On Thu, 2004-02-05 at 17:25, Chithirai Selvan.R Alias Vimal thus
hollered from the roof:

> this is my setup. I have redhat 9.0
> kernel 2.4.20-8 smp i686 (firewall m/c)
> gateway redhat 9.0 (kernel 2.4.20-8)
> 
> I have a preconfigured DSL router, ip addr 192.168.1.1, and two Linux servers connected in a
> loop
> 
> 1. gateway server 
> 2. firewall server
> 
> the gateway m/c is connected with the DSL router; it has 2 NIC cards 
> 
> the first NIC card (eth1) ip 192.168.1.5 ------ connected to the DSL router, ip addr
> 192.168.1.1
> 
> the second NIC card (eth0) ip 192.168.2.1, which is connected with the firewall;
> again it also has 2 NIC cards 
>  
> eth0 - 192.168.2.1 - connected with eth0 of the gateway m/c as I said earlier
> 
> eth1 - 192.168.10.1 - this is connected with all my clients.
> 
> I can ping from the firewall server to both NIC cards of the gateway machine but not the
> DSL router .. I tried with a single m/c as intranet gateway, which is working fine 
> 
> commands I tried are 
> 
> iptables -F -t nat
> iptables -A POSTROUTING -t nat -o 192.168.1.5 -j MASQUERADE
> iptables -A FORWARD -i 192.168.10.1 -j ACCEPT
> 
> this setup is when I don't have the firewall. now I inserted the firewall m/c and the trouble
> started 

Since nobody replied to the query, it seems the big guns who understand
iptables are busy with Linux Asia, so I will try answering the question.
Again my oft-mentioned quip holds true: if I am wrong then the person
who corrects me is welcome to whack me on the head, albeit softly.

Firstly, would somebody please clarify this for me:
iptables -A POSTROUTING -t nat -o 192.168.1.5 -j MASQUERADE

The -o is supposed to be the out interface, and I used to think it took
something like eth?, but on trying out the above command just out of
curiosity it worked fine. So does this mean the interface can also be
specified using the IP???? Could not figure it out from the man page.
Somebody please help out here.

Secondly, to the query at hand.

To configure iptables, if you are not familiar with all the options, try
out Shorewall: http://www.shorewall.net . This is just a front end for
configuring iptables. 

I did not understand on which machine you tried the above iptables
commands. It should be the firewall, but then at the end you mention that
this setup is when "I don't have a firewall, now I insert firewall m/c",
so this comment threw me off. But still, from what little I understood
about your setup, and assuming both the firewall and gateway are
connected:

A small side note here: from what you have written above, both your
gateway (eth1) and firewall (eth0) have the same IP of
192.168.2.1!!!!!!!!! Is that just a typo or is it actually like that,
huh? Please assign unique IPs to them. Say, make the firewall (eth0)
192.168.2.1/24 and the gateway (eth1) 192.168.2.2/24.

Then try these entries in your iptables. I am assuming the netmask is
255.255.255.0 on all three networks, dot 1, dot 2 and dot 10. If not,
modify the commands accordingly.

On the firewall ----

iptables -t nat -F
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d 0.0.0.0/0 -j MASQUERADE

The above will masquerade anything coming from any machine on the dot 10
network (all clients) going anywhere. If you do not want to masquerade
everything, and only those destined for the dot 2 network
(firewall-gateway), then modify 0.0.0.0/0 accordingly to 192.168.2.0/24
or something similar; it depends on your requirements. Alternatively, if
you want, you can also modify the from (-s) to allow only incoming from
some particular IPs. Again, it is what you need. 

The above holds true for the nat table on the gateway also. Modify that
too accordingly. But if I am not mistaken you want to access the internet
through this setup on the client PCs, so I would suggest leaving it as
0.0.0.0/0.

On the gateway ----

iptables -t nat -F
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE

Now, since you had used the -o option, you can add that also to the above
commands: to my limited knowledge, "-o eth0" or "-o eth1" in the proper
places.

Lastly sorry all for the long mail.

-- 
Arindam Dey

The mind is not a vessel to be 
filled but a fire to be kindled.

GPG FPR: B8E3 219E F129 F970 F4A7  BC50 9636 504A BEDF 5739
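An added example (mine, not from the list or either poster) that models how the two POSTROUTING MASQUERADE rules suggested in the reply rewrite a client's source address hop by hop, and why the original "-o 192.168.1.5" rule never fires: iptables takes the -o argument literally as an interface name, so a rule naming an address is accepted but matches no interface. It assumes the reply's addressing (firewall eth0 192.168.2.1, gateway eth0 192.168.2.2, gateway eth1 192.168.1.5 to the DSL router) and a constructed client 192.168.10.50 talking to a constructed internet host 203.0.113.10.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One nat POSTROUTING rule; iptables -o takes an interface NAME, never an address."""
    src: str = "0.0.0.0/0"   # -s
    dst: str = "0.0.0.0/0"   # -d
    out_if: str = ""         # -o ("" = not given); target is always MASQUERADE here

@dataclass
class Box:
    ifaces: dict             # interface name -> its own address
    routes: list             # (network, interface) pairs, first match wins
    nat: list = field(default_factory=list)   # POSTROUTING chain, in order

    def egress(self, dst):
        """Pick the outgoing interface the way the routing table would."""
        for net, iface in self.routes:
            if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
                return iface
        raise ValueError(f"no route to {dst}")

    def forward(self, src, dst):
        """Return the (src, dst) a forwarded packet leaves with after POSTROUTING."""
        out = self.egress(dst)
        for r in self.nat:
            if (ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                    and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                    and (r.out_if == "" or r.out_if == out)):
                return self.ifaces[out], dst   # MASQUERADE: source becomes the egress address
        return src, dst                        # nothing matched: packet leaves un-NATed

# The two boxes, with the addresses the reply suggests (assumed, as in the mail).
FIREWALL = Box({"eth1": "192.168.10.1", "eth0": "192.168.2.1"},
               [("192.168.10.0/24", "eth1"), ("0.0.0.0/0", "eth0")],
               [Rule(src="192.168.10.0/24")])
GATEWAY = Box({"eth0": "192.168.2.2", "eth1": "192.168.1.5"},
              [("192.168.2.0/24", "eth0"), ("0.0.0.0/0", "eth1")],
              [Rule(src="192.168.2.0/24", out_if="eth1")])
# The original poster's rule: "-o 192.168.1.5" names no interface, so it never matches.
BROKEN_GATEWAY = Box(GATEWAY.ifaces, GATEWAY.routes, [Rule(out_if="192.168.1.5")])

def path(client, internet_host, gateway=GATEWAY):
    """Source address seen at each hop: client -> firewall -> gateway -> DSL router."""
    fw_src, dst = FIREWALL.forward(client, internet_host)
    gw_src, _ = gateway.forward(fw_src, dst)
    return [client, fw_src, gw_src]

if __name__ == "__main__":   # constructed client and internet addresses
    print(path("192.168.10.50", "203.0.113.10"), path("192.168.10.50", "203.0.113.10", BROKEN_GATEWAY))
```

With the suggested rules the packet reaches the DSL router from 192.168.1.5, an address it can route back to; with the broken rule it leaves the gateway still sourced from 192.168.2.1, which the router has no route for, so replies never come back.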


_______________________________________________
ilugd mailing list
[EMAIL PROTECTED]
http://frodo.hserus.net/mailman/listinfo/ilugd