Re: Centos firewall/router issue




Hey everyone, Thanks for the suggestions. It did turn out to be my
rules. I had used one of fwbuilder's templates, and it was killing my
outbound. I had actually taken one of my previous bare-metal fwbuilder
files that was known to work on another firewall, and used that one as
a basis, and it was good to go. I had a few other oddities as well,
that I suspect are unique to my machine for some reason... when
running fwbuilder through a ssh session, the script did not install
right. When I ran the same one from the FW itself, it installed
properly, and all was ok.

So my basic issue is resolved, with a few that are non-CentOS related.

Thanks again!



On 2/22/07, John R Pierce <pierce@xxxxxxxxxxxx> wrote:
Dustin Krysak wrote:
> Good day everyone. Today has been "one of those..." days. So I have a
> feeling this is just a brain lapse here.
>
> At any rate, I am setting up a firewall/router using centos 4.4
> (minimal install, yummed up to date).
>
> I have in fact enabled V4 ip forwarding (by editing /etc/sysctl.conf)
> and rebooted the system. I use fwbuilder for my rules, and at this
> point have a next to nothing set of rules. A DHCP server is also
> residing on this router.
> ...
> Now the issue is, I can not get out of the internal network to the
> internet for any traffic. Pings (by ip and name), web sites, etc.


sounds like you're trying to do a 'NAT' (network address translation)
network, where your local network is on private IP space (192.168.x.y
or 10.x.x.x or whatever), and you're sharing a single public IP. this
requires several very specific and moderately complex rules to implement
what Linux calls 'MASQUERADE', and you need to load the ip_conntrack
module into the kernel, and probably a few more.


at a BARE minimum, you need some variant on these two rules...

   iptables --table nat --append POSTROUTING --out-interface $WAN -j MASQUERADE
   iptables --append FORWARD --in-interface $LAN -j ACCEPT


(where $WAN, $LAN are eth0, eth1, or whatever your internet and local
interfaces are)


if you google for: LINUX MASQUERADE, you'll find all sorts of confusing
info on this :)


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

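The two rules John gives are the minimum that makes masquerading work; what follows is an added example (not from either poster, and not fwbuilder output) that wraps them in a small POSIX sh script with the pieces a defender wants around them: the conntrack/NAT modules loaded first, a default DROP on FORWARD so only LAN-initiated traffic and its replies cross the box, and a check that the sysctl file Dustin edited really enables forwarding. The interface names eth0 (WAN) and eth1 (LAN) are assumptions; the script prints the iptables commands rather than running them so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the thread: generate the minimal NAT ("MASQUERADE")
# rule set the reply describes, with the checks a defender would want before
# trusting the box as a router. Interface names are assumptions (eth0/eth1).

# Print (not execute) the commands for a LAN-behind-one-public-IP router.
# $1 = WAN interface, $2 = LAN interface.
nat_rules() {
    wan=$1
    lan=$2
    cat <<EOF
# connection tracking is what lets the translated replies find their way back
modprobe ip_conntrack
modprobe iptable_nat
# deny forwarding by default, then allow only what the LAN initiates
iptables --policy FORWARD DROP
iptables --table nat --append POSTROUTING --out-interface $wan -j MASQUERADE
iptables --append FORWARD --in-interface $lan --out-interface $wan -j ACCEPT
iptables --append FORWARD --in-interface $wan --out-interface $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Check that a sysctl.conf-style file enables IPv4 forwarding.
# Returns 0 if "net.ipv4.ip_forward = 1" is present, 1 otherwise.
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Apply the generated rules (needs root). Example: apply_nat_rules eth0 eth1
apply_nat_rules() {
    nat_rules "$1" "$2" | sh
}
```

Run `nat_rules eth0 eth1` to inspect the rule set, and `ip_forward_enabled /etc/sysctl.conf` before applying it; a LAN that cannot reach the internet after the rules are loaded is usually either forwarding still off or a rule (such as a template's catch-all) sitting earlier in the FORWARD chain than the ACCEPT above.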
