Hi Arindam,

I noticed your query only today.

I assume that you are trying to run Internet from a PC/LAN connected to
another multihomed PC connected to both your ISP and the local LAN.
Attached is a script file firewall.tar.zip which will solve your problem.

It contains two files: rc.firewall and init/firewall

You need to edit the rc.firewall file by looking for the EXTIP and INTIP
variables and changing their values to what you are having for your network.
And that's it. The file will provide you with a pretty secure firewall along with
a NAT-supported LAN.

The second step is to copy the file rc.firewall to /etc/rc.d/ and the
init/firewall to /etc/rc.d/init.d/

The last step is to enable the service firewall using the "chkconfig --add"
command.

Now you should start the firewall by using "service firewall start".

This firewall script will automatically start as a service when you boot
next time.

I hope this will solve your problems.

Enjoy:)

MKG

----- Original Message ----- 
From: "Arindam Dey" <[EMAIL PROTECTED]>
To: "The Linux-Delhi Mailing List" <[EMAIL PROTECTED]>
Sent: Tuesday, February 10, 2004 12:24 PM
Subject: Re: [SPAM] [ilugd] IP ROUTING - IP MASQUREDINg


> On Thu, 2004-02-05 at 17:25, Chithirai Selvan.R Alias Vimal thus
> hollered from the roof:
>
> > this is my setup. i have redhat 9.0
> > kernel 2.4.20-8 smp i686 (firewall m/c)
> > gateway redhat 9.0 (kernel 2.4.20-8)
> >
> > i have a preconfigured DSL router, ip addr 192.168.1.1, and two linux servers connected in a loop
> >
> > 1. gateway server
> > 2. firewall server
> >
> > the gateway m/c is connected to the DSL router; it has 2 NIC cards
> >
> > the first NIC card (eth1) ip 192.168.1.5 ------ connected to DSL router ip addr 192.168.1.1
> >
> > the second NIC card (eth0) ip 192.168.2.1 is connected to the firewall,
> > which again also has 2 nic cards
> >
> > eth0 - 192.168.2.1 - connected to eth0 of the gateway m/c as i said earlier
> >
> > eth1 - 192.168.10.1 - this is connected to all my clients.
> >
> > i can ping from the firewall server to both NIC cards of the gateway machine but not the
> > DSL router .. i tried with a single m/c as intranet gateway, which is working fine
> >
> > the commands i tried are
> >
> > iptables -F -t nat
> > iptables -A POSTROUTING -t nat -o 192.168.1.5 -j MASQUERADE
> > iptables -A FORWARD -i 192.168.10.1 -j ACCEPT
> >
> > this setup is when i don't have the firewall; now that i insert the firewall m/c the trouble started
>
> Since nobody replied to the query, it seems the big guns who understand
> iptables are busy with Linux Asia, so I will try answering the question.
> Again my oft mentioned quip holds true. If I am wrong then the person
> who corrects me is welcome to whack me on the head, albeit softly.
>
> Firstly would somebody please clarify this for me
> iptables -A POSTROUTING -t nat -o 192.168.1.5 -j MASQUERADE
>
> The -o is supposed to be the out interface and I used to think something
> like eth? but on trying out the above command just out of curiosity it
> worked fine so does this mean interface can also be specified using the
> ip???? Could not figure out from the man page. Somebody please help out
> here.
>
> Secondly to the query at hand
>
> To configure iptables if you are not familiar with all the options try
> out Shorewall. http://www.shorewall.net . This is just a front end for
> configuring iptables.
>
> I did not understand on which machine you tried the above iptables
> commands. Should be the firewall but then at the end you mention that
> this setup is when "I don't have a firewall now I insert firewall m/c"
> so this comment threw me off. But still from what little I understood
> about your setup and assuming both the firewall and gateway are
> connected.
>
> A small side note here from what you have written above both your
> gateway(eth1) and Firewall(eth0) have the same ip of
> 192.168.2.1!!!!!!!!! Is that just a typo or it is actually like that
> huh? Please assign unique ip's to them. Say make the firewall(eth0)
> 192.168.2.1/24 and the gateway (eth1) 192.168.2.2/24
>
> Then try these entries on your iptables. I am assuming the net mask is
> 255.255.255.0 on all the three networks dot 1, dot 2 and dot 10. If not,
> modify the commands accordingly.
>
> On the firewall ----
>
> iptables -t nat -F
> iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d 0.0.0.0/0 -j
> MASQUERADE
>
> The above will masquerade anything coming from any machine on the dot 10
> network (all clients) going anywhere. If you do not want to masquerade
> everything and only those destined for the dot 2 network
> (firewall-gateway) then modify 0.0.0.0/0 accordingly to 192.168.2.0/24
> or something similar depends on your requirements. Alternatively if you
> want you can also modify the from (-s) to allow only incoming from some
> particular ip's. Again it is what you need.
>
> The above holds true for the nat table on the gateway also. Modify that
> too accordingly. But if I am not mistaken you want to access the internet
> through this setup on the client PCs, so I would suggest leaving it as
> 0.0.0.0/0.
>
> On the gateway ----
>
> iptables -t nat -F
> iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 0.0.0.0/0 -j
> MASQUERADE
>
> Now since you had used the -o option you can add that also to the above
> commands. In my limited knowledge "-o eth0" or "-o eth1" in the proper
> places.
>
> Lastly sorry all for the long mail.
>
> -- 
> Arindam Dey
>
> The mind is not a vessel to be
> filled but a fire to be kindled.
>
> GPG FPR: B8E3 219E F129 F970 F4A7  BC50 9636 504A BEDF 5739
>
>
> _______________________________________________
> ilugd mailing list
> [EMAIL PROTECTED]
> http://frodo.hserus.net/mailman/listinfo/ilugd
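As an added example (not from any of the posters above), a small Python helper that builds the per-box rule sets the reply describes, with the upstream interface given by name, and a check for the question raised about `-o 192.168.1.5`: iptables takes that argument as an interface name, so the rule loads without error but no device carries that name and the rule never matches a packet. The interface assignments and the 192.168.2.2 gateway address are assumptions taken from the suggestions in the thread.

```python
import ipaddress

# Constructed topology for the two-hop setup in the thread: clients on the dot-10
# network sit behind the firewall box, which sits behind the gateway box, whose
# eth1 (192.168.1.5) faces the DSL router. Gateway eth0 is assumed to be 192.168.2.2.
HOSTS = {
    "firewall": {"in_if": "eth1", "in_net": "192.168.10.0/24", "out_if": "eth0"},
    "gateway":  {"in_if": "eth0", "in_net": "192.168.2.0/24",  "out_if": "eth1"},
}

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_rule(rule):
    """Return problems found in an iptables rule given as an argument list.
    -i and -o take interface names; iptables accepts any short string there,
    so '-o 192.168.1.5' loads fine but can never match a real device."""
    problems = []
    for flag in ("-i", "-o"):
        if flag in rule:
            value = rule[rule.index(flag) + 1]
            if is_ip_literal(value):
                problems.append(f"{flag} {value}: expected an interface name, got an address")
    return problems

def nat_rules(host):
    """Commands for one box: enable forwarding, masquerade the inside network
    out the upstream interface, and forward only inside-to-outside flows plus
    their replies. On the gateway the inside network is dot 2, because the
    firewall has already rewritten client traffic to its own 192.168.2.1."""
    h = HOSTS[host]
    return [
        ["sysctl", "-w", "net.ipv4.ip_forward=1"],
        ["iptables", "-t", "nat", "-F"],
        ["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", h["in_net"],
         "-o", h["out_if"], "-j", "MASQUERADE"],
        ["iptables", "-F", "FORWARD"],
        ["iptables", "-P", "FORWARD", "DROP"],
        ["iptables", "-A", "FORWARD", "-i", h["in_if"], "-o", h["out_if"],
         "-s", h["in_net"], "-j", "ACCEPT"],
        ["iptables", "-A", "FORWARD", "-i", h["out_if"], "-o", h["in_if"],
         "-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]
```

Joining each list with spaces gives the lines to run as root on the named box; run `check_rule` over any hand-written rule before loading it.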