Hi;<br><br>Thanks... I solved this problem also... thank you Alain...<br>Here is my iptables -L result...<br>**********************************************************************************************************************<br>
# iptables -L<br>Chain INPUT (policy ACCEPT)<br>target prot opt source destination <br>DROP tcp -- anywhere <a href="http://192.168.10.13">192.168.10.13</a> tcp dpt:ssh <br>
DROP tcp -- anywhere <a href="http://192.168.10.13">192.168.10.13</a> tcp dpt:ncube-lm <br><br>Chain FORWARD (policy ACCEPT)<br>target prot opt source destination <br>ACCEPT all -- anywhere anywhere <br>
<br>Chain OUTPUT (policy ACCEPT)<br>target prot opt source destination <br>**********************************************************************************************************************<br>
<br>How can I change the FORWARD policy to accept only http and https?<br><br>Thanks for all...<br><br>sincerely yours...<br><br><br><br><br><div><span class="gmail_quote">2008/1/29, Alain Spineux <<a href="mailto:aspineux@gmail.com">aspineux@gmail.com</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Jan 28, 2008 8:45 AM, Tolun ARDAHANLI <<a href="mailto:tolun.ardahanli@linux.org.tr">tolun.ardahanli@linux.org.tr</a>> wrote:<br>> Hi guys;<br>><br>> OK let me explain like this...<br>><br>> We had a problem with our General network administration and our General<br>
> network can't be managed so well (because our IT manager is not so good at<br>> administration on our network). That is why I think that our department's<br>> users must be separated from the General LAN (because our General LAN affected<br>
> our working performance). After that we separated our users to another<br>> subnet (192.168.1.xxx).<br>><br>> Right now all of my department's members are joined to our server (CentOS 5.1) and<br>> all of them join the internet over our server... We solved the problem<br>
> together, if you read all mails in this subject...<br>><br>> I think the only problem is that "our members must not reach the server's<br>> internet-side IP (<a href="http://192.168.10.13">192.168.10.13</a>)". Am I right about that?<br>
<br><a href="http://192.168.10.13">192.168.10.13</a> and <a href="http://192.168.1.100">192.168.1.100</a> refer to the same CentOS server! Right?<br>Then this is the default behaviour for Linux: it answers requests on<br>one interface,<br>
even if the request is for an address on another interface.<br><br>> And<br>> the other question is about "how can I stop the ssh service for the internet<br>> side IP (<a href="http://192.168.10.13">192.168.10.13</a>)"?<br>
<br>Two possibilities:<br><br>Use iptables to reject/drop any packet coming in from eth1 (or eth0):<br><br>iptables -t filter -A INPUT -p tcp -i eth1 --dport 22 -j DROP<br><br>Or force sshd to bind only to the internal address; this is<br>
ListenAddress in the sshd config: man sshd_config for more.<br><br>Regards.<br><br>><br>> I am not a network engineer... I am just a software engineer... I am trying<br>> to do our project on Linux systems... I can't focus so deeply on network<br>
> administration... I can only do what you advise... nothing else... because I can't<br>> spend time on that (I want to but I can't)..:(<br>><br>> I hope that I explained it well...;)...<br>><br>> thanks to all...<br>
><br>> sincerely yours...<br>><br>><br>><br>> 2008/1/25, Alain Spineux <<a href="mailto:aspineux@gmail.com">aspineux@gmail.com</a>>:<br>><br>> > On Jan 25, 2008 9:37 AM, Tolun ARDAHANLI <<a href="mailto:tolun.ardahanli@linux.org.tr">tolun.ardahanli@linux.org.tr</a>><br>
> wrote:<br>> > > Thank you all, I really solved the forward/IP sharing problem...<br>> > ><br>> > > But I see there is another problem with that, like this;<br>> > ><br>> > > This is my network structure now;<br>
> > > LAN (there are 3 machines):<br>> > > start ip: <a href="http://192.168.1.10">192.168.1.10</a><br>> > > end ip: <a href="http://192.168.1.12">192.168.1.12</a><br>> > > gateway address of users: <a href="http://192.168.1.100">192.168.1.100</a> (my server's LAN side ip<br>
> > > address)<br>> > > LAN side Server ip: <a href="http://192.168.1.100">192.168.1.100</a><br>> > ><br>> > ><br>> > > WAN (this IP comes from behind a switch; the switch is behind a<br>
> > > firewall, and the firewall is behind a router):<br>> > > WAN side Server ip: <a href="http://192.168.10.13">192.168.10.13</a><br>> > > gateway address of Server: <a href="http://192.168.10.1">192.168.10.1</a><br>
> > ><br>> > > And here is the problem, I think;<br>> > > The users from inside (LAN) can reach the server's WAN-side<br>> > > IP (<a href="http://192.168.10.13">192.168.10.13</a>) and they can ping it and they can use the services<br>
> > > which are for the LAN (like ssh...etc).<br>> > ><br>> > > I agree with pinging from the LAN to the gateway address (<a href="http://192.168.10.1">192.168.10.1</a>). But I can't<br>
> > > agree with pinging the server's WAN address (<a href="http://192.168.10.13">192.168.10.13</a>). Do I think<br>> > > wrong at this point? And the last question is about how can I close/stop services<br>
> > > for the WAN side?<br>> ><br>> > I don't understand!<br>> > WHO can (OR CANNOT) ping <a href="http://192.168.10.13">192.168.10.13</a> or can (OR CANNOT) access the<br>> > service? LAN or WAN?<br>
> ><br>> ><br>> > ><br>> > > thanks to all of you...<br>> > ><br>> > > sincerely yours...<br>> > ><br>> > ><br>> > ><br>> > ><br>> > ><br>
> > ><br>> > ><br>> > > 2008/1/24, Alain Spineux <<a href="mailto:aspineux@gmail.com">aspineux@gmail.com</a>>:<br>> > ><br>> > > > On Jan 24, 2008 5:42 AM, Alain Spineux <<a href="mailto:aspineux@gmail.com">aspineux@gmail.com</a>> wrote:<br>
> > > > > On Jan 23, 2008 9:43 AM, Tolun ARDAHANLI<br>> <<a href="mailto:tolun.ardahanli@linux.org.tr">tolun.ardahanli@linux.org.tr</a>><br>> > > wrote:<br>> > > > > > Hi again to everyone;<br>
> > > > > ><br>> > > > > > Guys your mails are very nice... I liked all of them...<br>> > > > > ><br>> > > > > > Let me tell you about my system and my need (sorry for writing<br>
> > > > > > these late)...<br>> > > > > ><br>> > > > > > I've got an IBM x3650 server which runs 7d/24h. It has got 2<br>> > > > > > ethernet cards. I would like to connect my LAN to the WAN over this machine...<br>
> > > > > ><br>> > > > > > LAN (there are 3 machines):<br>> > > > > > start ip: <a href="http://192.168.10.10">192.168.10.10</a><br>> > > > > > end ip: <a href="http://192.168.10.12">192.168.10.12</a><br>
> > > > > > gateway address of users: 192.168.10.13 (my server's LAN side ip<br>> > > > > > address)<br>> > > > > > LAN side Server ip: <a href="http://192.168.10.13">192.168.10.13</a><br>
> > > > > ><br>> > > > > > WAN (this IP comes from behind a switch; the switch is behind a<br>> > > > > > firewall, and the firewall is behind a router):<br>
> > > > > > WAN side Server ip: <a href="http://10.10.1.223">10.10.1.223</a><br>> > > > > > gateway address of Server: <a href="http://10.10.1.111">10.10.1.111</a><br>> > > > > ><br>
> > > > > > This is my network chances...:( I can't change them because our<br>> > > > > > company has strong rules for these addresses... I want to share my WAN side ip<br>
> > > > > > address to my LAN side...<br>> > > > > ><br>> > > > > > How can I do that on my CentOS-installed server?<br>> > > > > ><br>
> > > > > > thanks a lot to everybody...<br>> > > > ><br>> > > > > The short way, supposing your WAN is secure and your WAN interface<br>> > > > > is eth1:<br>> > > > ><br>
> > > > > Disable any firewall rules on your CentOS,<br>> > > > ><br>> > > > > service iptables stop<br>> > > > > chkconfig iptables off<br>> > > > ><br>
> > > > > try these commands, and if this is working, put them in your<br>> > > > > /etc/init.d/rc.local<br>> > > > ><br>> > > > > # enable forwarding of packets between all interfaces<br>
> > > > > echo 1 > /proc/sys/net/ipv4/ip_forward<br>> > > > > # configure masquerading: any packet leaving eth1 will be masqueraded,<br>> > > > > taking eth1's address as source address.<br>
> > > > > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE<br>> > > ><br>> > > > Another interesting way is to set up only routing on your CentOS, and<br>> > > > add (ask your network manager) the route<br>
> > > > of your internal network (I guess <a href="http://192.168.10.8/29">192.168.10.8/29</a> through<br>> > > > <a href="http://192.168.10.13">192.168.10.13</a>) on your firewall and maybe a similar one<br>
> > > > on your router if the firewall is not doing NAT.<br>> > > > Then your firewall administrator can control the access to any of your<br>> > > > internal machines or make some of them reachable<br>
> > > > from outside if, for example, you want to have a web server or an email<br>> > > > server (this is not a good idea, but you get the idea).<br>> > > > All of this without changing anything more on your CentOS router.<br>
> > > ><br>> > > > To route packets only, without doing NAT (aka MASQUERADING or<br>> > > > HIDE-NAT), just use<br>> > > > echo 1 > /proc/sys/net/ipv4/ip_forward<br>
> > > ><br>> > > > Regards<br>> > > > ><br>> > > > > Regards.<br>> > > > ><br>> > > > ><br>> > > > > ><br>> > > > > ><br>
> > > > > ><br>> > > > > ><br>> > > > > > 2008/1/22, Dennis McLeod <<a href="mailto:dmcleod@foranyauto.com">dmcleod@foranyauto.com</a> >:<br>> > > > > ><br>
> > > > > > > I have an IPcop box setup at work. Using squidguard to keep<br>> > > customers from<br>> > > > > > > surfing porn while they are in our waiting room. (On a<br>
> completely<br>> > > separate<br>> > > > > > > DSL connection..)<br>> > > > > > ><br>> > > > > > > I have an Astaro Security Gateway setup at home (on a Dell p3<br>
> > > precision<br>> > > > > > > 220). Free home license, do FAR more than your typical broadband<br>> > > router.<br>> > > > > > Not<br>> > > > > > > a small learning curve, though. Wireless is through a D-link<br>
> > > DWL-7100(I<br>> > > > > > > think) access point in the attic.<br>> > > > > > > I have a Linksys wrt54g (original version) with openWRT, but<br>> it's<br>> > > just<br>
> > > > > > there<br>> > > > > > > for backup.....<br>> > > > > > ><br>> > > > > > > Any of the above will accomplish your goal...<br>> > > > > > ><br>
> > > > > > ><br>> > > > > > ><br>> > > > > > ><br>> > > > > > > -----Original Message-----<br>> > > > > > > From: <a href="mailto:centos-bounces@centos.org">centos-bounces@centos.org</a> [mailto:<br>
> <a href="mailto:centos-bounces@centos.org">centos-bounces@centos.org</a>]<br>> > > On<br>> > > > > > Behalf<br>> > > > > > > Of Alain Spineux<br>> > > > > > > Sent: Tuesday, January 22, 2008 6:52 AM<br>
> > > > > > > To: CentOS mailing list<br>> > > > > > > Subject: Re: [CentOS] How can i share my WAN ip to my LAN?<br>> > > > > > ><br>> > > > > > > On Jan 22, 2008 3:17 PM, William L. Maltby <<br>
> > > <a href="mailto:CentOS4Bill@triad.rr.com">CentOS4Bill@triad.rr.com</a>><br>> > > > > > wrote:<br>> > > > > > > > On Tue, 2008-01-22 at 14:49 +0100, Alain Spineux wrote:<br>
> > > > > > > > > On Jan 22, 2008 8:46 AM, Tolun ARDAHANLI <<br>> > > > > > <a href="mailto:tolun.ardahanli@linux.org.tr">tolun.ardahanli@linux.org.tr</a>><br>> > > > > > > wrote:<br>
> > > > > > > > > > Hi everybody...<br>> > > > > > > > > ><br>> > > > > > > > > > How can I share my WAN IP to my LAN? How can I do that? I<br>
> > > > > > > > > > really don't know...:( I have been using Linux for a long time but this<br>> > > > > > > > > > kind of thing I would like to do newly...<br>
> > > > > > > > > ><br>> > > > > > > > > Buy a small router/modem, ask your ISP for suggestions.<br>> > > > > > > > > This is cheap (<100$), no need to keep your computer always<br>
> > > > > > > > > turned on, very easy to configure if you need more features (port<br>> > > > > > > > > forwarding for skype, games, p2p, ....), have some built-in<br>
> > > > > > > > > features (dhcp, DNS proxy). Also think about wireless ......<br>> > > > > > > > > This is probably more secure, not because centos/linux is<br>
> > > > > > > > > not, but<br>> > > > > > > > > because you don't know what you are doing.<br>> > > > > > > > ><br>> > > > > > > > > Of course this is less fun<br>
> > > > > > > ><br>> > > > > > > > Well, I wasn't going to suggest, but since the topic of<br>> > > alternatives<br>> > > > > > > > is open...<br>
> > > > > > > ><br>> > > > > > > :-)<br>> > > > > > > ><br>> > > > > > > Of course the main idea is to avoid having a non-firewall-dedicated<br>
> > > > > > > Linux (like CentOS is), configured by someone without too much network<br>> > > > > > > knowledge, be<br>> > > > > > > in front of the Internet.<br>
> > > > > > > ><br>> > > > > > > ><br>> > > > > > > > If you have an older available computer lying around, check<br>> > > > > > > > out IPCop<br>
> > > > > > > ><br>> > > > > > > > <a href="http://www.ipcop.org/">http://www.ipcop.org/</a><br>> > > > > > > ><br>> > > > > > > > free, has lots of features, runs reliably, I've been on it for<br>
> > > > > > > > years,<br>> > > > > > > > as have others on this list. Biggest gripe I have is docs<br>> > > > > > > > could be a<br>> > > > > > > > little better - they tend to not get updated to stay up with<br>
> > > > > > > > the<br>> > > > > > > > software.<br>> > > > > > > ><br>> > > > > > > > ><br>> > > > > > > > > Regards.<br>> > > > > > > > ><br>
> > > > > > > > > > ><br>> > > > > > > > > > Can anybody help me with IP sharing in CentOS?<br>> > > > > > > > > ><br>> > > > > > > > > > thanks a lot...<br>
> > > > > > > > > ><br>> > > > > > > > > ><br>> > > > > > > > > > --<br>> > > > > > > > > > Tolun ARDAHANLI<br>
> > > > > > > > > > Bilgisayar Muhendisi<br>> > > > > > > > > > E-posta: <a href="mailto:tolun.ardahanli@linux.org.tr">tolun.ardahanli@linux.org.tr</a><br>> > > > > > > > > > Icq:326600<br>
> > > > > > > > > ><br>> > > > > > > > > ><br>> > > ------------------------------------------------------------------<br>> > > > > > > > > > ----------<br>
> > > > > > > > > ><br>> > > > > > > > > > Tolun ARDAHANLI<br>> > > > > > > > > > Computer Engineer<br>> > > > > > > > > > E-mail:<a href="mailto:tolun.ardahanli@linux.org.tr">tolun.ardahanli@linux.org.tr</a><br>
> > > > > > > > > > Icq:326600<br>> > > > > > > > > ><snip sig stuff><br>> > > > > > > ><br>> > > > > > > > HTH<br>
> > > > > > > > --<br>> > > > > > > > Bill<br>> > > > > > > ><br>> > > > > > > ><br>> > > > > > > > _______________________________________________<br>
> > > > > > > > CentOS mailing list<br>> > > > > > > > <a href="mailto:CentOS@centos.org">CentOS@centos.org</a><br>> > > > > > > > <a href="http://lists.centos.org/mailman/listinfo/centos">http://lists.centos.org/mailman/listinfo/centos</a><br>
> > > > > > > ><br>> > > > > > ><br>> > > > > > ><br>> > > > > > ><br>> > > > > > > --<br>> > > > > > > Alain Spineux<br>
> > > > > > > aspineux gmail com<br>> > > > > > > May the sources be with you<br>> > > > > > > _______________________________________________<br>> > > > > > > CentOS mailing list<br>
> > > > > > > <a href="mailto:CentOS@centos.org">CentOS@centos.org</a><br>> > > > > > > <a href="http://lists.centos.org/mailman/listinfo/centos">http://lists.centos.org/mailman/listinfo/centos</a><br>
><br>><br><br><br><br>--<br>Alain Spineux<br>aspineux gmail com<br>May the sources be with you<br></blockquote></div><br><br clear="all"><br>-- <br>Tolun ARDAHANLI<br>Bilgisayar Muhendisi<br>E-posta:<a href="mailto:tolun.ardahanli@linux.org.tr">tolun.ardahanli@linux.org.tr</a><br>
Icq:326600<br><br>----------------------------------------------------------------------------<br><br>Tolun ARDAHANLI<br>Computer Engineer<br>E-mail:<a href="mailto:tolun.ardahanli@linux.org.tr">tolun.ardahanli@linux.org.tr</a><br>
Icq:326600
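The pieces of this thread put together as an added example (not code from the thread, from Alain, or from CentOS): Alain's ip_forward and MASQUERADE commands, a FORWARD chain that answers the last question by defaulting to DROP and accepting only new http and https flows from the LAN, and a drop for ssh on the WAN-side address. The interface names, the 192.168.1.0/24 mask, the DNS rule and the helper names `gen_rules`, `apply_rules` and `count_new_flow_accepts` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from CentOS.
# Assumptions (not stated on the page): eth0 is the LAN side, eth1 the
# WAN side, and LAN hosts resolve DNS through the gateway's upstream.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}   # the subnet the poster moved to
WAN_IP=${WAN_IP:-192.168.10.13}      # the server's WAN-side address

# gen_rules prints the commands instead of running them, so the policy
# can be reviewed (and unit-tested) before it touches a live box.
#
# FORWARD: set the chain policy to DROP and list what is allowed, instead
# of keeping policy ACCEPT and sprinkling DROPs. Replies come back through
# the ESTABLISHED,RELATED rule; only new http/https (and DNS) flows from
# the LAN are opened. (-m state is the old spelling of -m conntrack.)
#
# INPUT: match the destination address, as the poster's own iptables -L
# output does, rather than only -i eth1. A LAN host talking to 192.168.10.13
# arrives on eth0, and Linux answers for any local address on any
# interface (Alain's point), so an interface-only match would not stop the
# LAN users the poster asked about. ListenAddress in sshd_config is the
# cleaner alternative: then there is no listener on the WAN address at all.
gen_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -d $WAN_IP -p tcp --dport 22 -j DROP
EOF
}

# Feed the reviewed rule set to a shell (needs root on the gateway).
apply_rules() { gen_rules | sh; }

# Count the rules that open NEW forwarded flows; the ESTABLISHED line is
# not one of them, and everything else falls through to the DROP policy.
count_new_flow_accepts() {
    gen_rules | grep -c '^iptables -A FORWARD -i .* --dport [0-9]* -j ACCEPT$'
}

case "${1:-show}" in
    apply) apply_rules ;;   # sh gateway.sh apply   (as root)
    *)     gen_rules ;;     # default: only print the rule set for review
esac
```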