
Jerry Geis 05-08-2010 01:12 PM

setup firewall with 3 nic cards
 
I am trying to setup some rules on a box with 3 nic cards. Two internet
connections and one office connection.

eth0 is office
eth1 is internet T1
eth2 is internet Cable

when I do "iptables -F" then iptables -L everything is gone as it should be.

Then I do
iptables -t nat -A PREROUTING -p tcp -d $MYIP --dport 6550 -j DNAT --to $INTERNAL_ADDRESS:6550
iptables -t nat -A POSTROUTING -d $INTERNAL_ADDRESS -j SNAT --to $GWIP

then I do iptables -L again and the rule is not there. Am I missing
something?
I have tried -I and -A both.

Thanks,

Jerry
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Benjamin Donnachie 05-08-2010 01:21 PM

setup firewall with 3 nic cards
 
On 8 May 2010 14:12, Jerry Geis <geisj@pagestation.com> wrote:
> then I do iptables -L again and the rule is not there. Am I missing
> something?

Try iptables -t nat -L, though you may want to use the -n option too.
From the iptables manpage[1]:

"-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all
chains are listed. As every other iptables command, it applies to the
specified table (filter is the default), so NAT rules get listed by
iptables -t nat -n -L

Please note that it is often used with the -n option, in order to
avoid long reverse DNS lookups. It is legal to specify the -Z (zero)
option as well, in which case the chain(s) will be atomically listed
and zeroed. The exact output is affected by the other arguments given.
The exact rules are suppressed until you use
iptables -L -v"

Ben

[1] http://linux.die.net/man/8/iptables

Jerry Geis 05-08-2010 06:46 PM

setup firewall with 3 nic cards
 
Thanks for the "-t nat" suggestion.

How does someone debug iptables?
Seems like the local eth0 is working, eth2 is working but connections
on eth1 don't seem to go anywhere.
How can I tell what is happening for eth1 and iptables?

Thanks,

Jerry

Robert Spangler 05-08-2010 09:45 PM

setup firewall with 3 nic cards
 
On Saturday 08 May 2010 14:46, Jerry Geis wrote:

> How does someone debug iptables?
> Seems like the local eth0 is working, eth2 is working but connections
> on eth1 don't seem to go anywhere.
> How can I tell what is happening for eth1 and iptables?

Maybe it's your routing? Post both the firewall rules and your routing table.


--

Regards
Robert

Linux User #296285
http://counter.li.org

Dominik Zyla 05-10-2010 04:25 PM

setup firewall with 3 nic cards
 
On Sat, May 08, 2010 at 02:46:17PM -0400, Jerry Geis wrote:
> Thanks for the "-t nat" suggestion.
>
> How does someone debug iptables?
> Seems like the local eth0 is working, eth2 is working but connections
> on eth1 don't seem to go anywhere.
> How can I tell what is happening for eth1 and iptables?

Use iproute2 with fwmark rules. Then mix it with iptables `-j MARK' or
use `-j ROUTE' instead of fwmark and `-j MARK'.

--
Dominik Zyla


Jerry Geis 05-10-2010 10:10 PM

setup firewall with 3 nic cards
 
I have a centos box with 3 nics. eth0 is internal, eth1 is T1 data and eth2 is cable data.
Everything is working on eth2 cable. External NAT is working just fine for eth2.
However external address 74.x.x.x on eth1 is not working.

Below is my iptables information.

I setup eth1 same as eth2 just a different IP address of course. What did I miss that
eth1 and NAT is not working?

Just looking for both public IP's incoming to NAT to the correct IP address. Only 1 is working at this time.


Thanks,

Jerry

---------------

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited


Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:22 to:192.168.1.209:22
DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:25 to:192.168.1.209:25
DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:80 to:192.168.1.209:80
DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:22 to:192.168.1.58:22
DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:25 to:192.168.1.58:25
DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:80 to:192.168.1.58:80


Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.1.0/24 0.0.0.0/0 to:24.123.23.170
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1


Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
24.123.23.168 0.0.0.0 255.255.255.248 U 0 0 0 eth2
74.223.8.176 0.0.0.0 255.255.255.240 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
0.0.0.0 24.123.23.169 0.0.0.0 UG 0 0 0 eth2


Dominik Zyla 05-10-2010 10:27 PM

setup firewall with 3 nic cards
 
On Mon, May 10, 2010 at 06:10:02PM -0400, Jerry Geis wrote:
> I have a centos box with 3 nics. eth0 is internal, eth1 is T1 data and eth2 is cable data.
> Everything is working on eth2 cable. External NAT is working just fine for eth2.
> However external address 74.x.x.x on eth1 is not working.
>
> Below is my iptables information.
>
> I setup eth1 same as eth2 just a different IP address of course. What did I miss that
> eth1 and NAT is not working?
>
> Just looking for both public IP's incoming to NAT to the correct IP address. Only 1 is working at this time.
>
>
> Thanks,
>
> Jerry
>
> ---------------
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
> ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
>
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:22 to:192.168.1.209:22
> DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:25 to:192.168.1.209:25
> DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:80 to:192.168.1.209:80
> DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:22 to:192.168.1.58:22
> DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:25 to:192.168.1.58:25
> DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:80 to:192.168.1.58:80
>
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> SNAT all -- 192.168.1.0/24 0.0.0.0/0 to:24.123.23.170
> SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
> SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
> SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
> SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
> SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
> SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
> SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
> SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
> SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
> SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
> SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
> SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
>
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 24.123.23.168 0.0.0.0 255.255.255.248 U 0 0 0 eth2
> 74.223.8.176 0.0.0.0 255.255.255.240 U 0 0 0 eth1
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
> 0.0.0.0 24.123.23.169 0.0.0.0 UG 0 0 0 eth2

You need to make source routing on 74.223.8.176 and eth1. Please, read
this: http://linux-ip.net/html/adv-multi-internet.html

--
Dominik Zyla

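A small model of the routing decision Dominik is pointing at, added here as an illustration and not taken from the thread: the kernel walks the `ip rule` entries in priority order and does a longest-prefix match in the selected table, so with only the main table a reply sourced from the eth1 address still follows the default route out eth2. The second table "T1" and its gateway address are assumptions; the thread never gives the T1 gateway, so the value below is a placeholder.

```python
import ipaddress

# Constructed from the 'route -n' output Jerry posted: (network, gateway, interface).
MAIN = [
    ("24.123.23.168/29", None, "eth2"),
    ("74.223.8.176/28", None, "eth1"),
    ("192.168.1.0/24", None, "eth0"),
    ("169.254.0.0/16", None, "eth2"),
    ("0.0.0.0/0", "24.123.23.169", "eth2"),
]
# Assumed second table "T1" (ip route add ... table T1). The T1 gateway is not
# given anywhere in the thread; this value is a placeholder, not a real address.
T1_GATEWAY = "74.223.8.177"  # PLACEHOLDER
T1 = [
    ("192.168.1.0/24", None, "eth0"),   # LAN must be reachable from this table too
    ("74.223.8.176/28", None, "eth1"),
    ("0.0.0.0/0", T1_GATEWAY, "eth1"),  # ip route add default via <gw> dev eth1 table T1
]

def lookup(table, dst):
    """Longest-prefix match within one table, as the kernel does."""
    best = None
    for net, gw, dev in table:
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, dev)
    return None if best is None else (best[1], best[2])

def route(src, dst, rules):
    """Walk the policy rules (ip rule) in priority order; the first table that
    holds a matching route decides the next hop, like the kernel's RPDB."""
    for selector, table in rules:
        if selector is None or ipaddress.ip_address(src) in ipaddress.ip_network(selector):
            hit = lookup(table, dst)
            if hit is not None:
                return hit
    raise LookupError("no route to host")

# Jerry's box: only the main table, so every default-routed packet leaves via eth2.
DEFAULT_RULES = [(None, MAIN)]
# Dominik's fix: 'ip rule add from 74.223.8.176/28 table T1' checked before main.
SOURCE_RULES = [("74.223.8.176/28", T1), (None, MAIN)]

def reply_path(rules, client="203.0.113.5"):
    """Next hop for a reply that leaves the firewall with the eth1 public IP as
    source, i.e. the un-DNATed reply to a connection that arrived on eth1."""
    return route("74.223.8.179", client, rules)
if __name__ == "__main__":
    print(reply_path(DEFAULT_RULES))  # ('24.123.23.169', 'eth2'): reply goes out the cable link
    print(reply_path(SOURCE_RULES))   # ('74.223.8.177', 'eth1')
```

The T1 table carries the LAN route as well, otherwise a source-matched packet bound for 192.168.1.58 would be sent out eth1 instead of eth0.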

Jerry Geis 05-11-2010 01:24 PM

setup firewall with 3 nic cards
 
>
> You need to make source routing on 74.223.8.176 and eth1. Please, read
> this: http://linux-ip.net/html/adv-multi-internet.html
>
> --
> Dominik Zyla
I read through the document. I don't see what I have done wrong still.

Do my routing rules not look correct from my previous post?

Sorry I am not catching on. Thanks for your assistance.

Jerry

Dominik Zyla 05-11-2010 05:12 PM

setup firewall with 3 nic cards
 
On Tue, May 11, 2010 at 09:24:53AM -0400, Jerry Geis wrote:
> >
> > You need to make source routing on 74.223.8.176 and eth1. Please, read
> > this: http://linux-ip.net/html/adv-multi-internet.html
> >
> > --
> > Dominik Zyla
> I read through the document. I don't see what I have done wrong still.
>
> Do my routing rules not look correct from my previous post?
>
> Sorry I am not catching on. Thanks for your assistance.

Try to add iproute2 rules for eth1. You only pasted iptables rules.

--
Dominik Zyla


"Marcelo M. Garcia" 05-12-2010 09:00 AM

setup firewall with 3 nic cards
 
Dominik Zyla wrote:
>>> --
>>> Dominik Zyla
>> I read through the document. I don't see what I have done wrong still.
>>
>> Do my routing rules not look correct from my previous post?
>>
>> Sorry I am not catching on. Thanks for your assistance.
>
> Try to add iproute2 rules for eth1. You only paste iptables rules.
>
Hi

I saw this document yesterday and it may be helpful:
http://www.shorewall.net/three-interface.htm

You can install shorewall from EPEL repo.

Regards

mg.

