Re: set up NAT (network address translation) on local server

2008-11-24 Thread Bill Davidsen

Tim wrote:

On Fri, 2008-11-21 at 10:17 -0800, Rick Stevens wrote:

In /etc/sysconfig/iptables-config, if you change the following lines
to these:

IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"

(by default they're set to "no"), you will cause the system to run

iptables-save >/etc/sysconfig/iptables

when "service iptables stop|restart" is run ("restart" is really a
"stop" followed by a "start").  This will save any changes made to the
running rules by the iptables command before iptables is actually
stopped.


I'm curious why the rules aren't saved when you set them.  Surely that's
the time to commit them to file?  Not when starting/stopping/restarting
the iptables service.


No, the time to save them is after you test your changes and they work.

--
Bill Davidsen <[EMAIL PROTECTED]>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: set up NAT (network address translation) on local server

2008-11-24 Thread Tim
On Fri, 2008-11-21 at 10:17 -0800, Rick Stevens wrote:
> In /etc/sysconfig/iptables-config, if you change the following lines
> to these:
> 
> IPTABLES_SAVE_ON_STOP="yes"
> IPTABLES_SAVE_ON_RESTART="yes"
> 
> (by default they're set to "no"), you will cause the system to run
> 
> iptables-save >/etc/sysconfig/iptables
> 
> when "service iptables stop|restart" is run ("restart" is really a
> "stop" followed by a "start").  This will save any changes made to the
> running rules by the iptables command before iptables is actually
> stopped.

I'm curious why the rules aren't saved when you set them.  Surely that's
the time to commit them to file?  Not when starting/stopping/restarting
the iptables service.

-- 
[EMAIL PROTECTED] ~]$ uname -r
2.6.27.5-41.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.



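Rick's quoted explanation and Bill's reply distinguish three things that are easy to conflate: the rules the kernel is running, the file the service reloads from, and the save step that copies one to the other. The toy model below is an added example, not code from this thread or from the Fedora iptables init script; it encodes only what the quoted text states (`iptables -A` changes the kernel, `iptables-save` prints to stdout, stop/restart reload the file, and the two `IPTABLES_SAVE_ON_*` settings make stop/restart write the file first). The rule strings are constructed stand-ins for the rules posted in the thread.

```python
"""Toy model of the running rule set versus /etc/sysconfig/iptables.
Added example; not code from the thread or the Fedora init script."""


class IptablesHost:
    def __init__(self, file_rules, save_on_stop=False, save_on_restart=False):
        self.file_rules = list(file_rules)      # /etc/sysconfig/iptables
        self.running = list(file_rules)         # what the kernel holds after boot
        self.save_on_stop = save_on_stop        # IPTABLES_SAVE_ON_STOP="yes"
        self.save_on_restart = save_on_restart  # IPTABLES_SAVE_ON_RESTART="yes"

    def iptables_append(self, rule):
        """'iptables -A ...' changes the kernel's rules and nothing else."""
        self.running.append(rule)

    def iptables_save(self, redirect_to_file=False):
        """'iptables-save' prints the running rules to stdout; only the shell
        redirection '> /etc/sysconfig/iptables' makes them persistent."""
        output = list(self.running)
        if redirect_to_file:
            self.file_rules = output
        return output

    def service_stop(self):
        if self.save_on_stop:
            self.file_rules = list(self.running)
        self.running = []                       # flush; chains set to policy ACCEPT

    def service_start(self):
        self.running = list(self.file_rules)    # iptables-restore < the file

    def service_restart(self):
        """The init script saves (if enabled), then stops, then starts."""
        if self.save_on_restart:
            self.file_rules = list(self.running)
        self.service_stop()
        self.service_start()


# Constructed stand-ins for the rules in the thread.
ORIGINAL = ["-A INPUT -j RH-Firewall-1-INPUT"]
NAT_RULES = [
    "-A FORWARD -i eth1 -o eth0 -j ACCEPT",
    "-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210",
]


def replay(save_on_restart=False, redirect_save=False):
    """Repeat the sequence from the thread (add rules, run iptables-save,
    restart the service) and return the rules the kernel holds afterwards."""
    host = IptablesHost(ORIGINAL, save_on_restart=save_on_restart)
    for rule in NAT_RULES:
        host.iptables_append(rule)
    host.iptables_save(redirect_to_file=redirect_save)
    host.service_restart()
    return host.running


if __name__ == "__main__":
    print("defaults:            ", replay())
    print("save-on-restart=yes: ", replay(save_on_restart=True))
    print("iptables-save > file:", replay(redirect_save=True))
```

With the default settings `replay()` returns only the original rules: the three added rules were never written to the file, so the restart's reload discards them, which is what the thread's transcripts show. Both `IPTABLES_SAVE_ON_RESTART="yes"` and an explicit `iptables-save > /etc/sysconfig/iptables` keep them; the difference is Bill's point above. The setting persists whatever happens to be loaded at restart time, a half-finished or mistaken rule set included, whereas the explicit redirect is run once, after the rules have been tested.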


Re: set up NAT (network address translation) on local server

2008-11-21 Thread Rick Stevens

Robin Laing wrote:

Antonio Olivares wrote:

--- On Thu, 11/20/08, Christopher K. Johnson <[EMAIL PROTECTED]> wrote:


From: Christopher K. Johnson <[EMAIL PROTECTED]>
Subject: Re: set up NAT (network address translation) on local server
To: "Community assistance, encouragement, and advice for using Fedora." 

Date: Thursday, November 20, 2008, 10:27 AM
It appears from your email that there was an editing error
at the COMMIT or line after.
Perhaps instead of a line-end on those lines it has spaces
and wrapped them into one long line?
Could happen from copy and paste depending on
circumstances.
Check that each rule is on its own line.



I reset the iptables back to the original condition and added them, 
but still no joy :(



[EMAIL PROTECTED] ~]# gedit /etc/sysconfig/iptables &
[1] 8516
[EMAIL PROTECTED] ~]# service iptables stop

iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
[EMAIL PROTECTED] ~]# service iptables restart
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
iptables: Applying firewall rules: Bad argument `iptables'
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
   [FAILED]
[EMAIL PROTECTED] ~]# service iptables stop

iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: nat filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
[EMAIL PROTECTED] ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
[1]+  Done                    gedit /etc/sysconfig/iptables
[EMAIL PROTECTED] ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[EMAIL PROTECTED] ~]# iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
[EMAIL PROTECTED] ~]# iptables-save
# Generated by iptables-save v1.4.1.1 on Thu Nov 20 13:14:50 2008
*nat
:PREROUTING ACCEPT [5:692]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
COMMIT
# Completed on Thu Nov 20 13:14:50 2008
# Generated by iptables-save v1.4.1.1 on Thu Nov 20 13:14:50 2008
*filter
:INPUT ACCEPT [2483:1813687]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2598:1049836]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Nov 20 13:14:50 2008
[EMAIL PROTECTED] ~]# service iptables restart

iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: nat filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
iptables: Applying firewall rules: [  OK  ]
iptables: Loading additional modules: ip_conntrack_netbios_[  OK  ]
[EMAIL PROTECTED] ~]# service dhcpd start
Starting dhcpd:[  OK  ]

[EMAIL PROTECTED] ~]#

The iptables rules go back to the original state.  An error in iptables-save? A bug?
[EMAIL PROTECTED] ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1

Re: set up NAT (network address translation) on local server

2008-11-21 Thread Robin Laing

Antonio Olivares wrote:

--- On Thu, 11/20/08, Christopher K. Johnson <[EMAIL PROTECTED]> wrote:


From: Christopher K. Johnson <[EMAIL PROTECTED]>
Subject: Re: set up NAT (network address translation) on local server
To: "Community assistance, encouragement, and advice for using Fedora." 

Date: Thursday, November 20, 2008, 10:27 AM
It appears from your email that there was an editing error
at the COMMIT or line after.
Perhaps instead of a line-end on those lines it has spaces
and wrapped them into one long line?
Could happen from copy and paste depending on
circumstances.
Check that each rule is on its own line.



I reset the iptables back to the original condition and added them, but still 
no joy :(


[EMAIL PROTECTED] ~]# gedit /etc/sysconfig/iptables &
[1] 8516   
[EMAIL PROTECTED] ~]# service iptables stop

iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
[EMAIL PROTECTED] ~]# service iptables restart
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
iptables: Applying firewall rules: Bad argument `iptables' 
Error occurred at line: 2  
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
   [FAILED] 
[EMAIL PROTECTED] ~]# service iptables stop

iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: nat filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
[EMAIL PROTECTED] ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
[1]+  Done                    gedit /etc/sysconfig/iptables
[EMAIL PROTECTED] ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT  
[EMAIL PROTECTED] ~]# iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210  
[EMAIL PROTECTED] ~]# iptables-save

# Generated by iptables-save v1.4.1.1 on Thu Nov 20 13:14:50 2008
*nat 
:PREROUTING ACCEPT [5:692]   
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] 
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210 
COMMIT 
# Completed on Thu Nov 20 13:14:50 2008
# Generated by iptables-save v1.4.1.1 on Thu Nov 20 13:14:50 2008  
*filter
:INPUT ACCEPT [2483:1813687]   
:FORWARD ACCEPT [0:0]  
:OUTPUT ACCEPT [2598:1049836]  
-A FORWARD -i eth1 -o eth0 -j ACCEPT   
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT  
COMMIT 
# Completed on Thu Nov 20 13:14:50 2008
[EMAIL PROTECTED] ~]# service iptables restart

iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: nat filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
iptables: Applying firewall rules: [  OK  ]
iptables: Loading additional modules: ip_conntrack_netbios_[  OK  ]
[EMAIL PROTECTED] ~]# service dhcpd start
Starting dhcpd:[  OK  ]

[EMAIL PROTECTED] ~]#

The iptables rules go back to the original state.  An error in iptables-save? A bug?


[EMAIL PROTECTED] ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABL

Re: set up NAT (network address translation) on local server

2008-11-20 Thread Marko Vojinovic
On Thursday 20 November 2008 13:52, Christopher K. Johnson wrote:
> Does /etc/sysconfig/iptables actually contain the lines
>
> *nat
>
> :PREROUTING ACCEPT [1:233]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
>
> -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
> COMMIT
>
> It seems unlikely that it was written correctly since the restart did
> not implement your SNAT rule, and this file is what a restart reads.
> Perhaps there is  a bug in iptables-save?  I edit
> /etc/sysconfig/iptables directly, and recommend that if you are not
> using some firewall front-end or tool to do this, that you do the same.

:-)

I am not that much of a pro at iptables as at dhcp --- in fact, I gave up on 
learning iptables syntax a long time ago and rely on GUIs for configuration 
--- but wouldn't it be much, much easier for the OP to set up NAT using, say, 
firestarter?

First "yum install firestarter". Then run it and answer the questions that the 
wizard asks. Activate the NAT options, do not touch the dhcp options (this is 
already configured). The eth1 device is the local network, while eth0 is the 
uplink to the outside. I don't have two network cards here now so I cannot repeat 
the exact steps, but it should be trivial in a sense.

HTH, :-)
Marko







Re: set up NAT (network address translation) on local server

2008-11-20 Thread Christopher K. Johnson

Tim wrote:

On Thu, 2008-11-20 at 07:46 -0800, Antonio Olivares wrote:
  
[EMAIL PROTECTED] ~]# cat /etc/sysconfig/iptables 
*nat
:PREROUTING ACCEPT [1:233]  
:POSTROUTING ACCEPT [0:0]   
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210  
COMMIT  
-A FORWARD -i eth1 -o eth0 -j ACCEPT  -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# manually added the changes 2008/11/20 
# Firewall configuration written by system-config-securitylevel 
# Manual customization of this file is not recommended.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT



Shouldn't there be ONLY one "COMMIT" command at the end of the file?
You've got two.

  
No, there should be one COMMIT for each table, and he has *nat and 
*filter tables.


--
  "A society grows great when old men plant trees whose shade they know
  they shall never sit in" - Greek Proverb



Re: set up NAT (network address translation) on local server

2008-11-20 Thread Tim
On Thu, 2008-11-20 at 07:46 -0800, Antonio Olivares wrote:
> [EMAIL PROTECTED] ~]# cat /etc/sysconfig/iptables 
> *nat
> :PREROUTING ACCEPT [1:233]  
> :POSTROUTING ACCEPT [0:0]   
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210  
> COMMIT  
> -A FORWARD -i eth1 -o eth0 -j ACCEPT  -A FORWARD -i eth0 -o eth1 -m state 
> --state RELATED,ESTABLISHED -j ACCEPT
> # manually added the changes 2008/11/20   
>   
> # Firewall configuration written by system-config-securitylevel   
>   
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT

Shouldn't there be ONLY one "COMMIT" command at the end of the file?
You've got two.



Re: set up NAT (network address translation) on local server

2008-11-20 Thread Christopher K. Johnson
If you send me off-list the iptables file you want as an attachment, I 
will send you back notes and a corrected file.


Clearly there is some simple mis-communication or editing going on 
because this is a basic iptables configuration.


Chris



Re: set up NAT (network address translation) on local server

2008-11-20 Thread Antonio Olivares
--- On Thu, 11/20/08, Christopher K. Johnson <[EMAIL PROTECTED]> wrote:

> From: Christopher K. Johnson <[EMAIL PROTECTED]>
> Subject: Re: set up NAT (network address translation) on local server
> To: "Community assistance, encouragement, and advice for using Fedora." 
> 
> Date: Thursday, November 20, 2008, 10:27 AM
> It appears from your email that there was an editing error
> at the COMMIT or line after.
> Perhaps instead of a line-end on those lines it has spaces
> and wrapped them into one long line?
> Could happen from copy and paste depending on
> circumstances.
> Check that each rule is on its own line.
> 

I reset the iptables back to the original condition and added them, but still 
no joy :(


[EMAIL PROTECTED] ~]# gedit /etc/sysconfig/iptables &
[1] 8516   
[EMAIL PROTECTED] ~]# service iptables stop
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
[EMAIL PROTECTED] ~]# service iptables restart
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
iptables: Applying firewall rules: Bad argument `iptables' 
Error occurred at line: 2  
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
   [FAILED] 
[EMAIL PROTECTED] ~]# service iptables stop
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: nat filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
[EMAIL PROTECTED] ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
[1]+  Done                    gedit /etc/sysconfig/iptables
[EMAIL PROTECTED] ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state 
ESTABLISHED,RELATED -j ACCEPT   
   
[EMAIL PROTECTED] ~]# iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 
-j SNAT --to-source 10.154.19.210  
[EMAIL PROTECTED] ~]# iptables-save
# Generated by iptables-save v1.4.1.1 on Thu Nov 20 13:14:50 2008
*nat 
:PREROUTING ACCEPT [5:692]   
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] 
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210 
COMMIT 
# Completed on Thu Nov 20 13:14:50 2008
# Generated by iptables-save v1.4.1.1 on Thu Nov 20 13:14:50 2008  
*filter
:INPUT ACCEPT [2483:1813687]   
:FORWARD ACCEPT [0:0]  
:OUTPUT ACCEPT [2598:1049836]  
-A FORWARD -i eth1 -o eth0 -j ACCEPT   
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT  
COMMIT 
# Completed on Thu Nov 20 13:14:50 2008
[EMAIL PROTECTED] ~]# service iptables restart
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: nat filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
iptables: Applying firewall rules: [  OK  ]
iptables: Loading additional modules: ip_conntrack_netbios_[  OK  ]
[EMAIL PROTECTED] ~]# service dhcpd start
Starting dhcpd:[  OK  ]
[EMAIL PROTECTED] ~]#

The iptables rules go back to the original state.  An error in iptables-save? A bug?

[EMAIL PROTECTED] ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Fire

Re: set up NAT (network address translation) on local server

2008-11-20 Thread Christopher K. Johnson
It appears from your email that there was an editing error at the COMMIT 
or line after.
Perhaps instead of a line-end on those lines it has spaces and wrapped 
them into one long line?

Could happen from copy and paste depending on circumstances.
Check that each rule is on its own line.

Antonio Olivares wrote:

How can I fix this?
I manually edited the file and stopped the service, and now I get:

[EMAIL PROTECTED] ~]# gedit /etc/sysconfig/iptables &
[1] 7697   
[EMAIL PROTECTED] ~]# service iptables stop

iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: nat filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
[1]+  Done                    gedit /etc/sysconfig/iptables
[EMAIL PROTECTED] ~]# service iptables restart

iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
iptables: Applying firewall rules: Bad argument `COMMIT'   
Error occurred at line: 6  
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
   [FAILED] 
[EMAIL PROTECTED] ~]# cat /etc/sysconfig/iptables 
*nat
:PREROUTING ACCEPT [1:233]  
:POSTROUTING ACCEPT [0:0]   
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210  
COMMIT  
-A FORWARD -i eth1 -o eth0 -j ACCEPT   -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# manually added the changes 2008/11/20 
# Firewall configuration written by system-config-securitylevel 
# Manual customization of this file is not recommended.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[EMAIL PROTECTED] ~]#

Thanks,

Antonio
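Chris's diagnosis above (a line-end lost at the COMMIT, so that the two FORWARD rules ran onto it) and his earlier point that every table needs its own COMMIT are both checks that can be run on the file before `service iptables restart` flushes the running rules. The checker below is an added example, not code from this thread or from the iptables project: it applies the line grammar iptables-restore reads (`*table`, `:CHAIN POLICY [pkts:bytes]`, `-A` rules, `COMMIT`, `#` comments) and the built-in chain names of each table, which are assumptions stated in the code. The sample `BROKEN` is a constructed reconstruction of Antonio's file with the rules glued onto the COMMIT line, which the checker reports at line 6, the line iptables-restore complained about in the thread; `FIXED` is the layout Chris recommended, with the FORWARD rules in `*filter` and the catch-all REJECT last.

```python
"""Structural check of an /etc/sysconfig/iptables (iptables-save format) file.
Added example; not code from the thread or the iptables package."""
import re

# Built-in chains per table (assumption from iptables documentation); a rule
# for any other chain needs a ':' line in the same table.
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
}
TABLE_RE = re.compile(r"^\*(\w+)$")
CHAIN_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)(?:\s+\[\d+:\d+\])?$")
RULE_RE = re.compile(r"^-[AID]\s+(\S+)")


def check_restore_file(text):
    """Return [(line_number, message), ...]; empty means the file has the
    layout iptables-restore expects."""
    problems = []
    table = None    # table currently open; None between a COMMIT and the next '*'
    chains = set()  # chains a rule in the open table may reference
    last = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        last, line = lineno, raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_RE.match(line)
        if m:
            if table is not None:
                problems.append((lineno, "'*%s' opened before '*%s' was closed with COMMIT" % (m.group(1), table)))
            table = m.group(1)
            chains = set(BUILTIN_CHAINS.get(table, ()))
            continue
        if line == "COMMIT":
            if table is None:
                problems.append((lineno, "COMMIT with no open table"))
            table = None
            continue
        if line.startswith("COMMIT"):
            # Rules glued onto the COMMIT line: iptables-restore reads the whole
            # line as one rule and stops with Bad argument `COMMIT'.
            problems.append((lineno, "text follows COMMIT on the same line (missing newline)"))
            table = None
            continue
        if table is None:
            problems.append((lineno, "outside any table: must sit between a '*table' line and its COMMIT"))
            continue
        if line.startswith(":"):
            m = CHAIN_RE.match(line)
            if m:
                chains.add(m.group(1))
            else:
                problems.append((lineno, "malformed chain line"))
            continue
        m = RULE_RE.match(line)
        if not m:
            # e.g. a pasted shell command 'iptables -A ...': Bad argument `iptables'
            problems.append((lineno, "not a rule: expected -A/-I/-D, got %r" % line.split()[0]))
            continue
        if m.group(1) not in chains:
            problems.append((lineno, "chain %s does not exist in table '*%s'" % (m.group(1), table)))
        if re.search(r"\s-[AI]\s", line[2:]):
            problems.append((lineno, "two rules joined on one line (missing newline)"))
    if table is not None:
        problems.append((last, "table '*%s' is never closed with COMMIT" % table))
    return problems


# Constructed from the file posted in the thread, with the lost line-end.
BROKEN = """\
*nat
:PREROUTING ACCEPT [1:233]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
COMMIT  -A FORWARD -i eth1 -o eth0 -j ACCEPT  -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# manually added the changes 2008/11/20
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The layout recommended in the thread: nat first, one COMMIT per table,
# FORWARD accepts before the catch-all REJECT.
FIXED = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
```

`check_restore_file(FIXED)` returns an empty list; `check_restore_file(BROKEN)` returns one entry for line 6. The same function flags the other failure modes from the thread: a rule placed after a COMMIT and before the next `*table` line, a `-A FORWARD` rule inside `*nat` (where no FORWARD chain exists), and a line that starts with the word `iptables` because a shell command was pasted instead of a rule. On current iptables the authoritative check is `iptables-restore --test < /etc/sysconfig/iptables`, which parses the file without loading it; the script above is useful where that option is missing, or to get a message more specific than "Bad argument".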


Re: set up NAT (network address translation) on local server

2008-11-20 Thread Antonio Olivares
--- On Thu, 11/20/08, Christopher K. Johnson <[EMAIL PROTECTED]> wrote:

> From: Christopher K. Johnson <[EMAIL PROTECTED]>
> Subject: Re: set up NAT (network address translation) on local server
> To: [EMAIL PROTECTED], "Community assistance, encouragement, and advice for 
> using Fedora." 
> Date: Thursday, November 20, 2008, 7:28 AM
> I would add the *nat through COMMIT before the existing
> *filter line.
> 
> I don't believe it matters as long as you do not mix
> them together.  But usually the *nat is much briefer than
> *filter, thus a good convention to put it first to find
> easily later.
> 
> Antonio Olivares wrote:
> > It seems that it does not contain those lines :(
> > 
> >   I will need to edit the file manually and save it. 
> Then try it again.
> > 
> > Regards,
> > 
> > Antonio   
> 
> 
> --   "A society grows great when old men plant trees
> whose shade they know
>   they shall never sit in" - Greek Proverb

How can I fix this?
I manually edited the file and stopped the service, and now I get:

[EMAIL PROTECTED] ~]# gedit /etc/sysconfig/iptables &
[1] 7697   
[EMAIL PROTECTED] ~]# service iptables stop
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: nat filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
[1]+  Done                    gedit /etc/sysconfig/iptables
[EMAIL PROTECTED] ~]# service iptables restart
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
iptables: Applying firewall rules: Bad argument `COMMIT'   
Error occurred at line: 6  
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
   [FAILED] 
[EMAIL PROTECTED] ~]# cat /etc/sysconfig/iptables 
*nat
:PREROUTING ACCEPT [1:233]  
:POSTROUTING ACCEPT [0:0]   
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210  
COMMIT  
-A FORWARD -i eth1 -o eth0 -j ACCEPT   -A 
FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT  
  
# manually added the changes 2008/11/20 
# Firewall configuration written by system-config-securitylevel 
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[EMAIL PROTECTED] ~]#

Thanks,

Antonio


Re: set up NAT (network address translation) on local server

2008-11-20 Thread Christopher K. Johnson

I would add the *nat through COMMIT before the existing *filter line.

I don't believe it matters as long as you do not mix them together.  But 
usually the *nat is much briefer than *filter, so it is a good convention to 
put it first, where it is easy to find later.


Antonio Olivares wrote:

It seems that it does not contain those lines :(

  
I will need to edit the file manually and save it.  Then try it again.


Regards,

Antonio 
  





Re: set up NAT (network address translation) on local server

2008-11-20 Thread Antonio Olivares
--- On Thu, 11/20/08, Christopher K. Johnson <[EMAIL PROTECTED]> wrote:

> From: Christopher K. Johnson <[EMAIL PROTECTED]>
> Subject: Re: set up NAT (network address translation) on local server
> To: "Community assistance, encouragement, and advice for using Fedora." 
> 
> Date: Thursday, November 20, 2008, 5:52 AM
> Does /etc/sysconfig/iptables actually contain the lines
> 
> *nat
> :PREROUTING ACCEPT [1:233]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
> COMMIT
>
It seems that it does not contain those lines :(

[EMAIL PROTECTED] ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


where should I add those lines on top or below?
   
> It seems unlikely that it was written correctly since the
> restart did not implement your SNAT rule, and this file is
> what a restart reads. Perhaps there is  a bug in
> iptables-save?  I edit /etc/sysconfig/iptables directly, and
> recommend that if you are not using some firewall front-end
> or tool to do this, that you do the same.
> 
> There is another problem in the rules you listed.  It would
> not prevent the SNAT rule from being implemented, so this is
> an unrelated problem.  But it would prevent the forwarding
> you wanted:
> 
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -i eth1 -o eth0 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> Note that the REJECT is above your ACCEPT rules.  You need
> to move it below them because the REJECT is very general and
> will catch everything, preventing the ACCEPT rules from
> being applied.
> 
> -A FORWARD -i eth1 -o eth0 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> 
> I presume from the addresses that this is natting one
> private network onto another private network.  So this last
> note is not critical as it would be if connecting onto the
> Internet.  Once you get this working as you intended, I
> recommend you alter or remove these rules too, depending on
> whether you wish people on the 10 network to have access to
> services on your server:
> 
> # Permit IPSEC peer communications.  Unless you are
> configuring IPSEC tunnels, you should comment these out.
> #-A RH-Firewall-1-INPUT -p esp -j ACCEPT
> #-A RH-Firewall-1-INPUT -p ah -j ACCEPT
> 
> # Permit hosts to announce themselves to the
> avahi-daemon's multicast dns service
> -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp
> --dport 5353 -j ACCEPT
> 
> # Permit connections to the CUPS service (successful
> connections may be governed by the CUPS config)
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> 
> # Permit access to the ssh server.  There is nothing wrong
> with that as long as you harden /etc/ssh/sshd_config
> # to be more restrictive. By default it allows password
> authentication of all users including root, and
> # other service accounts.
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp
> --dport 22 -j ACCEPT
> 
> 
> 
> Antonio Olivares wrote:
> > *nat  
>   :PREROUTING ACCEPT [1:233]
>   :POSTROUTING ACCEPT [0:0] 
>   :OUTPUT ACCEPT [0:0]  
>   -A POSTROUTING -s 192.168.1.0/24 -o
> eth0 -

Re: set up NAT (network address translation) on local server

2008-11-20 Thread Christopher K. Johnson

Does /etc/sysconfig/iptables actually contain the lines

*nat 
:PREROUTING ACCEPT [1:233]   
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] 
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210 
COMMIT 

It seems unlikely that it was written correctly since the restart did 
not implement your SNAT rule, and this file is what a restart reads. 
Perhaps there is  a bug in iptables-save?  I edit 
/etc/sysconfig/iptables directly, and recommend that if you are not 
using some firewall front-end or tool to do this, that you do the same.


There is another problem in the rules you listed.  It would not prevent 
the SNAT rule from being implemented, so this is an unrelated problem.  
But it would prevent the forwarding you wanted:


-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT   
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT


Note that the REJECT is above your ACCEPT rules.  You need to move it 
below them because the REJECT is very general and will catch everything, 
preventing the ACCEPT rules from being applied.


-A FORWARD -i eth1 -o eth0 -j ACCEPT   
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

I presume from the addresses that this is natting one private network 
onto another private network.  So this last note is not critical as it 
would be if connecting onto the Internet.  Once you get this working as 
you intended, I recommend you alter or remove these rules too, depending 
on whether you wish people on the 10 network to have access to services 
on your server:


# Permit IPSEC peer communications.  Unless you are configuring IPSEC tunnels, you should comment these out.
#-A RH-Firewall-1-INPUT -p esp -j ACCEPT
#-A RH-Firewall-1-INPUT -p ah -j ACCEPT

# Permit hosts to announce themselves to the avahi-daemon's multicast dns service
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT

# Permit connections to the CUPS service (successful connections may be governed by the CUPS config)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

# Permit access to the ssh server.  There is nothing wrong with that as long as you harden /etc/ssh/sshd_config
# to be more restrictive. By default it allows password authentication of all users including root, and
# other service accounts.
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT



Antonio Olivares wrote:
*nat 
:PREROUTING ACCEPT [1:233]   
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] 
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210 
COMMIT 
# Completed on Thu Nov 20 06:52:04 2008
# Generated by iptables-save v1.4.1.1 on Thu Nov 20 06:52:04 2008  
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]  
:OUTPUT ACCEPT [8:452] 
:RH-Firewall-1-INPUT - [0:0]   
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT   
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Nov 20 06:52:04 2008
  



--
  "A society grows great when old men plant trees whose shade they know
  they shall never sit in" - Greek Proverb


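A lint for the two mistakes Chris points out in this post (the catch-all REJECT ahead of the FORWARD ACCEPT rules, and an SNAT --to-source that is not an address), as an added example that is not part of the thread. The sample rulesets are constructed from the rules posted above, the function names are my own, and it reads the iptables-save text rather than the live ruleset, so it runs without root.

```shell
#!/bin/sh
# Added example, not from the thread: lint an iptables-save dump for the two
# mistakes pointed out in this post. Function and variable names are my own.

# Constructed sample modelled on the rules posted above: the catch-all REJECT
# sits before the FORWARD ACCEPT rules, and --to-source carries the "a"
# placeholder from the original post instead of an address.
BROKEN_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source a
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# The same ruleset with both fixes applied: REJECT last, a real address.
FIXED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# forward_order_ok RULESET
# Returns 0 when no unconditional REJECT/DROP in the filter FORWARD chain is
# followed by an ACCEPT rule, 1 (naming the shadowed rule) otherwise.
# iptables-save writes match options before -j, so a FORWARD rule whose
# third field is already -j has no match at all and catches every packet.
forward_order_ok() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0; blocker = "" }
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" {
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) { blocker = $0; next }
            if (blocker != "" && $(NF-1) == "-j" && $NF == "ACCEPT") {
                printf "unreachable: %s\n  shadowed by: %s\n", $0, blocker
                bad = 1
            }
        }
        END { exit bad }'
}

# snat_target_ok RULESET
# Returns 0 when the nat POSTROUTING chain has a MASQUERADE rule or an SNAT
# rule whose --to-source is a dotted-quad IPv4 address, 1 otherwise.
snat_target_ok() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0; found = 0 }
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            if ($NF == "MASQUERADE") found = 1
            for (i = 1; i < NF; i++) if ($i == "--to-source") {
                found = 1
                n = split($(i + 1), oct, ".")
                ok = (n == 4)
                for (k = 1; k <= n && ok; k++)
                    if (oct[k] !~ /^[0-9]+$/ || oct[k] + 0 > 255) ok = 0
                if (!ok) { printf "bad --to-source \"%s\" in: %s\n", $(i + 1), $0; bad = 1 }
            }
        }
        END {
            if (!found) { print "no SNAT or MASQUERADE rule in nat POSTROUTING"; bad = 1 }
            exit bad
        }'
}

# lint_rules RULESET: run both checks; exit status 0 only when both pass.
lint_rules() {
    rc=0
    forward_order_ok "$1" || rc=1
    snat_target_ok "$1" || rc=1
    return $rc
}

echo "broken ruleset:"; lint_rules "$BROKEN_RULES" || echo "  -> would neither forward nor NAT"
echo "fixed ruleset:";  lint_rules "$FIXED_RULES"  && echo "  -> OK"
```

Point it at a real dump with `lint_rules "$(cat /etc/sysconfig/iptables)"` before running `service iptables restart`.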
Re: set up NAT (network address translation) on local server

2008-11-20 Thread Antonio Olivares
--- On Wed, 11/19/08, Christopher K. Johnson <[EMAIL PROTECTED]> wrote:

> From: Christopher K. Johnson <[EMAIL PROTECTED]>
> Subject: Re: set up NAT (network address translation) on local server
> To: "Community assistance, encouragement, and advice for using Fedora." 
> 
> Date: Wednesday, November 19, 2008, 4:00 PM
> No snat rule in effect!
> 
> Was the rule you provided in your original post verbatim? 
> Because it had 'a' instead of the public address. 
> In fact the rule seemed overly specific in other ways too.
> Here is what I have for a snat rule where the public
> (Internet) interface is eth1 (substitute your public IP
> address for a.b.c.d):
> 
> -A POSTROUTING -o eth1 -j SNAT --to-source a.b.c.d
> 
> Resulting in (again substituted a.b.c.d for the real public
> address):
> Chain POSTROUTING (policy ACCEPT 36819 packets, 4482K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 39065 2513K SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           to:a.b.c.d
> 
> If your rule is correct, then you need to activate your
> iptables file rules by:
> service iptables restart
> 
> Chris
> >  pkts bytes target     prot opt in     out     source               destination
> > 
> > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > 
> 
> 
> --   "A society grows great when old men plant trees
> whose shade they know
>   they shall never sit in" - Greek Proverb
> 

I have done the following: 

[EMAIL PROTECTED] ~]$ su -
Password:   
[EMAIL PROTECTED] ~]# lsmod | grep ipta*
[EMAIL PROTECTED] ~]# modprobe iptable_nat
[EMAIL PROTECTED] ~]# iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
[EMAIL PROTECTED] ~]# service dhcpd stop
Shutting down dhcpd:   [  OK  ]
[EMAIL PROTECTED] ~]# service dhcpd start
Starting dhcpd:[  OK  ]
[EMAIL PROTECTED] ~]# service dhcpd stop
Shutting down dhcpd:   [  OK  ]
[EMAIL PROTECTED] ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
[EMAIL PROTECTED] ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[EMAIL PROTECTED] ~]# iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
[EMAIL PROTECTED] ~]# service dhcpd start
Starting dhcpd:[  OK  ]
[EMAIL PROTECTED] ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 186 packets, 24044 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3 packets, 144 bytes)
 pkts bytes target     prot opt in     out     source               destination
  108  6705 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 SNAT        all  --  *      eth0    192.168.1.0/24       0.0.0.0/0           to:10.154.19.210

Chain OUTPUT (policy ACCEPT 111 packets, 6849 bytes)
 pkts bytes target     prot opt in     out     source               destination

[EMAIL PROTECTED] ~]# service iptables restart
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: nat filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
iptables: Applying firewall rules: [  OK  ]
iptables: Loading additional modules: ip_conntrack_netbios_[  OK  ]
[EMAIL PROTECTED] ~]# iptables -vnL -t nat   
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source   destination 


Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source   destination 


Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source   destination 
  

Re: set up NAT (network address translation) on local server

2008-11-19 Thread Christopher K. Johnson

No snat rule in effect!

Was the rule you provided in your original post verbatim?  Because it 
had 'a' instead of the public address.  In fact the rule seemed overly 
specific in other ways too.
Here is what I have for a snat rule where the public (Internet) 
interface is eth1 (substitute your public IP address for a.b.c.d):


-A POSTROUTING -o eth1 -j SNAT --to-source a.b.c.d

Resulting in (again substituted a.b.c.d for the real public address):
Chain POSTROUTING (policy ACCEPT 36819 packets, 4482K bytes)
 pkts bytes target     prot opt in     out     source               destination
39065 2513K SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           to:a.b.c.d


If your rule is correct, then you need to activate your iptables file 
rules by:

service iptables restart

Chris

>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination



--
  "A society grows great when old men plant trees whose shade they know
  they shall never sit in" - Greek Proverb



Re: set up NAT (network address translation) on local server

2008-11-19 Thread Craig White
On Wed, 2008-11-19 at 15:28 -0800, Antonio Olivares wrote:
> 
> 
> --- On Wed, 11/19/08, Christopher K. Johnson <[EMAIL PROTECTED]> wrote:
> 
> > From: Christopher K. Johnson <[EMAIL PROTECTED]>
> > Subject: Re: set up NAT (network address translation) on local server
> > To: "Community assistance, encouragement, and advice for using Fedora." 
> > 
> > Date: Wednesday, November 19, 2008, 2:57 PM
> > What does this command produce? (shows whether your snat
> > rule is implemented correctly)
> > iptables -vnL -t nat
> > 
> > And this one? (tells if ip forwarding is on)
> > cat /proc/sys/net/ipv4/ip_forward
> > 
> > Chris
> > 
> > --   "A society grows great when old men plant trees
> > whose shade they know
> >   they shall never sit in" - Greek Proverb
> > 
> 
> 
> [EMAIL PROTECTED] ~]$ su -
> Password:
> [EMAIL PROTECTED] ~]# iptables -vnL -t nat
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target prot opt in out source   
> destination
> 
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target prot opt in out source   
> destination
> 
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target prot opt in out source   
> destination
> [EMAIL PROTECTED] ~]# cat /proc/sys/net/ipv4/ip_forward
> 1

This is your Linux router?  No way...

Craig



Re: set up NAT (network address translation) on local server

2008-11-19 Thread Les Mikesell

Antonio Olivares wrote:



--- On Wed, 11/19/08, Christopher K. Johnson <[EMAIL PROTECTED]> wrote:


From: Christopher K. Johnson <[EMAIL PROTECTED]>
Subject: Re: set up NAT (network address translation) on local server
To: "Community assistance, encouragement, and advice for using Fedora." 

Date: Wednesday, November 19, 2008, 2:57 PM
What does this command produce? (shows whether your snat
rule is implemented correctly)
iptables -vnL -t nat

And this one? (tells if ip forwarding is on)
cat /proc/sys/net/ipv4/ip_forward

Chris

--   "A society grows great when old men plant trees
whose shade they know
  they shall never sit in" - Greek Proverb




[EMAIL PROTECTED] ~]$ su -
Password:
[EMAIL PROTECTED] ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source   destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source   destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source   destination
[EMAIL PROTECTED] ~]# cat /proc/sys/net/ipv4/ip_forward
1
[EMAIL PROTECTED] ~]#


Try
modprobe iptable_nat
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

and make sure the host itself can ping the targets you are trying.

--
   Les Mikesell
   [EMAIL PROTECTED]



Re: set up NAT (network address translation) on local server

2008-11-19 Thread Antonio Olivares



--- On Wed, 11/19/08, Christopher K. Johnson <[EMAIL PROTECTED]> wrote:

> From: Christopher K. Johnson <[EMAIL PROTECTED]>
> Subject: Re: set up NAT (network address translation) on local server
> To: "Community assistance, encouragement, and advice for using Fedora." 
> 
> Date: Wednesday, November 19, 2008, 2:57 PM
> What does this command produce? (shows whether your snat
> rule is implemented correctly)
> iptables -vnL -t nat
> 
> And this one? (tells if ip forwarding is on)
> cat /proc/sys/net/ipv4/ip_forward
> 
> Chris
> 
> --   "A society grows great when old men plant trees
> whose shade they know
>   they shall never sit in" - Greek Proverb
> 


[EMAIL PROTECTED] ~]$ su -
Password:
[EMAIL PROTECTED] ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source   destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source   destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source   destination
[EMAIL PROTECTED] ~]# cat /proc/sys/net/ipv4/ip_forward
1
[EMAIL PROTECTED] ~]#


Regards,

Antonio 


  



Re: set up NAT (network address translation) on local server

2008-11-19 Thread Craig White
On Wed, 2008-11-19 at 15:13 -0800, Antonio Olivares wrote:
> --- On Wed, 11/19/08, Craig White <[EMAIL PROTECTED]> wrote:

> 
> C:\Documents and Settings\6355-win2000>ping 209.131.36.158
> 
> Pinging 209.131.36.158 with 32 bytes of data:
> 
> Reply from 192.168.0.1: Destination host unreachable.
> Reply from 192.168.0.1: Destination host unreachable.
> Reply from 192.168.0.1: Destination host unreachable.
> Reply from 192.168.0.1: Destination host unreachable.
> 
> Ping statistics for 209.131.36.158:
> Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
> Minimum = 0ms, Maximum =  0ms, Average =  0ms
> 
> C:\Documents and Settings\6355-win2000>ping www.yahoo.com
> Unknown host www.yahoo.com.
> 
> C:\Documents and Settings\6355-win2000>
> 
> 
> 
> The problem is still at routing then :(
> 
> Thanks for helping.  Which rules should I try out?

Normally, to detect a routing problem, you would run the traceroute command
(on Windows it's tracert), but of course it will only go so far before it
starts showing breaks, which would seem to be your Linux firewall/router.

So it would be most useful to give us the output of the commands as
asked for by Chris Johnson.

Craig





Re: set up NAT (network address translation) on local server

2008-11-19 Thread Antonio Olivares
--- On Wed, 11/19/08, Craig White <[EMAIL PROTECTED]> wrote:

> From: Craig White <[EMAIL PROTECTED]>
> Subject: Re: set up NAT (network address translation) on local server
> To: [EMAIL PROTECTED], "Community assistance, encouragement, and advice for 
> using Fedora." 
> Date: Wednesday, November 19, 2008, 2:20 PM
> On Wed, 2008-11-19 at 13:09 -0800, Antonio Olivares wrote:
> > --- On Wed, 11/19/08, Antonio Olivares
> <[EMAIL PROTECTED]> wrote:
> > 
> > > From: Antonio Olivares
> <[EMAIL PROTECTED]>
> > > Subject: set up NAT (network address translation)
> on local server
> > > To: fedora-list@redhat.com
> > > Date: Wednesday, November 19, 2008, 12:59 PM
> > > Dear all,
> > > 
> > > Starting new thread to clear up the other one:
> > > Re: Make a DHCP server using Fedora - Help
> > > 
> > > After going through the steps outlined and the
> guidance
> > > provided by great individuals that participate in
> this list
> > > :)
> > > 
> > > /* Done now added eth1 to DHCPARGS */ 
> > > [EMAIL PROTECTED] ~]$ cat /etc/sysconfig/dhcpd
> > > DHCPDARGS=eth1
> > > 
> > > 
> > > I need a little bit of help in setting up NAT.  I
> can use
> > > the system-config-firewall or I can try using
> webmin or from
> > > command line, I feel I can achieve the goal.
> > > 
> > > How should I begin?
> > > 
> > > I had done this before, but because of other
> problems
> > > between the devices and my errors, it did not
> work :(
> > > 
> > > # Forward all packets from eth1 (internal
> network) to eth0
> > > (the public internet)
> > > iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> > > # Forward packets that are part of existing and
> related
> > > connections from eth0 to eth1
> > > iptables -A FORWARD -i eth0 -o eth1 -m state
> --state
> > > ESTABLISHED,RELATED -j ACCEPT
> > > # Enable SNAT functionality on eth0. a.b.c.d are
> generally
> > > the ip of the eth0
> > > iptables -A POSTROUTING -t nat -s 192.168.1.0/24
> -o eth0 -j
> > > SNAT --to-source a
> > > 
> > > Thank you for helping,
> > > 
> > > Regards,
> > > 
> > > Antonio 
> > > 
> > > 
> > >   
> > > 
> > > -- 
> > Sorry to reply to my own thread, but some might ask if
> I did the following and here's what I have done.  
> > 
> > Did this part : 
> > 
> > [EMAIL PROTECTED] ~]$ su -
> > Password:   
> > [EMAIL PROTECTED] ~]# service dhcpd restart   
> > Starting dhcpd:   
> [  OK  ]
> > [EMAIL PROTECTED] ~]# tail -f /var/log/messages 
> 
> > Nov 19 15:00:02 localhost dhcpd: Copyright 2004-2007 Internet Systems Consortium.
> > Nov 19 15:00:02 localhost dhcpd: All rights reserved.
> > Nov 19 15:00:02 localhost dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
> > Nov 19 15:00:02 localhost dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
> > Nov 19 15:00:02 localhost dhcpd: Wrote 2 leases to leases file.
> > Nov 19 15:00:02 localhost dhcpd: Listening on LPF/eth1/00:60:97:c5:2a:c3/192.168.0.0/24
> > Nov 19 15:00:02 localhost dhcpd: Sending on   LPF/eth1/00:60:97:c5:2a:c3/192.168.0.0/24
> > Nov 19 15:00:02 localhost dhcpd: Sending on   Socket/fallback/fallback-net
> > Nov 19 15:00:06 localhost dhcpd: DHCPREQUEST for 192.168.0.3 from 00:11:2f:35:88:2e via eth1
> > Nov 19 15:00:06 localhost dhcpd: DHCPACK on 192.168.0.3 to 00:11:2f:35:88:2e via eth1
> > Nov 19 15:00:22 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via eth1
> > Nov 19 15:00:23 localhost dhcpd: DHCPOFFER on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
> > 

Re: set up NAT (network address translation) on local server

2008-11-19 Thread Christopher K. Johnson
What does this command produce? (shows whether your snat rule is 
implemented correctly)

iptables -vnL -t nat

And this one? (tells if ip forwarding is on)
cat /proc/sys/net/ipv4/ip_forward

Chris

--
  "A society grows great when old men plant trees whose shade they know
  they shall never sit in" - Greek Proverb



Re: set up NAT (network address translation) on local server

2008-11-19 Thread Craig White
On Wed, 2008-11-19 at 13:09 -0800, Antonio Olivares wrote:
> --- On Wed, 11/19/08, Antonio Olivares <[EMAIL PROTECTED]> wrote:
> 
> > From: Antonio Olivares <[EMAIL PROTECTED]>
> > Subject: set up NAT (network address translation) on local server
> > To: fedora-list@redhat.com
> > Date: Wednesday, November 19, 2008, 12:59 PM
> > Dear all,
> > 
> > Starting new thread to clear up the other one:
> > Re: Make a DHCP server using Fedora - Help
> > 
> > After going through the steps outlined and the guidance
> > provided by great individuals that participate in this list
> > :)
> > 
> > /* Done now added eth1 to DHCPARGS */ 
> > [EMAIL PROTECTED] ~]$ cat /etc/sysconfig/dhcpd
> > DHCPDARGS=eth1
> > 
> > 
> > I need a little bit of help in setting up NAT.  I can use
> > the system-config-firewall or I can try using webmin or from
> > command line, I feel I can achieve the goal.
> > 
> > How should I begin?
> > 
> > I had done this before, but because of other problems
> > between the devices and my errors, it did not work :(
> > 
> > # Forward all packets from eth1 (internal network) to eth0
> > (the public internet)
> > iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> > # Forward packets that are part of existing and related
> > connections from eth0 to eth1
> > iptables -A FORWARD -i eth0 -o eth1 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> > # Enable SNAT functionality on eth0. a.b.c.d are generally
> > the ip of the eth0
> > iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j
> > SNAT --to-source a
> > 
> > Thank you for helping,
> > 
> > Regards,
> > 
> > Antonio 
> > 
> > 
> >   
> > 
> > -- 
> Sorry to reply to my own thread, but some might ask if I did the following 
> and here's what I have done.  
> 
> Did this part : 
> 
> [EMAIL PROTECTED] ~]$ su -
> Password:   
> [EMAIL PROTECTED] ~]# service dhcpd restart   
> Starting dhcpd:[  OK  ]
> [EMAIL PROTECTED] ~]# tail -f /var/log/messages  
> Nov 19 15:00:02 localhost dhcpd: Copyright 2004-2007 Internet Systems Consortium.
> Nov 19 15:00:02 localhost dhcpd: All rights reserved.
> Nov 19 15:00:02 localhost dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
> Nov 19 15:00:02 localhost dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
> Nov 19 15:00:02 localhost dhcpd: Wrote 2 leases to leases file.
> Nov 19 15:00:02 localhost dhcpd: Listening on LPF/eth1/00:60:97:c5:2a:c3/192.168.0.0/24
> Nov 19 15:00:02 localhost dhcpd: Sending on   LPF/eth1/00:60:97:c5:2a:c3/192.168.0.0/24
> Nov 19 15:00:02 localhost dhcpd: Sending on   Socket/fallback/fallback-net
> Nov 19 15:00:06 localhost dhcpd: DHCPREQUEST for 192.168.0.3 from 00:11:2f:35:88:2e via eth1
> Nov 19 15:00:06 localhost dhcpd: DHCPACK on 192.168.0.3 to 00:11:2f:35:88:2e via eth1
> Nov 19 15:00:22 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via eth1
> Nov 19 15:00:23 localhost dhcpd: DHCPOFFER on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
> Nov 19 15:00:23 localhost dhcpd: DHCPREQUEST for 192.168.0.2 (192.168.0.1) from 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
> Nov 19 15:00:23 localhost dhcpd: DHCPACK on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
> Nov 19 15:00:33 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
> Nov 19 15:00:33 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
> Nov 19 15:00:37 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
> Nov 19 15:00:37 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
> 
> From one of the machines I get:
> 
> [EMAIL PROTECTED] ~]$ cat /media/STAPLES\ UFD/computer1.txt 
> 
> Windows 2000 IP Configuration
> 
> Host Name . . . . . . . . . . . . : 6355-hthhzebqqx
> Primary DNS Suffix  . . . . . . . :
> Node Type . . . . . . . . . . . . : Hybrid 
> IP Routing Enabled. . . . . . . . : No 
> WINS Proxy Enabled. . . . . . . . : No  

Re: set up NAT (network address translation) on local server

2008-11-19 Thread Antonio Olivares
--- On Wed, 11/19/08, Antonio Olivares <[EMAIL PROTECTED]> wrote:

> From: Antonio Olivares <[EMAIL PROTECTED]>
> Subject: set up NAT (network address translation) on local server
> To: fedora-list@redhat.com
> Date: Wednesday, November 19, 2008, 12:59 PM
> Dear all,
> 
> Starting new thread to clear up the other one:
> Re: Make a DHCP server using Fedora - Help
> 
> After going through the steps outlined and the guidance
> provided by great individuals that participate in this list
> :)
> 
> /* Done now added eth1 to DHCPARGS */ 
> [EMAIL PROTECTED] ~]$ cat /etc/sysconfig/dhcpd
> DHCPDARGS=eth1
> 
> 
> I need a little bit of help in setting up NAT.  I can use
> the system-config-firewall or I can try using webmin or from
> command line, I feel I can achieve the goal.
> 
> How should I begin?
> 
> I had done this before, but because of other problems
> between the devices and my errors, it did not work :(
> 
> # Forward all packets from eth1 (internal network) to eth0
> (the public internet)
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> # Forward packets that are part of existing and related
> connections from eth0 to eth1
> iptables -A FORWARD -i eth0 -o eth1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> # Enable SNAT functionality on eth0. a.b.c.d are generally
> the ip of the eth0
> iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j
> SNAT --to-source a
> 
> Thank you for helping,
> 
> Regards,
> 
> Antonio 
> 
> 
>   
> 
> -- 
Sorry to reply to my own thread, but some might ask if I did the following and 
here's what I have done.  

Did this part : 

[EMAIL PROTECTED] ~]$ su -
Password:   
[EMAIL PROTECTED] ~]# service dhcpd restart   
Starting dhcpd:[  OK  ]
[EMAIL PROTECTED] ~]# tail -f /var/log/messages  
Nov 19 15:00:02 localhost dhcpd: Copyright 2004-2007 Internet Systems Consortium.
Nov 19 15:00:02 localhost dhcpd: All rights reserved.
Nov 19 15:00:02 localhost dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Nov 19 15:00:02 localhost dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Nov 19 15:00:02 localhost dhcpd: Wrote 2 leases to leases file.
Nov 19 15:00:02 localhost dhcpd: Listening on LPF/eth1/00:60:97:c5:2a:c3/192.168.0.0/24
Nov 19 15:00:02 localhost dhcpd: Sending on   LPF/eth1/00:60:97:c5:2a:c3/192.168.0.0/24
Nov 19 15:00:02 localhost dhcpd: Sending on   Socket/fallback/fallback-net
Nov 19 15:00:06 localhost dhcpd: DHCPREQUEST for 192.168.0.3 from 00:11:2f:35:88:2e via eth1
Nov 19 15:00:06 localhost dhcpd: DHCPACK on 192.168.0.3 to 00:11:2f:35:88:2e via eth1
Nov 19 15:00:22 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via eth1
Nov 19 15:00:23 localhost dhcpd: DHCPOFFER on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Nov 19 15:00:23 localhost dhcpd: DHCPREQUEST for 192.168.0.2 (192.168.0.1) from 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Nov 19 15:00:23 localhost dhcpd: DHCPACK on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Nov 19 15:00:33 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Nov 19 15:00:33 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Nov 19 15:00:37 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Nov 19 15:00:37 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1

From one of the machines I get:

[EMAIL PROTECTED] ~]$ cat /media/STAPLES\ UFD/computer1.txt 

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : 6355-hthhzebqqx
Primary DNS Suffix  . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid 
IP Routing Enabled. . . . . . . . : No 
WINS Proxy Enabled. . . . . . . . : No 

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Intel(R) 82559 Fast Ethernet LAN 
onMotherboard
Physical Address. . . . . . . . . : 00-D0-B7-C1-09-58
DHCP Enabled. . . . . . . . . . . : Yes
Autocon