Hi,

I'm trying to do NAT and filtering via a transfer network and have run into a small problem here. The configuration is as follows (this is going to be a lot of information):

                         | Internet
                ------------------
                |  Cisco-Router  |
                |213.30.216.41/29|
                ------------------
                         |
                ------------------      (Switch-1 is needed because there
                |    Switch-1    |       will be two more servers in the
                ------------------       public network.)
                         |
                         | eth1 213.30.216.46/29
                ------------------
                |  RedHat9-Box   |
                |for NAT&Firewall|
                ------------------
                         | eth0 10.49.0.254/24
                         |
                ------------------
                |    Switch-2    |
                ------------------
                         |
                         | eth0 10.49.0.2/24
               -----------------------
               | Example Windows Box |
               |    (Workstations)   |
               -----------------------

* * * * * * * * * *

IP configuration of the RedHat9 box:

/proc/sys/net/ipv4/ip_forward is set to 1

eth0      Link encap:Ethernet  HWaddr 00:80:5F:EF:98:61
          inet addr:10.49.0.254  Bcast:10.49.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1799 errors:0 dropped:0 overruns:0 frame:0
          TX packets:85 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:167870 (163.9 Kb)  TX bytes:8172 (7.9 Kb)
          Interrupt:9 Base address:0x6400

eth1      Link encap:Ethernet  HWaddr 00:50:FC:60:D3:D2
          inet addr:213.30.216.46  Bcast:213.30.216.47  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60937 errors:0 dropped:0 overruns:0 frame:0
          TX packets:55418 errors:0 dropped:0 overruns:3 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:7250217 (6.9 Mb)  TX bytes:14255761 (13.5 Mb)
          Interrupt:9 Base address:0x1000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3394 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3394 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:172834 (168.7 Kb)  TX bytes:172834 (168.7 Kb)

Kernel IP routing table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
213.30.216.40   0.0.0.0         255.255.255.248 U     0      0        0 eth1
10.49.0.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

iptables configuration:

# Generated by iptables-save v1.2.7a on Tue Dec  6 17:35:13 2005
*mangle
:PREROUTING ACCEPT [46:2583]
:INPUT ACCEPT [46:2583]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [42:2120]
:POSTROUTING ACCEPT [42:2120]
COMMIT
# Completed on Tue Dec  6 17:35:13 2005
# Generated by iptables-save v1.2.7a on Tue Dec  6 17:35:13 2005
*nat
:PREROUTING ACCEPT [5:487]
:POSTROUTING ACCEPT [19:1140]
:OUTPUT ACCEPT [19:1140]
# For the moment, the web and mailserver are behind the firewall
-A PREROUTING -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.49.0.252:25
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.49.0.252:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.49.0.252:110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.49.0.252:143
-A POSTROUTING -o eth1 -j SNAT --to-source 213.30.216.46
COMMIT
# Completed on Tue Dec  6 17:35:13 2005
# Generated by iptables-save v1.2.7a on Tue Dec  6 17:35:13 2005
*filter
:INPUT DROP [22:1402]
:FORWARD ACCEPT [1655:671022]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 10001 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Dec  6 17:35:13 2005

* * * * * * * * * *

I have no access to the configuration of the Cisco router (ISP box).

For the Windows boxes, the gateway is set to eth0 of the firewall (10.49.0.254), which is reachable by a ping.

Problem: Nothing in the public network or on the internet is reachable from the private network.

Since I can ping both the public and the private network from the RedHat box, I assume that NAT isn't working.

Question: What did I forget or do wrong?

TIA
Sven

-- 
10 GB mailbox, 100 free SMS/month http://www.gmx.net/de/go/topmail
+++ GMX - the first address for Mail, Message, More +++
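An added example, not part of Sven's post: a small Python parser for the iptables-save format shown above, with a check of what a LAN-to-WAN flow needs from the nat and filter tables (an SNAT or MASQUERADE rule on the outside interface, and a FORWARD chain that lets the flow through). The embedded RULESET is a trimmed copy of the post's rules, and the interface names are the post's eth0/eth1.

```python
# Added example (not from the post): parse iptables-save output and check the
# NAT path for LAN -> WAN traffic. RULESET is a trimmed copy of the post's rules.
RULESET = """\
*nat
:PREROUTING ACCEPT [5:487]
:POSTROUTING ACCEPT [19:1140]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.49.0.252:80
-A POSTROUTING -o eth1 -j SNAT --to-source 213.30.216.46
COMMIT
*filter
:INPUT DROP [22:1402]
:FORWARD ACCEPT [1655:671022]
-A INPUT -i lo -j ACCEPT
COMMIT
"""
EMPTY = {"policy": {}, "rules": []}

def parse(text):
    """Return {table: {"policy": {chain: policy}, "rules": [{"chain", "opts"}]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            toks = line.split()
            # collect "-opt value" pairs; a later -m overwrites an earlier one, fine here
            opts = {t: toks[i + 1] for i, t in enumerate(toks[:-1])
                    if t.startswith("-") and not toks[i + 1].startswith("-")}
            table["rules"].append({"chain": toks[1], "opts": opts})
    return tables

def check_nat_path(tables, lan_if, wan_if):
    """Findings for a LAN -> WAN flow: is it forwarded, and is the source translated?"""
    findings, nat, flt = [], tables.get("nat", EMPTY), tables.get("filter", EMPTY)
    if not any(r["chain"] == "POSTROUTING" and r["opts"].get("-j") in ("SNAT", "MASQUERADE")
               and r["opts"].get("-o", wan_if) == wan_if for r in nat["rules"]):
        findings.append("no SNAT/MASQUERADE on %s: replies cannot return to the LAN" % wan_if)
    fwd = [r for r in flt["rules"] if r["chain"] == "FORWARD"]
    policy = flt["policy"].get("FORWARD")
    if policy != "ACCEPT" and not any(
            r["opts"].get("-j") == "ACCEPT" and r["opts"].get("-i", lan_if) == lan_if
            and r["opts"].get("-o", wan_if) == wan_if for r in fwd):
        findings.append("FORWARD does not allow %s -> %s" % (lan_if, wan_if))
    if policy == "ACCEPT" and not fwd:
        # hardening point: DNAT'd hosts and the LAN sit behind an unfiltered FORWARD chain
        findings.append("FORWARD policy ACCEPT with no rules: forwarding is unfiltered")
    return findings
```

The script only reads the rulesets; ip_forward and the kernel routing table shown in the post are checked separately.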