I have a CentOS 5 set up as a NAT router between network A and Network B in a test environment, like so:
eth0 (NETWORK B) <==> CENTOS <==> eth1 (NETWORK A)
I have set up ipv4 forwarding and have added (what I think) are the correct entries in iptables. NETWORK A is our "Internet" in this test environment. CENTOS is set to provide DHCP service only on eth0 for NETWORK B computers as well as NAT functionality. But I have two problems (one on the first day, another on the second day...got nowhere on the third...):
Day 1) When I permit forwarding from eth0 to eth1 and postrouting masquerade, I cannot connect from any computer in NETWORK B to services (web, ssh, ftp, etc) on NETWORK A. The computers on NETWORK B are assigned the correct IP, subnet, gateway, and dns. So I pinged a few public IPs including: google.com and opendns.com and get replies. This seemed suggestive of a DNS problem, so I manually set my DNS on one of my computers on NETWORK B to use opendns and still no name resolution. The next thing I did from NETWORK B was a traceroute for the public IP of google.com. Nothing! It goes to the gateway (the CentOS 5.8) and stops there with a !Z. I next did a tcpdump on the CentOS 5.8 gateway and found what looks like icmp requests to nameservers (charter, opendns, verizon, etc) resulting with an "unreachable - admin prohibited". I then disabled iptables completely, and bingo! I can connect to services in NETWORK A from computers in NETWORK B...(but leaving iptables off is maybe one of the last things I want to do). However, even with iptables off, I still noticed in the tcpdump a significant number of "unreachable - admin prohibited", which I can definitely experience when browsing the web - it's VERY SLOW and often times results with a timeout exception. What could be causing this? Is this normal activity? I'm starting to wonder if my box is incapable of keeping up with the workload - doubtful but here are the specs: it has an Intel Pentium 2.7GHz (Intel Pentium G630 Sandy Bridge 2.7GHz LGA 1155 65W Dual-Core Desktop Processor Intel HD Graphics BX80623G630 - http://www.newegg.com/Product/Produc...82E16819116406 ) and 4GB of RAM. Both NICs are 1Gbps.
Day 2) I thought maybe if I use the system-config-network-tui to configure the firewall, test the system to make sure it works and look at the generated config files I can better understand what I need to do to make my CentOS NAT work. So I went ahead with the guided system-config-network-tui and set both eth0 and eth1 as trusted and masqueraded. Saved the config and restarted iptables. This seemed to work! I was able to access services on NETWORK A from NETWORK B. But there are two problems with this: 1) The generated config file means gibberish to me (I most likely need to go back to my iptables book to remind myself what some of the options mean), and 2) the "unreachable - admin prohibited" problem in my tcpdump is not resolved. And once again I can experience it when browsing the web - it's VERY SLOW and often times results with a timeout exception.
Day 3) head...banging...against...wall...
I apologize in advance for the long post and not providing any logs or config files. I'm posting this from work where I do not have remote access to my box at home. This has been on my mind for three days now and I can't seem to find anything from my searches. Any help is much appreciated!
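As an added example (not part of the original post or the poster's configuration), here is a minimal stateful NAT rule set for the eth0 (NETWORK B) <==> CentOS <==> eth1 (NETWORK A) layout described above, plus the tcpdump filter that isolates the "admin prohibited" ICMP so its source address can be read off. The interface names are the post's; the LAN subnet is a placeholder to be replaced with the DHCP scope served on eth0.

```shell
#!/bin/sh
# Added example, not from the original post. Interface roles follow the post;
# LAN_NET is a constructed placeholder.
LAN_IF=eth0            # NETWORK B side, DHCP served here
WAN_IF=eth1            # NETWORK A side, the test "Internet"
LAN_NET=192.168.50.0/24   # placeholder: the subnet handed out on eth0

# Print the rule set so it can be reviewed first; run with APPLY=1 as root to execute.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
# Replies to connections the LAN opened are allowed back in; nothing else from upstream.
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open new connections toward NETWORK A.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# Anything else that reaches the end of FORWARD is logged before the DROP policy eats it.
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
# Rewrite LAN source addresses to eth1's address on the way out.
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# BPF filter for the ICMP seen in the post: destination unreachable (type 3)
# with an administratively-prohibited code (9, 10 or 13). The source address of
# each matching packet is the device whose REJECT rule or ACL generated it.
admin_prohibited_filter() {
    echo "icmp[0] = 3 and (icmp[1] = 9 or icmp[1] = 10 or icmp[1] = 13)"
}

if [ "${APPLY:-0}" = 1 ]; then
    nat_rules | sh -e
else
    nat_rules
    echo "tcpdump -ni $WAN_IF '$(admin_prohibited_filter)'"
fi
```

On CentOS 5 the stock /etc/sysconfig/iptables sends FORWARD through RH-Firewall-1-INPUT, which ends in a REJECT with an ICMP prohibited message; flushing FORWARD above replaces that with the explicit accept rules, and running the filter on eth1 while iptables is off tells you whether the remaining ICMP comes from the CentOS box itself or from a hop on NETWORK A.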