--- On Thu, 11/20/08, Christopher K. Johnson <ckjohnson@xxxxxxx> wrote:

> From: Christopher K. Johnson <ckjohnson@xxxxxxx>
> Subject: Re: set up NAT (network address translation) on local server
> To: "Community assistance, encouragement, and advice for using Fedora." <fedora-list@xxxxxxxxxx>
> Date: Thursday, November 20, 2008, 5:52 AM
>
> Does /etc/sysconfig/iptables actually contain the lines
>
> *nat
> :PREROUTING ACCEPT [1:233]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
> COMMIT
>

It seems that it does not contain those lines :(

[root@localhost ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Where should I add those lines, on top or below?

> It seems unlikely that it was written correctly since the
> restart did not implement your SNAT rule, and this file is
> what a restart reads. Perhaps there is a bug in
> iptables-save? I edit /etc/sysconfig/iptables directly, and
> recommend that if you are not using some firewall front-end
> or tool to do this, that you do the same.
>
> There is another problem in the rules you listed. It would
> not prevent the SNAT rule from being implemented, so this is
> an unrelated problem. But it would prevent the forwarding
> you wanted:
>
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -i eth1 -o eth0 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Note that the REJECT is above your ACCEPT rules. You need
> to move it below them because the REJECT is very general and
> will catch everything, preventing the ACCEPT rules from
> being applied.
>
> -A FORWARD -i eth1 -o eth0 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>
> I presume from the addresses that this is natting one
> private network onto another private network. So this last
> note is not critical as it would be if connecting onto the
> Internet. Once you get this working as you intended, I
> recommend you alter or remove these rules too, depending on
> whether you wish people on the 10 network to have access to
> services on your server:
>
> # Permit IPSEC peer communications. Unless you are configuring IPSEC tunnels, you should comment these out.
> #-A RH-Firewall-1-INPUT -p esp -j ACCEPT
> #-A RH-Firewall-1-INPUT -p ah -j ACCEPT
>
> # Permit hosts to announce themselves to the avahi-daemon's multicast dns service
> -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
>
> # Permit connections to the CUPS service (successful connections may be governed by the CUPS config)
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>
> # Permit access to the ssh server. There is nothing wrong with that as long as you harden /etc/ssh/sshd_config
> # to be more restrictive. By default it allows password authentication of all users including root, and
> # other service accounts.
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>
>
> Antonio Olivares wrote:
> > *nat
> > :PREROUTING ACCEPT [1:233]
> > :POSTROUTING ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
> > COMMIT
> > # Completed on Thu Nov 20 06:52:04 2008
> > # Generated by iptables-save v1.4.1.1 on Thu Nov 20 06:52:04 2008
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [8:452]
> > :RH-Firewall-1-INPUT - [0:0]
> > -A INPUT -j RH-Firewall-1-INPUT
> > -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> > -A FORWARD -i eth1 -o eth0 -j ACCEPT
> > -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> > -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> > -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> > -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
> > # Completed on Thu Nov 20 06:52:04 2008
>
> --
> "A society grows great when old men plant trees whose shade they know
> they shall never sit in" - Greek Proverb
>
> --
> fedora-list mailing list

I will need to edit the file manually and save it. Then try it again.

Regards,
Antonio

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
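As an added check that is not part of the thread, a small Python linter that applies both of Christopher's points to an iptables-save dump: it lists rules shadowed by an unconditional REJECT/DROP placed above them in the same chain, and reports whether a *nat POSTROUTING SNAT rule for the given source network and outbound interface is present. The sample dump is constructed from the FORWARD rules quoted above; the function names are my own.

```python
"""Lint an iptables-save dump: find rules shadowed by an unconditional
REJECT/DROP above them, and confirm the *nat POSTROUTING SNAT rule exists."""

# Constructed sample: the FORWARD chain as posted, with REJECT above the ACCEPTs.
SAMPLE = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse(dump):
    """Return {table: {chain: [rule token lists]}}; comments and COMMIT are skipped."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:].strip(), {})
        elif line.startswith(":"):
            table.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            toks = line.split()
            table.setdefault(toks[1], []).append(toks[2:])
    return tables

def shadowed_rules(dump):
    """(table, chain, rule) for every rule that sits below a match-less REJECT/DROP."""
    found = []
    for tname, chains in parse(dump).items():
        for cname, rules in chains.items():
            blocked = False
            for toks in rules:
                if blocked:
                    found.append((tname, cname, " ".join(toks)))
                elif toks[0] == "-j" and toks[1] in ("REJECT", "DROP"):
                    blocked = True  # no match options: catches every packet
    return found

def opt(toks, flag):
    i = toks.index(flag) if flag in toks else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else None

def has_snat(dump, src, out_if):
    """True if *nat POSTROUTING has an SNAT or MASQUERADE rule for src leaving out_if."""
    return any(opt(t, "-s") == src and opt(t, "-o") == out_if
               and opt(t, "-j") in ("SNAT", "MASQUERADE")
               for t in parse(dump).get("nat", {}).get("POSTROUTING", []))
```

Run it over the saved file with `shadowed_rules(open("/etc/sysconfig/iptables").read())` after editing; an empty list and `has_snat(...) == True` means the file matches what the reply describes.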