Just a general remark.
When deploying a firewall, it is advisable to have (atleast for input, better for all) to have the general policy set to drop, and only allow in what you expect to be coming in. If you put a "-j log" line as a final line for each section, you'll see every packet you forgot about...
Now the default is "allow", and only doing some SNAT and DNAT rules...
hw
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jerry Geis
Sent: Tuesday, May 11, 2010 12:10 AM
To: CentOS ML
Subject: [CentOS] setup firewall with 3 nic cards
I have a centos box with 3 nics. eth0 is internal, eth1 is T1 data and eth2 is cable data.
Everything is working on eth2 cable. External NAT is working just fine for eth2.
However external address 74.x.x.x on eth1 is not working.
Below is my iptables information.
I setup eth1 same as eth2 just a different IP address of course. What did I miss that
eth1 and NAT is not working?
Just looking for both public IP's incoming to NAT to the correct IP address. Only 1 is working at this time.
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.1.0/24 0.0.0.0/0 to:24.123.23.170
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
24.123.23.168 0.0.0.0 255.255.255.248 U 0 0 0 eth2
74.223.8.176 0.0.0.0 255.255.255.240 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
0.0.0.0 24.123.23.169 0.0.0.0 UG 0 0 0 eth2
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
__________________________________________________ ____________________
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
05-21-2010, 07:54 PM
"James A. Peltier"
setup firewall with 3 nic cards
On Wed, 19 May 2010, J.Witvliet@mindef.nl wrote:
> Hi Jerry,
>
> Just a general remark.
> When deploying a firewall, it is advisable to have (atleast for input, better for all) to have the general policy set to drop, and only allow in what you expect to be coming in. If you put a "-j log" line as a final line for each section, you'll see every packet you forgot about...
>
> Now the default is "allow", and only doing some SNAT and DNAT rules...
>
> hw
And as a follow up remark, it would be advisable to have a network policy
in place that will help to define your rules. For example within a
university environment like mine, we allow everything in by default except
those services for which we want to explicitly block. Those that we want
to explicitly block are documented and we run tests to ensure that our
firewall is working as expected on a regular basis.
Define your "business rules" first and make your firewall rules follow
suit.
--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
HPC Coordinator
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpeltier@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_spam@hotmail.com
TEAMWORK
There's power in numbers. Learn to work together.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
setup firewall with 3 nic cards
