LinuxQuestions.org


saman 12-18-2007 12:33 AM

Redhat Router + Iptables
 
ISP ------* ISDN modem/Router * --- switch1 -- eth0 * DNS/ DHCP Server* eth1 --- switch2 ------ * Local Area Network / Wifi Broadcasting *

RHEL4 :
eth1 IP: 192.168.1.2 DNS (mycompany.com)
GW: 192.168.1.1


eth0 IP:192.168.0.10
GW:192.168.0.1

DNS & DHCP is working fine.

#/etc/named.conf
.
.
forwarder first;
forwarder { 103.130.0.1 } (Example ISP IP address)
.
.
.


(testing)
If I plug a cable into switch1 from a Windows XP Professional machine with
Static IP : 192.168.1.10
GW : 192.168.1.1
ISP DNS : 103.130.0.1

it works fine and can surf the internet, but from the RHEL4 server I can't surf or ping the internet. Why?

Here below are the RHEL4 settings:

#/etc/sysconfig/network
networking=yes
Hostname='comp1.mycompany.com'
Domainname='mycompany.com'
GATEWAY=192.168.1.1
GATEWAYDEV=eth0

#/etc/sysctl.conf
net.ipv4.ip_forward = 1


the iptables setting:
#/etc/sysconfig/iptables
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.2

Can anyone help me solve the problem?
Help will be appreciated.

Sam

ramram29 12-18-2007 09:55 AM

What's in your /etc/resolv.conf?

saman 12-20-2007 02:08 AM

Quote:

Originally Posted by ramram29 (Post 2994748)
What's in your /etc/resolv.conf?

# /etc/resolv.conf
search mycomp1.mycomputer.com
nameserver 192.168.1.2 (mycomp1 DNS ip address)
nameserver 103.130.0.1 ( my ISP ip address)

When I ping google.com, the ADSL2+/Router light is blinking, but no results show up.

Brian1 12-24-2007 01:48 PM

Things I see: do not define a gateway for NIC eth1; IP forwarding and masquerading handle this for you. Next, I would leave the following like so.
#/etc/sysconfig/network
networking=yes
HOSTNAME=comp1.mycompany.com
DOMAINNAME=mycompany.com

Not sure about the DOMAINNAME there though.

I do not know if that is all there is in /etc/sysconfig/iptables, but I don't think you can write it like that unless it is a script, which it does not appear to be. If there are other items there, then leave them for now but post them. If not, then I would move the line to /etc/rc.local. When placing that command there, use the full path to the iptables command, /sbin/iptables. Then disable the iptables service if there are no other lines in that file. If there are other firewall lines, then do not do the following. But to disable it on next boot, run the following command.
/sbin/chkconfig --level 345 iptables off

Also, I assume there are no () in the /etc/resolv.conf file.

So while you're at it, post the contents of the following files in full.
/etc/sysconfig/iptables
/etc/sysconfig/networking-script/ifcfg-eth0
/etc/sysconfig/networking-script/ifcfg-eth1
/etc/sysconfig/network
/etc/resolv.conf

Then output from the following commands.
/sbin/ifconfig -a
/sbin/route
/sbin/service --status-all

To me this looks like a lot of Debian configuration, which the Redhat distro is not.

Brian

saman 01-02-2008 02:05 AM

Quote:

Originally Posted by Brian1 (Post 3000693)
Things I see: do not define a gateway for NIC eth1; IP forwarding and masquerading handle this for you. Next, I would leave the following like so.
#/etc/sysconfig/network
networking=yes
HOSTNAME=comp1.mycompany.com
DOMAINNAME=mycompany.com

Not sure about the DOMAINNAME there though.

I do not know if that is all there is in /etc/sysconfig/iptables, but I don't think you can write it like that unless it is a script, which it does not appear to be. If there are other items there, then leave them for now but post them. If not, then I would move the line to /etc/rc.local. When placing that command there, use the full path to the iptables command, /sbin/iptables. Then disable the iptables service if there are no other lines in that file. If there are other firewall lines, then do not do the following. But to disable it on next boot, run the following command.
/sbin/chkconfig --level 345 iptables off

Also, I assume there are no () in the /etc/resolv.conf file.

So while you're at it, post the contents of the following files in full.
/etc/sysconfig/iptables
/etc/sysconfig/networking-script/ifcfg-eth0
/etc/sysconfig/networking-script/ifcfg-eth1
/etc/sysconfig/network
/etc/resolv.conf

Then output from the following commands.
/sbin/ifconfig -a
/sbin/route
/sbin/service --status-all

To me this looks like a lot of Debian configuration, which the Redhat distro is not.

Brian

Sorry for the late reply....

Here is the iptables script:

#Generated by iptables-save v1.2.11
*filter

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-F

#User defined chain for ACCEPTED TCP Packet
-N ok
-A ok -p TCP --syn -j ACCEPT
-A ok -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A ok -p TCP -j DROP

# INPUT chain rules
-A INPUT -P all -i lo -s 127.0.0.1 -j ACCEPT
-A INPUT -P all -i lo -s 192.168.1.2 -j ACCEPT
-A INPUT -P all -i lo -s 192.168.0.10 -j ACCEPT
-A INPUT -P all -i eth1 -d 192.168.1.2 -j ACCEPT
-A INPUT -P all -i eth1 -d $ISP_IP -j ACCEPT

# Rules for incoming packet from internet

# Packet for established connections
-A INPUT -p ALL -d 192.168.1.2 -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP rules
-A INPUT -p TCP -i eth0 --destination-port 21 -j ok
-A INPUT -p TCP -i eth0 --destination-port 22 -j ok
-A INPUT -p TCP -i eth0 --destination-port 80 -j ok
-A INPUT -p TCP -i eth0 --destination-port 113 -j ok

# UDP rules
-A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT
-A INPUT -p ICMP -i eth0 --icmp-type 11 -j ACCEPT

# FORWARD chain rules
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT chain rules
-A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.0.10 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.1.2 -j ACCEPT
-A OUTPUT -p ALL -s $ISP_IP -j ACCEPT
COMMIT

*nat
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.2
COMMIT

---------------------------------------------------------------

Here below is the #/etc/sysconfig/network-scripts/ifcfg-eth1
IPV6INIT=no
ONBOOT=yes
USERCTL=no
PEERDBS=yes
GATEWAY=192.168.1.1
TYPE=Ethernet
DEVICE=dev32684
HWADDR=00:50:BA:8B:d5:56
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.2

-------------------------------------------------------------
Here is #/etc/sysconfig/network-scripts/ifcfg-eth0

IPV6INIT=no
ONBOOT=yes
USERCTL=no
PEERDBS=yes
TYPE=Ethernet
DEVICE=eth0
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.0.10

---------------------------------------------------------------
Here below is the #/etc/sysconfig/network

NETWORKING=yes
HOSTNAME=mycomp1.mycompany.com
DOMAINNAME='mycompany.com'

----------------------------------------------------------------
Here below is the #/etc/resolv.conf

search mycomp1.mycompany.com
nameserver 192.168.1.2
nameserver $ISP_IP (every $ISP_IP is just an example)
nameserver $ISP_IP

Note: $ISP_IP and the () are just examples.
-----------------------------------------------------------------
#/sbin/ifconfig -a
dev 32684 Link encap:Ethernet HWaddr 00:50:BA:...etc
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr:fe80::250:baff:fe8b..etc Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
etc..

eth1 Link encap:Ethernet HWaddr 00:2F...etc
BROADCAST MULTICAST MTU: ..ETC
RX
TX
Interrupt

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX
TX

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX
TX
-----------------------------------------------------------------
#/sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 dev32684
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 dev32684
default         192.168.1.1     0.0.0.0         UG    0      0        0 dev32684

-------------------------------------------------------------------
#/sbin/service --status-all
Too much output to write on this page, hence I just briefly write the /sbin/iptables -L output:

Chain INPUT (policy DROP)
target     prot opt source                 destination
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.0.10           anywhere
ACCEPT     all  --  mycomp1.mycompany.com  anywhere
ACCEPT     all  --  anywhere               mycomp1.mycompany.com
ACCEPT     all  --  anywhere               $ISP_IP (130..etc)
ACCEPT     all  --  anywhere               mycomp1.mycompany.com  state RELATED,ESTABLISHED
ok         tcp  --  anywhere               anywhere               tcp dpt:ftp
ok         tcp  --  anywhere               anywhere               tcp dpt:ssh
ok         tcp  --  anywhere               anywhere               tcp dpt:http
ok         tcp  --  anywhere               anywhere               tcp dpt:auth
ACCEPT     icmp --  anywhere               anywhere               icmp echo-request
ACCEPT     icmp --  anywhere               anywhere               icmp time-exceeded

Chain FORWARD (policy DROP)
target     prot opt source                 destination
ACCEPT     all  --  anywhere               anywhere
ACCEPT     all  --  anywhere               anywhere               state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source                 destination
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.0.10           anywhere
ACCEPT     all  --  mycomp1.mycomputer.com anywhere
ACCEPT     all  --  anywhere               ISP_IP (130.XX.XX.XX)

Chain ok (4 references)
target     prot opt source                 destination
ACCEPT     tcp  --  anywhere               anywhere
ACCEPT     tcp  --  anywhere               anywhere               tcp flags:SYN,RST,ACK/SYN
DROP       all  --  anywhere               anywhere

---------------------------------------------------------------------

If you need any further information, let me know!
Where should I change and compile so that it can route from eth0 -> eth1 (dev32684)?

ramram29 01-07-2008 12:20 PM

What gateway is the Redhat server using? Run the command 'route' and print the output.

saman 01-21-2008 04:10 AM

Quote:

Originally Posted by ramram29 (Post 3014587)
What gateway is the Redhat server using? Run the command 'route' and print the output.

etc]#/sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

archtoad6 02-06-2008 02:08 PM

This is a duplicate of http://www.linuxquestions.org/questi...tables-607528/
please close

archtoad6 02-06-2008 02:19 PM

This is a duplicate of:
http://www.linuxquestions.org/questi...at-box-608800/
&
http://www.linuxquestions.org/questi...tables-618076/
both of which ought to be closed. (& have been reported.)

It's nearly identical to:
http://www.linuxquestions.org/questi...tables-598536/
which is still open, &
http://www.linuxquestions.org/questi...tables-598537/
which has already been closed.

peter_robb 02-07-2008 12:39 PM

Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place.

saman 02-11-2008 07:49 AM

Quote:

Originally Posted by peter_robb (Post 3049282)
Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place.

No idea how to close it!
By the way, how can I solve the problem above?

Brian1 02-11-2008 05:45 PM

Not sure why the OP waits days to respond or just creates a new post. If you need help on this subject, it needs to stay in one single post, and at least check daily for help. So many things have been said and I have no idea where the OP is at this point.

Brian

Brian1 02-12-2008 05:21 PM

The thing I still see is that you are using eth0 as the one connected to the internet. This is the one you define with IP, netmask, and gateway. Then eth1, as the LAN side or whatever you are doing, will have an IP and netmask. No gateway.

Next, post again the following files just to see what you have in them and where.
/etc/sysconfig/iptables
/etc/resolv.conf
/etc/modprobe.conf
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-eth1
/etc/rc.local

Output of the following commands
route -n
/sbin/ifconfig -a

Brian

saman 02-13-2008 05:45 AM

Quote:

Originally Posted by Brian1 (Post 3055026)
The thing I still see is that you are using eth0 as the one connected to the internet. This is the one you define with IP, netmask, and gateway. Then eth1, as the LAN side or whatever you are doing, will have an IP and netmask. No gateway.

Next, post again the following files just to see what you have in them and where.
/etc/sysconfig/iptables
/etc/resolv.conf
/etc/modprobe.conf
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-eth1
/etc/rc.local

Output of the following commands
route -n
/sbin/ifconfig -a

Brian

All I wanted to do is to let the server & eth1 (home network) be able to connect to the internet. Further, the server can handle eth1 requests.

Here is the output:

#/etc/sysconfig/iptables

# Generated by iptables-save v1.2.11 on Wed Dec 5 14:54:47 2007
*filter

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-F
##User defined chain for ACCEPTED TCP packet
-N mars
-A mars -p TCP --syn -j ACCEPT
-A mars -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A mars -p TCP -j DROP

## INPUT Chain rules
-A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
-A INPUT -p ALL -i lo -s 192.168.0.10 -j ACCEPT
-A INPUT -p ALL -i lo -s 192.168.1.5 -j ACCEPT
-A INPUT -p ALL -i eth0 -s 192.168.0.0/24 -j ACCEPT
-A INPUT -p ALL -i eth0 -d 192.168.1.5 -j ACCEPT
-A INPUT -p ALL -i eth0 -d 203.130.193.74 -j ACCEPT
-A INPUT -p ALL -i dev32684 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p TCP -i dev32684 -s 203.130.193.74 -j ACCEPT

## RULES FOR INCOMING PACKET FROM THE INTERNET

# PACKET FOR ESTABLISHED CONNECTIONS
-A INPUT -p ALL -d 192.168.1.2 -m state --state ESTABLISHED,RELATED -j ACCEPT

## TCP Rules
-A INPUT -p TCP -i eth0 --destination-port 21 -j mars
-A INPUT -p TCP -i eht0 --destination-port 22 -j mars
-A INPUT -p TCP -i eth0 --destination-port 80 -j mars
-A INPUT -p TCP -i eth0 --destination-port 113 -j mars

## UDP rules
-A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT
-A INPUT -p ICMP -i eth0 --icmp-type 11 -j ACCEPT

## FORWARD CHAIN RULES
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

## OUTPUT CHAIN RULES
# ONLY OUTPUT PACKET WITH LOCAL ADDRESSES (NO SPOOFING)
-A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.1.5 -j ACCEPT
#-A OUTPUT -p ALL -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -p ALL -d 203.130.193.74 -j ACCEPT
COMMIT

*nat
## POSTROUTING chain rules
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.5:3128
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#-A POSTROUTING -o eth0 -s 192.168.0.10 -j SNAT --to-source 192.168.1.5
#-A POSTROUTING -j MASQUERADE -s 192.168.0.0/24 -o dev32684
COMMIT

#/etc/resolv.conf

; generated by /sbin/dhclient-script
search mars1.marsindo.com
nameserver 192.168.1.5

# /etc/modprobe.conf

alias eth0 sk98lin
alias scsi_hostadapter ata_piix
alias snd-card-0 snd-emu10k1
options snd-card-0 index=0
install snd-emu10k1 /sbin/modprobe --ignore-install snd-emu10k1 && /usr/sbin/alsactl restore >/dev/null 2>&1 || :
remove snd-emu10k1 { /usr/sbin/alsactl store >/dev/null 2>&1 || : ; }; /sbin/modprobe -r --ignore-remove snd-emu10k1
alias snd-card-1 snd-intel8x0
options snd-card-1 index=1
install snd-intel8x0 /sbin/modprobe --ignore-install snd-intel8x0 && /usr/sbin/alsactl restore >/dev/null 2>&1 || :
remove snd-intel8x0 { /usr/sbin/alsactl store >/dev/null 2>&1 || : ; }; /sbin/modprobe -r --ignore-remove snd-intel8x0
alias usb-controller ehci-hcd
alias usb-controller1 uhci-hcd
alias dev32684 8139too

#/etc/sysconfig/network-scripts/ifcfg-eth0

# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
IPV6INIT=no
ONBOOT=yes
USERCTL=no
PEERDNS=yes
TYPE=Ethernet
DEVICE=eth0
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.0.10
GATEWAY=192.168.0.1

#/etc/sysconfig/network-scripts/ifcfg-eth1

# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
IPV6INIT=no
ONBOOT=yes
USERCTL=no
PEERDNS=yes
GATEWAY=192.168.1.1
TYPE=Ethernet
DEVICE=dev32684
HWADDR=00:50:ba:8b:d5:55
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.5

#/etc/rc.local

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.1.1
#/sbin/route default gw 192.168.1.1
#/sbin/ip route add 192.168.0.0/24 via 192.168.1.2 dev dev32684

#/sbin/route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 dev32684
192.168.0.0     192.168.1.1     255.255.255.0   UG    0      0        0 dev32684
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 dev32684
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 dev32684

#/sbin/ifconfig -a

dev32684 Link encap:Ethernet HWaddr 00:50:BA:8B:D5:55
inet addr:192.168.1.5 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::250:baff:fe8b:d555/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:394 errors:0 dropped:0 overruns:0 frame:0
TX packets:255 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:90228 (88.1 KiB) TX bytes:23677 (23.1 KiB)
Interrupt:217 Base address:0xd400

eth0 Link encap:Ethernet HWaddr 00:11:2F:52:50:EB
inet addr:192.168.0.10 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::211:2fff:fe52:50eb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:624 (624.0 b)
Interrupt:209 Memory:feafc000-0

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1712 errors:0 dropped:0 overruns:0 frame:0
TX packets:1712 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1753775 (1.6 MiB) TX bytes:1753775 (1.6 MiB)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

#/etc/named.conf
.
.
forward first;
forwarder {
isp ip address here
};

When I ping yahoo.com,
the ADSL2+ router LED is blinking and I guess it is sending something out, but it never reaches the destination, or vice versa.
I have been doing this for almost 6 months, hence I am desperately seeking help from this forum. Hoping someone can help me here!
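For comparison with the two rulesets posted in this thread, here is an added example (not the thread's own configuration) of a stateful NAT router ruleset for the posted topology, generated in iptables-restore format by a POSIX shell script. It assumes the roles the posted route table implies: dev32684 (192.168.1.5, default gateway 192.168.1.1) is the upstream side and eth0 (192.168.0.0/24) is the LAN; the ESTABLISHED rule deliberately names no address, so it keeps working when an interface address changes, and packets with a LAN source arriving on the upstream interface are dropped.

```shell
#!/bin/sh
# Added example, not the thread's own config: stateful NAT router ruleset for
# the posted topology. Assumed roles (taken from the posted route table):
#   upstream side: dev32684, 192.168.1.5, default gateway 192.168.1.1
#   LAN side:      eth0, 192.168.0.0/24
WAN_IF=dev32684
WAN_IP=192.168.1.5
LAN_IF=eth0
LAN_NET=192.168.0.0/24

# Emit the ruleset in iptables-restore format (what /etc/sysconfig/iptables holds).
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to anything this host started, whatever address it used:
# pinning the state rule to one address breaks as soon as the interface IP changes.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: LAN-sourced packets must not arrive on the upstream interface.
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# Services offered to the LAN only (DNS, DHCP and SSH run on this host).
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Forward LAN -> upstream; the replies come back through the state rule.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite LAN sources to the upstream address so the ISP router can reply to them.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
COMMIT
EOF
}

# Load the rules and turn on forwarding (as root: sh router-rules.sh apply).
apply_rules() {
    gen_rules | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
}

# Number of rules that name a given interface; a quick sanity check for typos.
count_if_rules() { gen_rules | grep -c -- "-[io] $1 "; }

if [ "$1" = apply ]; then apply_rules; fi
```

Running the script without arguments only generates the ruleset, so `sh router-rules.sh | less` lets you review it before `apply` loads it with iptables-restore.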

archtoad6 02-13-2008 11:53 AM

Unsubscribed.