iptables -t nat -A POSTROUTING -s $DMZ -o eth0 -j MASQUERADE is the only MASQUERADE that is relavant . $DMZ = 192.168.1.0/24 the hq cisco router sits in the dmz. I have listed below the the rules i have in the fire wall that are relavant iptables -A FORWARD -d 192.168.199.253 -j ACCEPT << doesnt work iptables -A FORWARD -s 192.168.199.253 -j ACCEPT << doesnt work iptables -A FORWARD -d 192.168.200.240 -j ACCEPT << works iptables -A FORWARD -s 192.168.200.240 -j ACCEPT << works iptables -A FORWARD -s 192.168.199.0/24 -j DROP iptables -A FORWARD -s 192.168.200.0/24 -j DROP iptables -A OUTPUT -m state --state NEW -o eth1 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state NEW -o eth1 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT On 7/24/07, Stuart Murray-Smith <eight32@xxxxxxxxx> wrote:
> I have an fc6 box at hq as router / firewall. > I have a cisco route at the remote site, with 2 ip address on the lan > interface on in the 192.168.199.254/24 and 192.168.200.254/24 from > server 192.168.200.240 i can ping google.com, but for 192.168.199.253 > my tracroute dies on the firewall.. > > both ip ranges have the same iptables rules an routing .. why would > the 192.168.199.253 not be able to access the internet ?? Looks like you're NATing on the .200 subnet and not the .199 subnet What does your MASQUERADE iptable(s) look like? Stu@ -- Then you will know the truth, and the truth will set you free. -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
-- Gregory Machin gregory.machin@xxxxxxxxx www.linuxpro.co.za -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list