Re: setup firewall with 3 nic cards

<J.Witvliet@xxxxxxxxx> · Wed, 19 May 2010 10:30:43 +0200

Hi Jerry,

Just a general remark.
When deploying a firewall, it is advisable to have (atleast for input, better for all) to have the general policy set to drop, and only allow in what you expect to be coming in. If you put a "-j log" line as a final line for each section, you'll see every packet you forgot about...

Now the default is "allow", and only doing some SNAT and DNAT rules...

hw

-----Original Message-----
From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Jerry Geis
Sent: Tuesday, May 11, 2010 12:10 AM
To: CentOS ML
Subject:  setup firewall with 3 nic cards

I have a centos box with 3 nics. eth0 is internal, eth1 is T1 data and eth2 is cable data.
Everything is working on eth2 cable. External NAT is working just fine for eth2.
However external address 74.x.x.x on eth1 is not working.

Below is my iptables information.

I setup eth1 same as eth2 just a different IP address of course. What did I miss that
eth1 and NAT is not working?

Just looking for both public IP's incoming to NAT to the correct IP address. Only 1 is working at this time.

Thanks,

Jerry

---------------

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            24.123.23.170       tcp dpt:22 to:192.168.1.209:22 
DNAT       tcp  --  0.0.0.0/0            24.123.23.170       tcp dpt:25 to:192.168.1.209:25 
DNAT       tcp  --  0.0.0.0/0            24.123.23.170       tcp dpt:80 to:192.168.1.209:80 
DNAT       tcp  --  0.0.0.0/0            74.223.8.179        tcp dpt:22 to:192.168.1.58:22
DNAT       tcp  --  0.0.0.0/0            74.223.8.179        tcp dpt:25 to:192.168.1.58:25 
DNAT       tcp  --  0.0.0.0/0            74.223.8.179        tcp dpt:80 to:192.168.1.58:80 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.1.0/24       0.0.0.0/0           to:24.123.23.170 
SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1 
SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1 
SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1 
SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1 
SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1 
SNAT       all  --  0.0.0.0/0            192.168.1.209       to:192.168.1.1 
SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1 
SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1 
SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1
SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1
SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1 
SNAT       all  --  0.0.0.0/0            192.168.1.58        to:192.168.1.1 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
24.123.23.168   0.0.0.0         255.255.255.248 U     0      0        0 eth2
74.223.8.176    0.0.0.0         255.255.255.240 U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         24.123.23.169   0.0.0.0         UG    0      0        0 eth2

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

______________________________________________________________________
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos