Hi,
Just for the heads-up, iptables rules created by system-config are
fine; I was just hitting a default route problem due to the fact that
another fw is already in prod with another IP address.
The one I'm configuring is aimed to replace the one already running.
Now, I'm just fighting with rules for
@John, yea good catch thanks =)
On Tue, Dec 13, 2011 at 11:59 AM, John Hodrien wrote:
> On Tue, 13 Dec 2011, cliff here wrote:
>
> > Also to note, if you edit your /etc/sysconfig/iptables file manually there
> > is a line in /etc/init.d/iptables at line number 300 that will save on
> > service
On Tue, 13 Dec 2011, cliff here wrote:
> Also to note, if you edit your /etc/sysconfig/iptables file manually there
> is a line in /etc/init.d/iptables at line number 300 that will save on
> service iptables restart; meaning if you run that command the buffer will
> save over the file and basical
Here's a really good overview of how the iptables process works
http://fedoraunity.org/Members/kanarip/iptables-howto
On Tue, Dec 13, 2011 at 10:53 AM, wrote:
> Laurent Wandrebeck wrote:
> > On Tue, 13 Dec 2011 10:23:45 -0500
> > cliff here wrote:
> >
> >> My best guess would be to move your
Also to note, if you edit your /etc/sysconfig/iptables file manually there
is a line in /etc/init.d/iptables at line number 300 that will save on
service iptables restart; meaning if you run that command the buffer will
save over the file and basically revert any changes you just made to the
file.
Laurent Wandrebeck wrote:
> On Tue, 13 Dec 2011 10:23:45 -0500
> cliff here wrote:
>
>> My best guess would be to move your forwarding rules to the INPUT chain
>> instead of being in the PREROUTING.
> Will try that once I figure out iptables syntax.
> Is it me or did I hit a system-config-firewall bug
On Tue, 13 Dec 2011 10:23:45 -0500
cliff here wrote:
> My best guess would be to move your forwarding rules to the INPUT chain
> instead of being in the PREROUTING.
Will try that once I figure out iptables syntax.
Is it me or did I hit a system-config-firewall bug in rule generation?
Laurent.
My best guess would be to move your forwarding rules to the INPUT chain
instead of being in the PREROUTING.
On Tue, Dec 13, 2011 at 10:16 AM, Laurent Wandrebeck wrote:
> On Tue, 13 Dec 2011 10:07:41 -0500
> cliff here wrote:
>
> > sorry that's watch -n 1 'iptables -t nat -L -n -v'
>
> > > But
On Tue, 13 Dec 2011 10:07:41 -0500
cliff here wrote:
> sorry that's watch -n 1 'iptables -t nat -L -n -v'
> > But if I'm not mistaken about what your intent is, your forwarding rules that
> > you have in PREROUTING should be in the INPUT chain.
> > You're trying to come in from an outside net to your FW
sorry that's watch -n 1 'iptables -t nat -L -n -v'
On Tue, Dec 13, 2011 at 10:04 AM, cliff here wrote:
> actually if you could cat /etc/sysconfig/iptables, i find it easier to
> read. also try this to troubleshoot
>
> watch n 1 'iptables -t nat -L -n -v'
>
> it will show you when a packet
Actually, if you could cat /etc/sysconfig/iptables, I find it easier to
read. Also try this to troubleshoot:
watch n 1 'iptables -t nat -L -n -v'
It will show you when a packet hits a rule. I find it very helpful when
troubleshooting.
But if I'm not mistaken about what your intent is, your forwarding
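The watch-the-counters tip above, as an added example that is not from the thread or its posters: a small Python parser (an assumed script, not a real tool) for `iptables -t nat -L -n -v` output that compares two snapshots and reports which rules' packet counters moved and which are still at zero, which is what flags a port-forward sitting in the wrong chain. The listing text is a constructed sample, not the poster's fpaste.

```python
import re

# Constructed sample of `iptables -t nat -L -n -v` output (not a capture from this
# thread): a DNAT port-forward in PREROUTING and MASQUERADE in POSTROUTING.
SNAPSHOT_BEFORE = """\
Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.10:80

Chain POSTROUTING (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2400 MASQUERADE  all  --  *      eth1    192.168.1.0/24       0.0.0.0/0
"""
# One second later: two more LAN packets were masqueraded; the DNAT rule never fired.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("   40  2400 MASQUERADE", "   42  2520 MASQUERADE")

_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
# pkts, bytes, target, rest of the rule; the " pkts bytes target ..." header does not match
_RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(.*)$")

def parse_count(token: str) -> int:
    """iptables -v abbreviates counters (12K, 3M) unless -x is given."""
    return int(token[:-1]) * _SUFFIX[token[-1]] if token[-1] in _SUFFIX else int(token)

def parse_counters(listing: str) -> dict:
    """Map (chain, rule position) -> (packets, normalised rule text)."""
    rules, chain, pos = {}, None, 0
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain, pos = line.split()[1], 0
            continue
        m = _RULE_RE.match(line)
        if chain is None or not m:
            continue
        pos += 1
        rules[(chain, pos)] = (parse_count(m.group(1)), f"{m.group(3)} {' '.join(m.group(4).split())}")
    return rules

def rules_hit(before: str, after: str) -> list:
    """Rules whose packet counter grew between two snapshots, i.e. what `watch -n 1`
    lets you see: (chain, position, packets gained, rule text)."""
    old, new = parse_counters(before), parse_counters(after)
    return [(c, p, n - old[(c, p)][0], txt) for (c, p), (n, txt) in new.items()
            if (c, p) in old and n > old[(c, p)][0]]

def untouched_rules(listing: str) -> list:
    """Rules still at zero packets: the ones to suspect of sitting in the wrong chain."""
    return [(c, p, txt) for (c, p), (n, txt) in parse_counters(listing).items() if n == 0]
```

Feed it two real snapshots taken a second apart (for example two `iptables -t nat -L -n -v > file` runs) and the zero-counter list points at the rules traffic is never reaching.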
On Tue, 13 Dec 2011 09:44:11 -0500
cliff here wrote:
> Can you fpaste your firewall rules? I would omit the actual public IPs for
> security's sake.
http://fpaste.org/wE0L/
If you need anything else, ask :)
Thanks,
Laurent.
Can you fpaste your firewall rules? I would omit the actual public IPs for
security's sake.
On Tue, Dec 13, 2011 at 8:53 AM, Laurent Wandrebeck wrote:
> Hi,
>
> I'm using system-config-firewall (C6 x86_64, fully up to date) to
> configure a gateway/firewall box. 2 nics, eth0 (configured as bridge0
Hi,
I'm using system-config-firewall (C6 x86_64, fully up to date) to
configure a gateway/firewall box. 2 nics, eth0 (configured as bridge0,
mtu 7200) connected to the lan, eth1 being connected directly to the
internet (public ip, mtu 1500). ssh port is open and accessible. nat is
working fine. I'