setup firewall with 3 nic cards
I am trying to set up some rules on a box with 3 nic cards. Two internet
connections and one office connection.

eth0 is office
eth1 is internet T1
eth2 is internet Cable

When I do "iptables -F" then iptables -L everything is gone as it should be.

Then I do

iptables -t nat -A PREROUTING -p tcp -d $MYIP --dport 6550 -j DNAT --to $INTERNAL_ADDRESS:6550
iptables -t nat -A POSTROUTING -d $INTERNAL_ADDRESS -j SNAT --to $GWIP

then I do iptables -L again and the rule is not there.
Am I missing something? I have tried -I and -A both.

Thanks,

Jerry
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
setup firewall with 3 nic cards
On 8 May 2010 14:12, Jerry Geis <geisj@pagestation.com> wrote:
> then I do iptables -L again and the rule is not there. Am I missing
> something?

Try iptables -t nat -L, though you may want to use the -n option too.

From the iptables manpage[1]:

"-L, --list [chain]
    List all rules in the selected chain. If no chain is selected, all
    chains are listed. As every other iptables command, it applies to the
    specified table (filter is the default), so NAT rules get listed by

        iptables -t nat -n -L

    Please note that it is often used with the -n option, in order to avoid
    long reverse DNS lookups. It is legal to specify the -Z (zero) option as
    well, in which case the chain(s) will be atomically listed and zeroed.
    The exact output is affected by the other arguments given. The exact
    rules are suppressed until you use

        iptables -L -v"

Ben

[1] http://linux.die.net/man/8/iptables
setup firewall with 3 nic cards
Thanks for the "-t nat" suggestion.

How does someone debug iptables?
Seems like the local eth0 is working, eth2 is working but connections
on eth1 don't seem to go anywhere.
How can I tell what is happening for eth1 and iptables?

Thanks,

Jerry
setup firewall with 3 nic cards
On Saturday 08 May 2010 14:46, Jerry Geis wrote:
> How does someone debug iptables?
> Seems like the local eth0 is working, eth2 is working but connections
> on eth1 don't seem to go anywhere.
> How can I tell what is happening for eth1 and iptables?

Maybe it's your routing? Post both the firewall rules and your routing table.

--
Regards
Robert
Linux User #296285
http://counter.li.org
setup firewall with 3 nic cards
On Sat, May 08, 2010 at 02:46:17PM -0400, Jerry Geis wrote:
> Thanks for the "-t nat" suggestion.
>
> How does someone debug iptables?
> Seems like the local eth0 is working, eth2 is working but connections
> on eth1 don't seem to go anywhere.
> How can I tell what is happening for eth1 and iptables?

Use iproute2 with fwmark rules. Then mix it with iptables `-j MARK' or use
`-j ROUTE' instead of fwmark and `-j MARK'.

--
Dominik Zyla
setup firewall with 3 nic cards
I have a centos box with 3 nics. eth0 is internal, eth1 is T1 data and eth2 is cable data.
Everything is working on eth2 cable. External NAT is working just fine for eth2.
However external address 74.x.x.x on eth1 is not working.

Below is my iptables information.

I set up eth1 same as eth2, just a different IP address of course. What did I miss that
eth1 and NAT is not working?

Just looking for both public IP's incoming to NAT to the correct IP address. Only 1 is working at this time.

Thanks,

Jerry

---------------

Chain INPUT (policy ACCEPT)
target               prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target               prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target               prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited


Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            24.123.23.170       tcp dpt:22 to:192.168.1.209:22
DNAT       tcp  --  0.0.0.0/0            24.123.23.170       tcp dpt:25 to:192.168.1.209:25
DNAT       tcp  --  0.0.0.0/0            24.123.23.170       tcp dpt:80 to:192.168.1.209:80
DNAT       tcp  --  0.0.0.0/0            74.223.8.179        tcp dpt:22 to:192.168.1.58:22
DNAT       tcp  --  0.0.0.0/0            74.223.8.179        tcp dpt:25 to:192.168.1.58:25
DNAT       tcp  --  0.0.0.0/0            74.223.8.179        tcp dpt:80 to:192.168.1.58:80


Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.1.0/24       0.0.0.0/0           to:24.123.23.170
SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1
SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1
SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1
SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1
SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1
SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1
SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1
SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1
SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1
SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1
SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1
SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
24.123.23.168   0.0.0.0         255.255.255.248 U     0      0        0 eth2
74.223.8.176    0.0.0.0         255.255.255.240 U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         24.123.23.169   0.0.0.0         UG    0      0        0 eth2
setup firewall with 3 nic cards
On Mon, May 10, 2010 at 06:10:02PM -0400, Jerry Geis wrote:
> I have a centos box with 3 nics. eth0 is internal, eth1 is T1 data and eth2 is cable data.
> Everything is working on eth2 cable. External NAT is working just fine for eth2.
> However external address 74.x.x.x on eth1 is not working.
>
> Below is my iptables information.
>
> I set up eth1 same as eth2, just a different IP address of course. What did I miss that
> eth1 and NAT is not working?
>
> Just looking for both public IP's incoming to NAT to the correct IP address. Only 1 is working at this time.
>
>
> Thanks,
>
> Jerry
>
> ---------------
>
> Chain INPUT (policy ACCEPT)
> target               prot opt source               destination
> RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> target               prot opt source               destination
> RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target               prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>
>
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  0.0.0.0/0            24.123.23.170       tcp dpt:22 to:192.168.1.209:22
> DNAT       tcp  --  0.0.0.0/0            24.123.23.170       tcp dpt:25 to:192.168.1.209:25
> DNAT       tcp  --  0.0.0.0/0            24.123.23.170       tcp dpt:80 to:192.168.1.209:80
> DNAT       tcp  --  0.0.0.0/0            74.223.8.179        tcp dpt:22 to:192.168.1.58:22
> DNAT       tcp  --  0.0.0.0/0            74.223.8.179        tcp dpt:25 to:192.168.1.58:25
> DNAT       tcp  --  0.0.0.0/0            74.223.8.179        tcp dpt:80 to:192.168.1.58:80
>
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> SNAT       all  --  192.168.1.0/24       0.0.0.0/0           to:24.123.23.170
> SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1
> SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1
> SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1
> SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1
> SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1
> SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1
> SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1
> SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1
> SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1
> SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1
> SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1
> SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1
>
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 24.123.23.168   0.0.0.0         255.255.255.248 U     0      0        0 eth2
> 74.223.8.176    0.0.0.0         255.255.255.240 U     0      0        0 eth1
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
> 0.0.0.0         24.123.23.169   0.0.0.0         UG    0      0        0 eth2

You need to make source routing on 74.223.8.176 and eth1. Please, read
this: http://linux-ip.net/html/adv-multi-internet.html

--
Dominik Zyla
setup firewall with 3 nic cards
>
> You need to make source routing on 74.223.8.176 and eth1. Please, read
> this: http://linux-ip.net/html/adv-multi-internet.html
>
> --
> Dominik Zyla

I read through the document. I don't see what I have done wrong still.

Do my routing rules not look correct from my previous post?

Sorry I am not catching on. Thanks for your assistance.

Jerry
setup firewall with 3 nic cards
On Tue, May 11, 2010 at 09:24:53AM -0400, Jerry Geis wrote:
> >
> > You need to make source routing on 74.223.8.176 and eth1. Please, read
> > this: http://linux-ip.net/html/adv-multi-internet.html
> >
> > --
> > Dominik Zyla
> I read through the document. I don't see what I have done wrong still.
>
> Do my routing rules not look correct from my previous post?
>
> Sorry I am not catching on. Thanks for your assistance.

Try to add iproute2 rules for eth1. You only pasted iptables rules.

--
Dominik Zyla
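The "source routing on 74.223.8.176 and eth1" and the "iproute2 rules for eth1" Dominik refers to, as an added example that is not from the thread: a separate routing table for the T1 link plus a rule that sends anything sourced from the eth1 public address through it, so replies to connections DNATed in on 74.223.8.179 leave via eth1 rather than following the main table's default route on eth2. The subnet and public address come from Jerry's posted routing table; the T1 gateway 74.223.8.177 and table number 100 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the CentOS thread: per-uplink policy routing for eth1.
# The subnet 74.223.8.176/28 and the public address 74.223.8.179 come from the
# posted routing table; T1_GW and T1_TABLE are ASSUMED placeholders.
set -eu

T1_NET="74.223.8.176/28"   # eth1 subnet (Genmask 255.255.255.240 in the post)
T1_IP="74.223.8.179"       # public address that is DNATed to 192.168.1.58
T1_GW="74.223.8.177"       # ASSUMED T1 gateway: replace with the real one
T1_TABLE="100"             # ASSUMED routing table id (any unused number)

# Print each command instead of running it when DRY_RUN is set, so the
# generated configuration can be reviewed before it touches a live box.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the T1 table (connected subnet + its own default) and the source
# rule that selects it. Traffic from 192.168.1.0/24 keeps using the main
# table, so the cable link stays the default for everything else.
setup_t1_table() {
    run ip route add "$T1_NET" dev eth1 src "$T1_IP" table "$T1_TABLE"
    run ip route add default via "$T1_GW" dev eth1 table "$T1_TABLE"
    # De-NATed replies from 192.168.1.58 carry $T1_IP as source by the time
    # they are routed, so this rule steers them into the T1 table.
    run ip rule add from "$T1_IP" table "$T1_TABLE" priority 1000
    run ip route flush cache
}

# Live check: exit status 0 if the source rule is installed, 1 if missing.
check_t1_rule() {
    ip rule show 2>/dev/null | grep -q "from $T1_IP lookup $T1_TABLE"
}

case "${1:-}" in
    apply)   setup_t1_table ;;
    dry-run) DRY_RUN=1; setup_t1_table ;;
    *)       printf 'usage: %s apply|dry-run\n' "$0" >&2 ;;
esac
```

Run with dry-run first and compare the printed commands against ip rule show and ip route show table 100 after applying; the rule needs to be re-added at boot, since it is not persisted by this script.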
setup firewall with 3 nic cards
Dominik Zyla wrote:
>>> --
>>> Dominik Zyla
>> I read through the document. I don't see what I have done wrong still.
>>
>> Do my routing rules not look correct from my previous post?
>>
>> Sorry I am not catching on. Thanks for your assistance.
>
> Try to add iproute2 rules for eth1. You only pasted iptables rules.
>

Hi

I saw this document yesterday and it may be helpful:
http://www.shorewall.net/three-interface.htm

You can install shorewall from the EPEL repo.

Regards
mg.