Re: Using a CentOS 6 Machine as a gateway/router/home server




On Sun, 28 Jun 2015, Brian Miller wrote:

On Sun, 2015-06-28 at 14:50 -0400, Max Pyziur wrote:

I haven't set up the firewall yet (dangerous, I know) until I get the
connectivity working.

I'm obviously overlooking some other configuration settings required for
machines inside the network being able to connect through the
gateway/router.

As others have pointed out, you're either missing a NAT layer or you got
a large enough IP allocation to subnet and you haven't set up routing.
Probably safe to assume it's NAT.

I'd suggest at a minimum you install something like shorewall to assist
in managing your firewall and IP masquerading tasks.  It's available in
EPEL, is very well documented, and provides enough built-in sanity
checks to protect you against making some silly (and some not so silly)
mistakes in your firewall management.

Thanks to all for pointing me in the direction of iptables and IP masquerading.

From several sources, code, and the stock CentOS iptables, I've cobbled together the
following /etc/sysconfig/iptables; while it works, I suspect that there are holes:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING  -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
COMMIT

I also seem to need to load
iptable_nat
nf_nat_ftp

via rc.local

Is this correct?

Thank you again,

Max
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
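
A tightened variant of the ruleset posted above, as an added example that is not part of the original message or the thread. The interface names (eth0 as the ISP-facing side, eth1 as the LAN side) and the 192.168.1.0/24 LAN subnet are assumptions; the INPUT rules are kept as posted.

```iptables
# Added example. Assumed names: eth0 = WAN, eth1 = LAN,
# 192.168.1.0/24 = LAN subnet. Adjust all three to the real machine.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade only LAN-sourced traffic that leaves through the WAN
# interface. The posted rule had no -s/-o match, so it rewrote the
# source address of every packet leaving on every interface.
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
# Default-deny forwarding. With policy ACCEPT and no FORWARD rules,
# the box routes any packet it receives, in either direction.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT rules unchanged from the posted ruleset.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Return traffic for connections that are already tracked.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections may only start on the LAN and leave via the WAN.
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
COMMIT
```

On CentOS 6 the iptables init script loads the helper modules listed in IPTABLES_MODULES in /etc/sysconfig/iptables-config (for example "nf_conntrack_ftp nf_nat_ftp"), so rc.local is not needed for them. Forwarding itself is enabled with net.ipv4.ip_forward = 1 in /etc/sysctl.conf.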


