Redhat Router + Iptables
ISP ------* ISDN modem/Router * --- switch1 -- eth0 * DNS/ DHCP Server* eth1 --- switch2 ------ * Local Area Network / Wifi Broadcasting *
RHEL4:
eth1 IP: 192.168.1.2 DNS (mycompany.com) GW: 192.168.1.1
eth0 IP: 192.168.0.10 GW: 192.168.0.1
DNS & DHCP are working fine.

#/etc/named.conf
.
.
forwarder first;
forwarder { 103.130.0.1 } (Example ISP IP address)
.
.
.

(testing) If I plug a cable into switch1 with Windows XP Prof, static IP: 192.168.1.10, GW: 192.168.1.1, ISP DNS: 103.130.0.1, it works fine and I can surf the internet, but from the RHEL4 server I can't surf or ping the internet. ??????

Here below are the RHEL4 settings:

#/etc/sysconfig/network
networking=yes
Hostname='comp1.mycompany.com'
Domainname='mycompany.com'
GATEWAY=192.168.1.1
GATEWAYDEV=eth0

#/etc/sysctl.conf
net.ipv4.ip_forward = 1

The iptables setting:

#/etc/sysconfig/iptables
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.2

Can anyone help me solve the problem? Help will be appreciated.
Sam |
What's in your /etc/resolv.conf?
|
Quote:
search mycomp1.mycomputer.com
nameserver 192.168.1.2 (mycomp1 DNS ip address)
nameserver 103.130.0.1 (my ISP ip address)

When I ping google.com, the ADSL2+/Router light is blinking and no results show up. |
Things I see: do not define a gateway for NIC eth1. IP forwarding and masquerading handle this for you. Next, I would leave the following like so.

#/etc/sysconfig/network
networking=yes
HOSTNAME=comp1.mycompany.com
DOMAINNAME=mycompany.com

Not sure about the DOMAINNAME there though. I do not know if that is all there is in /etc/sysconfig/iptables, but I don't think you can write it like so unless it is a script, which it does not appear to be. If there are other items there then leave them for now, but post them if there are. If not, then I would move the line to /etc/rc.local. When placing that command there, use the full path to the iptables command, /sbin/iptables. Then disable the iptables service if no other lines are in that file. If there are other firewall lines then do not do the following. But to disable it on next boot, do the following command.

/sbin/chkconfig --level 345 iptables off

Also I assume there are no () in the /etc/resolv.conf file. So while you're at it, post the contents of the following files in full.

/etc/sysconfig/iptables
/etc/sysconfig/networking-script/ifcfg-eth0
/etc/sysconfig/networking-script/ifcfg-eth1
/etc/sysconfig/network
/etc/resolv.conf

Then output from the following commands.

/sbin/ifconfig -a
/sbin/route
/sbin/service --status-all

To me this looks like a lot of Debian configuration, which the Redhat distro is not.
Brian |
Quote:
Here are the iptables scripts:

#Generated by iptables-save v1.2.11
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-F
#User defined chain for ACCEPTED TCP Packet
-N ok
-A ok -p TCP --syn -j ACCEPT
-A ok -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A ok -p TCP -j DROP
# INPUT chain rules
-A INPUT -P all -i lo -s 127.0.0.1 -j ACCEPT
-A INPUT -P all -i lo -s 192.168.1.2 -j ACCEPT
-A INPUT -P all -i lo -s 192.168.0.10 -j ACCEPT
-A INPUT -P all -i eth1 -d 192.168.1.2 -j ACCEPT
-A INPUT -P all -i eth1 -d $ISP_IP -j ACCEPT
# Rules for incoming packet from internet
# Packet for established connections
-A INPUT -p ALL -d 192.168.1.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# TCP rules
-A INPUT -p TCP -i eth0 --destination-port 21 -j ok
-A INPUT -p TCP -i eth0 --destination-port 22 -j ok
-A INPUT -p TCP -i eth0 --destination-port 80 -j ok
-A INPUT -p TCP -i eth0 --destination-port 113 -j ok
# UDP rules
-A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT
-A INPUT -p ICMP -i eth0 --icmp-type 11 -j ACCEPT
# FORWARD chain rules
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT chain rules
-A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.0.10 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.1.2 -j ACCEPT
-A OUTPUT -p ALL -s $ISP_IP -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.2
COMMIT
---------------------------------------------------------------
Here below is the #/etc/sysconfig/network-scripts/ifcfg-eth1
IPV6INIT=no
ONBOOT=yes
USERCTL=no
PEERDBS=yes
GATEWAY=192.168.1.1
TYPE=Ethernet
DEVICE=dev32684
HWADDR=00:50:BA:8B:d5:56
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.2
-------------------------------------------------------------
Here is the #/etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=no
ONBOOT=yes
USERCTL=no
PEERDBS=yes
TYPE=Ethernet
DEVICE=eth0
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.0.10
---------------------------------------------------------------
Here below is the #/etc/sysconfig/network
NETWORKING=yes
HOSTNAME=mycomp1.mycompany.com
DOMAINNAME='mycompany.com'
----------------------------------------------------------------
Here below is the #/etc/resolv.conf
search mycomp1.mycompany.com
nameserver 192.168.1.2
nameserver $ISP_IP (all $ISP_IP is just an example)
nameserver $ISP_IP note (ISP_IP is just an example, or ())
-----------------------------------------------------------------
#/sbin/ifconfig -a
dev32684  Link encap:Ethernet  HWaddr 00:50:BA:...etc
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:baff:fe8b..etc Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          etc..

eth1      Link encap:Ethernet  HWaddr 00:2F...etc
          BROADCAST MULTICAST  MTU: ..ETC
          RX TX Interrupt

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX TX

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX TX
-----------------------------------------------------------------
#/sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 dev32684
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 dev32684
default         192.168.1.1     0.0.0.0         UG    0      0        0 dev32684
-------------------------------------------------------------------
#/sbin/service --status-all
Too much output to write on this page, hence I just briefly write the /sbin/iptables -L output:

Chain INPUT (policy DROP)
target     prot opt source                 destination
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.0.10           anywhere
ACCEPT     all  --  mycomp1.mycompany.com  anywhere
ACCEPT     all  --  anywhere               mycomp1.mycompany.com
ACCEPT     all  --  anywhere               $ISP_IP (130..etc)
ACCEPT     all  --  anywhere               mycomp1.mycompany.com  state RELATED,ESTABLISHED
ok         tcp  --  anywhere               anywhere               tcp dpt:ftp
ok         tcp  --  anywhere               anywhere               tcp dpt:ssh
ok         tcp  --  anywhere               anywhere               tcp dpt:http
ok         tcp  --  anywhere               anywhere               tcp dpt:auth
ACCEPT     icmp --  anywhere               anywhere               icmp echo-request
ACCEPT     icmp --  anywhere               anywhere               icmp time-exceeded

Chain FORWARD (policy DROP)
target     prot opt source                 destination
ACCEPT     all  --  anywhere               anywhere
ACCEPT     all  --  anywhere               anywhere               state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source                 destination
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.0.10           anywhere
ACCEPT     all  --  mycomp1.mycomputer.com anywhere
ACCEPT     all  --  anywhere               ISP_IP (130.XX.XX.XX)

Chain ok (4 references)
target     prot opt source                 destination
ACCEPT     tcp  --  anywhere               anywhere
ACCEPT     tcp  --  anywhere               anywhere               tcp flags:SYN,RST,ACK/SYN
DROP       all  --  anywhere               anywhere
---------------------------------------------------------------------
If you need any further information let me know! Where should I change and compile so that it can route from eth0 -> eth1 (dev32684)... |
What gateway is the Redhat server using? Run the command 'route' and print the output.
|
Quote:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1 |
This is a duplicate of http://www.linuxquestions.org/questi...tables-607528/
please close |
This is a duplicate of:
http://www.linuxquestions.org/questi...at-box-608800/ & http://www.linuxquestions.org/questi...tables-618076/ both of which ought to be closed. (& have been reported.) It's nearly identical to: http://www.linuxquestions.org/questi...tables-598536/ which is still open, & http://www.linuxquestions.org/questi...tables-598537/ which has already been closed. |
Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place.
|
Quote:
By the way, how can I solve the problem above? |
Not sure why the OP waits days to respond back or just creates a new post. If needing help on this subject, it needs to stay in one single post, and at least check daily for help. So many things have been said and no idea where the OP is at this point.
Brian |
The thing again I still see is you are using eth0 as connected to the internet. This is the one you define with IP, netmask, and gateway. Then eth1, as the LAN side or whatever you are doing, will have an IP and netmask. No gateway.

Next, post again the following files just to see what you have in them and where.

/etc/sysconfig/iptables
/etc/resolv.conf
/etc/modprobe.conf
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-eth1
/etc/rc.local

Output of the following commands:

route -n
/sbin/ifconfig -a

Brian |
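Brian's two posts above describe the same layout twice: the internet-facing NIC carries the IP, netmask and gateway, the LAN NIC carries only an IP and netmask, and ip_forward plus masquerading do the rest. The script below is an added example written for this thread, not code posted by Brian, Sam or any project; it checks the ifcfg files for a gateway on more than one NIC and prints a minimal stateful NAT ruleset in iptables-restore format. The interface names (eth0 internet side, eth1 LAN), the LAN subnet 192.168.0.0/24 and the ifcfg directory are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: lint for the "gateway on both NICs"
# mistake, plus a minimal stateful NAT ruleset for iptables-restore.
# Interface names, LAN subnet and ifcfg directory are assumptions.

# count_gateways DIR
# Prints how many ifcfg-* files under DIR set GATEWAY=. On a router only the
# internet-facing NIC should carry one; a LAN NIC with a gateway adds a second
# default-route candidate and breaks forwarding in hard-to-see ways.
count_gateways() {
    n=0
    for f in "$1"/ifcfg-*; do
        [ -f "$f" ] || continue
        if grep -q '^GATEWAY=' "$f"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# nat_ruleset WAN LAN LAN_NET
# Prints a complete iptables-restore ruleset:
#   - INPUT and FORWARD default to DROP, so nothing is reachable unless listed
#   - replies are matched by connection state, not by source address lists
#   - LAN hosts are forwarded out of WAN and masqueraded behind the WAN
#     address, so the router's own IP is not hard-coded in the SNAT rule
nat_ruleset() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $net -j ACCEPT
-A INPUT -i $wan -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -s $net -j MASQUERADE
COMMIT
EOF
}

# Usage: sh router-check.sh --apply   (as root; without --apply nothing changes)
# WAN_IF / LAN_IF / LAN_NET are assumed values; adjust them to your layout.
if [ "${1:-}" = "--apply" ]; then
    WAN_IF=eth0
    LAN_IF=eth1
    LAN_NET=192.168.0.0/24
    dir=/etc/sysconfig/network-scripts
    if [ "$(count_gateways "$dir")" -gt 1 ]; then
        echo "refusing: more than one ifcfg file in $dir sets GATEWAY=" >&2
        exit 1
    fi
    sysctl -w net.ipv4.ip_forward=1
    nat_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" | iptables-restore
fi
```

Running it without `--apply` only defines the functions, so `nat_ruleset eth0 eth1 192.168.0.0/24` can be inspected before anything is loaded; the gateway check refuses to apply rules when the ifcfg files show the very mistake under discussion.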
Quote:
Here is the output:

#/etc/sysconfig/iptables
# Generated by iptables-save v1.2.11 on Wed Dec 5 14:54:47 2007
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-F
##User defined chain for ACCEPTED TCP packet
-N mars
-A mars -p TCP --syn -j ACCEPT
-A mars -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A mars -p TCP -j DROP
## INPUT Chain rules
-A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
-A INPUT -p ALL -i lo -s 192.168.0.10 -j ACCEPT
-A INPUT -p ALL -i lo -s 192.168.1.5 -j ACCEPT
-A INPUT -p ALL -i eth0 -s 192.168.0.0/24 -j ACCEPT
-A INPUT -p ALL -i eth0 -d 192.168.1.5 -j ACCEPT
-A INPUT -p ALL -i eth0 -d 203.130.193.74 -j ACCEPT
-A INPUT -p ALL -i dev32684 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p TCP -i dev32684 -s 203.130.193.74 -j ACCEPT
## RULES FOR INCOMING PACKET FROM THE INTERNET
# PACKET FOR ESTABLISHED CONNECTIONS
-A INPUT -p ALL -d 192.168.1.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
## TCP Rules
-A INPUT -p TCP -i eth0 --destination-port 21 -j mars
-A INPUT -p TCP -i eht0 --destination-port 22 -j mars
-A INPUT -p TCP -i eth0 --destination-port 80 -j mars
-A INPUT -p TCP -i eth0 --destination-port 113 -j mars
## UDP rules
-A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT
-A INPUT -p ICMP -i eth0 --icmp-type 11 -j ACCEPT
## FORWARD CHAIN RULES
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## OUTPUT CHAIN RULES
# ONLY OUTPUT PACKET WITH LOCAL ADDRESSES (NO SPOOFING)
-A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.1.5 -j ACCEPT
#-A OUTPUT -p ALL -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -p ALL -d 203.130.193.74 -j ACCEPT
COMMIT
*nat
## POSTROUTING chain rules
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.5:3128
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#-A POSTROUTING -o eth0 -s 192.168.0.10 -j SNAT --to-source 192.168.1.5
#-A POSTROUTING -j MASQUERADE -s 192.168.0.0/24 -o dev32684
COMMIT

#/etc/resolv.conf
; generated by /sbin/dhclient-script
search mars1.marsindo.com
nameserver 192.168.1.5

# /etc/modprobe.conf
alias eth0 sk98lin
alias scsi_hostadapter ata_piix
alias snd-card-0 snd-emu10k1
options snd-card-0 index=0
install snd-emu10k1 /sbin/modprobe --ignore-install snd-emu10k1 && /usr/sbin/alsactl restore >/dev/null 2>&1 || :
remove snd-emu10k1 { /usr/sbin/alsactl store >/dev/null 2>&1 || : ; }; /sbin/modprobe -r --ignore-remove snd-emu10k1
alias snd-card-1 snd-intel8x0
options snd-card-1 index=1
install snd-intel8x0 /sbin/modprobe --ignore-install snd-intel8x0 && /usr/sbin/alsactl restore >/dev/null 2>&1 || :
remove snd-intel8x0 { /usr/sbin/alsactl store >/dev/null 2>&1 || : ; }; /sbin/modprobe -r --ignore-remove snd-intel8x0
alias usb-controller ehci-hcd
alias usb-controller1 uhci-hcd
alias dev32684 8139too

#/etc/sysconfig/network-scripts/ifcfg-eth0
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
IPV6INIT=no
ONBOOT=yes
USERCTL=no
PEERDNS=yes
TYPE=Ethernet
DEVICE=eth0
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.0.10
GATEWAY=192.168.0.1

#/etc/sysconfig/network-scripts/ifcfg-eth1
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
IPV6INIT=no
ONBOOT=yes
USERCTL=no
PEERDNS=yes
GATEWAY=192.168.1.1
TYPE=Ethernet
DEVICE=dev32684
HWADDR=00:50:ba:8b:d5:55
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.5

#etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.1.1
#/sbin/route default gw 192.168.1.1
#/sbin/ip route add 192.168.0.0/24 via 192.168.1.2 dev dev32684

#sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 dev32684
192.168.0.0     192.168.1.1     255.255.255.0   UG    0      0        0 dev32684
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 dev32684
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 dev32684

#sbin/ifconfig -a
dev32684  Link encap:Ethernet  HWaddr 00:50:BA:8B:D5:55
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:baff:fe8b:d555/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:394 errors:0 dropped:0 overruns:0 frame:0
          TX packets:255 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:90228 (88.1 KiB)  TX bytes:23677 (23.1 KiB)
          Interrupt:217 Base address:0xd400

eth0      Link encap:Ethernet  HWaddr 00:11:2F:52:50:EB
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::211:2fff:fe52:50eb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:624 (624.0 b)
          Interrupt:209 Memory:feafc000-0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1712 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1712 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1753775 (1.6 MiB)  TX bytes:1753775 (1.6 MiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

#/etc/named.conf
.
.
forward first;
forwarder { isp ip address here };

When I ping yahoo.com the ADSL2+ router LED is blinking, and I guess it is sending something out, but it never reached the destination or vice versa. I have been doing this for almost 6 months, hence desperately seeking help from this forum. Hoping someone can help me here! |
Unsubscribed.
|