -- * eth1 0.0.0.0/0 0.0.0.0/0 to:a.b.c.d
>
> If your rule is correct, then you need to activate your
> iptables file rules by:
> service iptables restart
>
> Chris
>
> > pkts bytes target prot opt in out source destination
> >
> > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> > pkts bytes target prot opt in out source destination
> >
> >
>
> --
> "A society grows great when old men plant trees whose shade they know
> they shall never sit in" - Greek Proverb
>
> --
> fedora-list mailing list

I have done the following:

[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# lsmod | grep ipta*
[root@localhost ~]# modprobe iptable_nat
[root@localhost ~]# iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
[root@localhost ~]# service dhcpd stop
Shutting down dhcpd: [ OK ]
[root@localhost ~]# service dhcpd start
Starting dhcpd: [ OK ]
[root@localhost ~]# service dhcpd stop
Shutting down dhcpd: [ OK ]
[root@localhost ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
[root@localhost ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost ~]# iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
[root@localhost ~]# service dhcpd start
Starting dhcpd: [ OK ]
[root@localhost ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 186 packets, 24044 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 3 packets, 144 bytes)
pkts bytes target prot opt in out source destination
108 6705 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 SNAT all -- * eth0 192.168.1.0/24 0.0.0.0/0 to:10.154.19.210

Chain OUTPUT (policy ACCEPT 111 packets, 6849 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: nat filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
iptables: Loading additional modules: ip_conntrack_netbios_[ OK ]
[root@localhost ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# service dhcpd stop
Shutting down dhcpd: [ OK ]
[root@localhost ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
[root@localhost ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost ~]# iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
[root@localhost ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 233 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * eth0 192.168.1.0/24 0.0.0.0/0 to:10.154.19.210

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.1.1 on Thu Nov 20 06:52:04 2008
*nat
:PREROUTING ACCEPT [1:233]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
COMMIT
# Completed on Thu Nov 20 06:52:04 2008
# Generated by iptables-save v1.4.1.1 on Thu Nov 20 06:52:04 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:452]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Nov 20 06:52:04 2008
[root@localhost ~]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: nat filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
iptables: Loading additional modules: ip_conntrack_netbios_[ OK ]
[root@localhost ~]#
[root@localhost ~]# service dhcpd start
Starting dhcpd: [ OK ]

But output changes again? Do I need to add iptables service?

[root@localhost ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]#

I also checked iptable service running?:

[root@localhost ~]# chkconfig iptables --list
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@localhost ~]# lsmod | grep iptable*
iptable_nat 8712 0
nf_nat 17944 1 iptable_nat

Thanks,

Antonio

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
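
Added example, not part of the original messages: in the iptables-save output above, the FORWARD chain holds an unconditional REJECT ahead of the two ACCEPT rules appended with `-A`, and since rules are evaluated in order, forwarded packets never reach them. The function below flags such shadowed rules in iptables-save text; `find_shadowed` and `SAMPLE` are names made up for this example, and the sample is the FORWARD portion of the dump above.

```shell
#!/bin/sh
# Sample input: FORWARD-related lines copied from the iptables-save dump
# in the message above (not taken from a live system).
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:452]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# find_shadowed (hypothetical helper): read iptables-save text on stdin and
# print every rule that sits after an unconditional ACCEPT/DROP/REJECT in the
# same table and chain. Such a rule can never match a packet.
find_shadowed() {
    awk '
    /^\*/ {                        # "*nat", "*filter": a new table begins
        table = substr($0, 2)
        split("", blocker)         # portable way to clear the array
        next
    }
    $1 == "-A" {
        chain = $2
        if (chain in blocker) {
            printf "%s/%s: \"%s\" is unreachable after \"%s\"\n", table, chain, $0, blocker[chain]
            next
        }
        # iptables-save writes match options before -j, so "-j" directly
        # after the chain name means the rule has no match conditions.
        if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
            blocker[chain] = $0
    }'
}

# Stand-alone run: report the shadowed rules in the sample.
printf '%s\n' "$SAMPLE" | find_shadowed
```

On a live system the input would be `iptables-save | find_shadowed`; inserting the ACCEPT rules ahead of the REJECT with `iptables -I FORWARD` instead of appending with `-A` clears both findings. Separately, `service iptables restart` flushes the kernel tables and reloads the saved rules file (/etc/sysconfig/iptables on Fedora), so rules typed at the prompt and never saved are gone afterwards, as the empty nat table above shows.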