I'm not going to claim to be a guru, but I'll tell you what I use that 
is working for me.  On my network, the equivalent server has two network 
interfaces, one for the internal network and one that connects to the 
Internet.  The internet interface is eth1.  The iptables command that I 
issued was:
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $PUBLIC

After that, you must have the appropriate forwarding and iptables enabled.  
# echo 1 > /proc/sys/net/ipv4/ip_forward

You also need to enable the firewall to pass packets through.  Those 
packets always traverse the FORWARD chain.  It appears that you already 
have the appropriate commands to allow machines on the internal network 
to send outbound traffic and to accept state related traffic to come 
back in to the internal network.

Stephen Gevers

Ashley M. Kirchner wrote:

>       This is what happens when you try to replace an aging server with 
>a new one.  I'm having to re-learn a bunch of stuff here.  One of them 
>being iptables.  The old system was set up using ipfwadm, something that 
>long ago got replaced by ipchains and now by iptables.  So I'm two 
>generations behind here.  Urgh.
>
>       Anyway, I can get iptables set up for the server itself (drop 
>everything, then filter whatever ports I want, blah blah blah).  What I'm 
>having trouble with is the NAT-ing.  I took someone else's script from the 
>web and tried to implement it, but no matter what I do, it just doesn't work.  
>This is what my current iptables file looks like:
>
>[ NOTES: $PUBLIC = public IP of the system     ]
>[        192.168.1.0/24 is the private network ]
>
># Generated by iptables-save v1.2.5 on Sat Jul  6 14:09:07 2002
>*nat
>:PREROUTING ACCEPT [81:9837]
>:POSTROUTING ACCEPT [9:704]
>:OUTPUT ACCEPT [9:704]
>-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d ! 192.168.1.0/255.255.255.0 -j SNAT --to-source $PUBLIC
>COMMIT
># Completed on Sat Jul  6 14:09:07 2002
># Generated by iptables-save v1.2.5 on Sat Jul  6 14:09:07 2002
>*filter
>:INPUT DROP [114:14559]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [10876:581488]
>-A INPUT -i lo -j ACCEPT 
>-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
>-A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset 
>-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT 
>-A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT 
>-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
>-A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT 
>-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT 
>-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT 
>-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT 
>-A FORWARD -d 192.168.1.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
>-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT 
>-A OUTPUT -o lo -j ACCEPT 
>COMMIT
># Completed on Sat Jul  6 14:09:07 2002
>
>
>       I'm sure I just forgot something somewhere, but I can't figure out 
>what it is.  I'd appreciate it if some guru can tell me where I went wrong 
>here.
>
>       Thanks.
>
>
>
>_______________________________________________
>Redhat-list mailing list
>[EMAIL PROTECTED]
>https://listman.redhat.com/mailman/listinfo/redhat-list
>  
>
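The three pieces Stephen's reply lists (SNAT on the Internet-facing interface, ip_forward turned on, FORWARD rules that pass traffic), as an added shell example that is not code from either post. It assumes eth0 is the LAN interface and eth1 the Internet interface as in the reply, 192.168.1.0/24 as in Ashley's notes, a placeholder public address, and a hypothetical nat_audit helper that checks a saved dump and the ip_forward setting without touching the live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: eth0 = internal LAN side,
# eth1 = Internet side (as in Stephen's reply), 192.168.1.0/24 = private net
# (from Ashley's notes), PUBLIC = placeholder address from the documentation range.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PUBLIC=${PUBLIC:-203.0.113.10}

# Print the commands rather than running them; review, then "nat_commands | sh" as root.
# The FORWARD policy is set to DROP so only the two explicit directions cross the box.
nat_commands() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Hypothetical checker: reports which of the three pieces is missing.
# $1 = ip_forward sysctl file (the live one by default), $2 = an iptables-save dump.
# Returns 0 only when forwarding is on, an SNAT rule exists and FORWARD has rules.
nat_audit() {
    fwd_file=${1:-/proc/sys/net/ipv4/ip_forward}
    dump=$2
    rc=0
    if [ "$(cat "$fwd_file" 2>/dev/null)" != "1" ]; then
        echo "MISSING: ip_forward is not 1, so the kernel will not route between interfaces"
        rc=1
    fi
    if ! grep -q -- '-j SNAT' "$dump"; then
        echo "MISSING: no SNAT rule in the nat POSTROUTING chain"
        rc=1
    fi
    if ! grep -q -- '^-A FORWARD' "$dump"; then
        echo "MISSING: no FORWARD rules, so nothing passes through the filter"
        rc=1
    fi
    return $rc
}
```

Run `nat_audit "" /tmp/rules.txt` against the output of `iptables-save > /tmp/rules.txt` to see which of the three pieces the box is actually missing before changing anything.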




