| Thread ID: 64911 | 2006-01-02 00:37:00 | Gateway won't let client out | hamstar (4) | Press F1 |
| Post ID | Timestamp | User |

| 417232 | 2006-01-02 00:37:00 | hamstar (4) |
Hey guys, got my dialup connection working right, but now I can't gateway to it from my main box. The gateway box is an fc3 console, and the main box is an opensuse 10 desktop. Routing tables are as follows:

fc3 gateway box (192.168.0.1):
  Destination   Gateway        Genmask          Flags  Iface
  202.89.136.1  *              255.255.255.255  UG     ppp0
  192.168.0.0   *              255.255.255.0    U      eth0
  169.254.0.0   *              255.255.0.0      U      eth0
  0.0.0.0       202.89.136.1   0.0.0.0          UH     ppp0

os10 main box (192.168.0.11):
  Destination   Gateway        Genmask          Flags  Iface
  192.168.0.1   0.0.0.0        255.255.255.255  UH     eth0
  192.168.0.0   0.0.0.0        255.255.255.0    U      eth0
  169.254.0.0   0.0.0.0        255.255.0.0      U      eth0
  127.0.0.0     0.0.0.0        255.0.0.0        U      lo
  0.0.0.0       192.168.0.1    0.0.0.0          UG     eth0

network: 192.168.0.0
quicksilver: 202.89.136.1
domain: site

Can ping everything locally, can ping externally from the gateway but can't ping externally from the desktop box...
  192.168.0.1  => 192.168.0.11
  192.168.0.11 => 192.168.0.1
  192.168.0.1  => 202.89.136.1
  192.168.0.11 =X 202.89.136.1

IP forwarding is enabled in /etc/sysctl.conf.
eth0 is set to trusted device in system-config-securitylevel.
Anyone know what's going on? Cheers
| 417233 | 2006-01-02 02:56:00 | hamstar (4) |
umm... help?
| 417234 | 2006-01-02 05:51:00 | Chilling_Silence (9) |
What are your iptables rules? Do a search by my name, I posted a short .sh script you can run which will FWD the connections for you... I believe it was in reply to Personthingy's post... Have a look through my history anyways :)
| 417235 | 2006-01-03 02:45:00 | hamstar (4) |
Can't find it anywhere dude... neither the vBulletin nor Google search finds it... and you have a ****eload of posts....
| 417236 | 2006-01-04 00:18:00 | hamstar (4) |
Never mind... on the right track now :D www.redhat.com
| 417237 | 2006-01-04 19:57:00 | hamstar (4) |
For future reference to anyone: save this as a script or run the commands by hand.

  #!/bin/bash
  # Block all traffic by default
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
  # Allow all traffic on eth0
  iptables -A INPUT -i eth0 -j ACCEPT
  iptables -A OUTPUT -o eth0 -j ACCEPT
  iptables -A FORWARD -i eth0 -j ACCEPT
  iptables -A FORWARD -o eth0 -j ACCEPT
  # Allow the server to route packets externally (activate NAT)
  iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  # Allow http and https
  iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
  iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
  iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
  iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
  # Save settings to file
  service iptables save

If you want to allow other services such as pop3 (port 110), smtp (25), and ftp (21) you'll have to add sport and dport like the others are with their respective ports.

service iptables save will only work with fedora core (and redhat?) that I've seen. I think the generic command would be /etc/init.d/iptables save.

Hope this helps someone.
| 417238 | 2006-01-04 20:12:00 | Growly (6) |
My debian router doesn't need to masquerade because it's behind an ADSL modem, which itself provides NAT functionality. Hence I only need it to a) block all ports and b) forward ones I like. So if you want to forward ports, use this syntax:

  iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 49995:50000 -j DNAT --to 192.168.0.100:49995-50000

Here I have forwarded all incoming traffic on ports in the range 49995 to 50000 from interface eth1 (internet side) to local machine 192.168.0.100's corresponding ports.
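An added example, not Growly's script: the DNAT rule in the post rewrites the destination in the nat table, but when the FORWARD chain policy is DROP (as in the script posted earlier in this thread) the rewritten packet is still discarded there, so a working port-forward needs a matching FORWARD accept as well. The helper below validates the port range first and then emits both rules. It assumes the interface eth1, the internal host 192.168.0.100 and the range 49995-50000 from the post; IPT defaults to a dry run that only prints the commands, and is set to iptables (as root) to apply them.

```shell
#!/bin/sh
# Added example (not the original poster's script): DNAT port-forward paired
# with the FORWARD rule it needs under a DROP policy. Dry run by default.
IPT="${IPT:-echo iptables}"   # run as: IPT=iptables sh forward.sh (as root) to apply

# forward_tcp_range WAN_IF INTERNAL_IP FIRST_PORT LAST_PORT
# Returns 1 without emitting anything if the port range is not sane.
forward_tcp_range() {
    wan_if="$1"; dst_ip="$2"; first="$3"; last="$4"

    # Refuse non-numeric, out-of-range or reversed ranges before touching the firewall.
    case "${first:-x}${last:-x}" in
        *[!0-9]*) echo "ports must be numeric" >&2; return 1 ;;
    esac
    if [ "$first" -lt 1 ] || [ "$last" -gt 65535 ] || [ "$first" -gt "$last" ]; then
        echo "bad port range $first-$last" >&2; return 1
    fi

    # 1. Rewrite the destination of packets arriving on the internet-facing interface.
    $IPT -t nat -A PREROUTING -i "$wan_if" -p tcp --dport "$first:$last" -j DNAT --to-destination "$dst_ip:$first-$last"
    # 2. Let the rewritten packets through FORWARD; with a DROP policy DNAT alone is not enough.
    $IPT -A FORWARD -i "$wan_if" -p tcp -d "$dst_ip" --dport "$first:$last" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. Replies from the internal host are already tracked, so only ESTABLISHED/RELATED go back out.
    $IPT -A FORWARD -o "$wan_if" -s "$dst_ip" -p tcp --sport "$first:$last" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Values from the post (constructed usage; eth1 is the modem side of the router).
forward_tcp_range eth1 192.168.0.100 49995 50000
```

The forward rule is deliberately limited to the one destination host and port range, so the DNAT entry does not silently become a general allow-through for the WAN interface.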
| 417239 | 2006-01-04 23:28:00 | vinref (6194) |
Not using stateful capabilities of iptables? Tsk tsk...
| 417240 | 2006-01-05 00:23:00 | hamstar (4) |
Stateful capabilities? I think I touched on that but it looked very complicated... will look again soon...
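An added example, not hamstar's posted script: the same dial-up gateway policy rebuilt with the state match vinref is referring to. Instead of opening INPUT and OUTPUT by source port (which lets in any packet that merely claims to come from port 80), replies are accepted because they belong to a connection the gateway already allowed, and only NEW connections from the LAN towards ppp0 are forwarded. It assumes the eth0/ppp0 pair and the 192.168.0.0/24 LAN from the routing tables in the first post, and adds a check of the live ip_forward value, since /etc/sysctl.conf is only applied at boot or by sysctl -p. IPT defaults to a dry run that prints the commands.

```shell
#!/bin/sh
# Added example (not the script from the thread): stateful NAT gateway ruleset.
# Dry run by default; apply with: IPT=iptables sh gateway.sh (as root).
IPT="${IPT:-echo iptables}"

# stateful_gateway LAN_IF WAN_IF LAN_NET
stateful_gateway() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"

    # Start from an empty, deny-by-default ruleset.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Anti-spoofing first: packets on the modem link claiming a LAN source are bogus.
    $IPT -A INPUT -i "$wan_if" -s "$lan_net" -j DROP
    $IPT -A FORWARD -i "$wan_if" -s "$lan_net" -j DROP

    # Loopback, then anything belonging to a connection already accepted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The gateway itself may open connections anywhere; LAN hosts may talk to the gateway.
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$lan_if" -s "$lan_net" -m state --state NEW -j ACCEPT

    # Only NEW connections from the LAN towards the modem link are forwarded;
    # nothing arriving on ppp0 can start a connection into the LAN.
    $IPT -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" -m state --state NEW -j ACCEPT

    # Source NAT behind the dial-up address, which changes on every connect.
    $IPT -t nat -A POSTROUTING -o "$wan_if" -s "$lan_net" -j MASQUERADE
}

# ip_forward_enabled: succeeds only if the kernel is forwarding right now.
# A setting in /etc/sysctl.conf alone is not enough until it has been loaded.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Values from the thread (constructed usage).
stateful_gateway eth0 ppp0 192.168.0.0/24
ip_forward_enabled || echo "kernel is not forwarding; run: sysctl -w net.ipv4.ip_forward=1" >&2
```

After applying for real, `service iptables save` (on Fedora, as the thread notes) persists the ruleset across reboots. The ESTABLISHED,RELATED rules are what make the explicit --sport 80 / --sport 443 entries unnecessary: the reply to any connection the gateway or a LAN host opened is accepted because the connection is tracked, not because of the port number on the packet.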