Been working this for over a month now and I'm stumped.
Everything was working until the 'crash'. Backup was no good so I did a fresh install of CentOS 5.5. Trying to get things back like they were but it's been a really long time since I had to set things up from scratch, Redhat 2.0.
My CentOS server acts as a gateway/firewall/router for my home network. Internal machines can access the internet. The server can access the internet. I can access my server/services from outside the local network but internal machines cannot.
Any ideas/suggestions?
Thanks,
--Eddie
Do you have IPv4 forwarding on in your /etc/sysctl?
Sent from my iPhone
On Jul 5, 2010, at 7:00 PM, "Thomas Dukes" tdukes@sc.rr.com wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Cliff Sent: Monday, July 05, 2010 8:05 PM To: CentOS mailing list Subject: Re: [CentOS] DNS or firewall problem
Do you have IPv4 forwarding on in your /etc/sysctl?
Sent from my iPhone
Uhhh, in /etc/sysctl.conf,
net.ipv4.conf.ip_forward = 0 ??
change to = 1 ??
--Eddie
On Tuesday, July 06, 2010 08:12 AM, Thomas Dukes wrote:
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Cliff Sent: Monday, July 05, 2010 8:05 PM To: CentOS mailing list Subject: Re: [CentOS] DNS or firewall problem
Do you have IPv4 forwarding on in your /etc/sysctl?
Sent from my iPhone
Uhhh, in /etc/sysctl.conf,
net.ipv4.conf.ip_forward = 0 ??
change to = 1 ??
Are you running a proxy for http? It would be rather surprising that internal machines can access the Internet without forwarding turned on otherwise. When you say internal machines cannot access your server, are they connecting to it via the local interface's ip or the Internet ip? Are the services bound to the local interface?
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Christopher Chan Sent: Monday, July 05, 2010 8:42 PM To: centos@centos.org Subject: Re: [CentOS] DNS or firewall problem
On Tuesday, July 06, 2010 08:12 AM, Thomas Dukes wrote:
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Cliff Sent: Monday, July 05, 2010 8:05 PM To: CentOS mailing list Subject: Re: [CentOS] DNS or firewall problem
Do you have IPv4 forwarding on in your /etc/sysctl?
Sent from my iPhone
Uhhh, in /etc/sysctl.conf,
net.ipv4.conf.ip_forward = 0 ??
change to = 1 ??
Are you running a proxy for http? It would be rather surprising that internal machines can access the Internet without forwarding turned on otherwise. When you say internal machines cannot access your server, are they connecting to it via the local interface's ip or the Internet ip? Are the services bound to the local interface?
I did notice today there is a squid.conf file in my /etc/httpd/conf.d directory. It appears it is configured for the local domain only. I renamed it and restarted apache but that didn't work.
The server has two nics, one for internet and one for the local network, connected to a switch. eth0 is connected to the uplink port.
Are you running a proxy for http? It would be rather surprising that internal machines can access the Internet without forwarding turned on otherwise. When you say internal machines cannot access your server, are they connecting to it via the local interface's ip or the Internet ip? Are the services bound to the local interface?
I did notice today there is a squid.conf file in my /etc/httpd/conf.d directory. It appears it is configured for the local domain only. I renamed it and restarted apache but that didn't work.
The server has two nics, one for internet and one for the local network, connected to a switch. eth0 is connected to the uplink port.
Please pastebin the output of the following: Run as root: 'cat /etc/sysconfig/iptables' 'netstat -ntlp'
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Chan Chung Hang Christopher Sent: Tuesday, July 06, 2010 9:28 AM To: centos@centos.org Subject: Re: [CentOS] DNS or firewall problem
Are you running a proxy for http? It would be rather surprising that internal machines can access the Internet without forwarding turned on otherwise. When you say internal machines cannot access your server, are they connecting to it via the local interface's ip or the Internet ip? Are the services bound to the local interface?
I did notice today there is a squid.conf file in my /etc/httpd/conf.d directory. It appears it is configured for the local domain only. I renamed it and restarted apache but that didn't work.
The server has two nics, one for internet and one for the local network, connected to a switch. eth0 is connected to the uplink port.
Please pastebin the output of the following: Run as root: 'cat /etc/sysconfig/iptables'
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
'netstat -ntlp'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      3580/perl
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      2960/hpiod
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      3138/mysqld
tcp        0      0 127.0.0.1:3310          0.0.0.0:*               LISTEN      3049/clamd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2667/portmap
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3958/X
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      3588/perl
tcp        0      0 192.168.1.101:53        0.0.0.0:*               LISTEN      2639/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2639/named
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2980/cupsd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      3218/sendmail: acce
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      2639/named
tcp        0      0 0.0.0.0:766             0.0.0.0:*               LISTEN      2704/rpc.statd
tcp        0      0 0.0.0.0:3551            0.0.0.0:*               LISTEN      3032/apcupsd
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      2965/python
tcp        0      0 :::80                   :::*                    LISTEN      5464/httpd
tcp        0      0 :::6000                 :::*                    LISTEN      3958/X
tcp        0      0 ::1:953                 :::*                    LISTEN      2639/named
tcp        0      0 :::443                  :::*                    LISTEN      5464/httpd
Not sure what all this means. Hope someone can.
Thanks!!
Eddie
# Firewall configuration written by system-config-securitylevel # Manual customization of this file is not recommended.
ugh...fwbuilder crap...oh well.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
Seriously? Those two are redundant since you already accept everything on lo.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Hmm...you do not appear to have a blanket accept for your internal interface. What services are supposed to be open to the internal lan?
You should be able to connect to the web service from the internal lan using the internal ip and also to the smtp service. But I guess your web service is probably apache doing proxy work unless you have a different meaning to 'internal boxes can access the internet'...
What services were internal boxes supposed to be able to access again? webmin? mysql? dns?
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Christopher Chan Sent: Tuesday, July 06, 2010 9:13 PM To: centos@centos.org Subject: Re: [CentOS] DNS or firewall problem
Seriously? Those two are redundant since you already accept everything on lo.
I didn't do that. :-)
Hmm...you do not appear to have a blanket accept for your internal interface. What services are supposed to be open to the internal lan?
Really just interested in web, ftp and maybe samba
You should be able to connect to the web service from the internal lan using the internal ip and also to the smtp service. But I guess your web service is probably apache doing proxy work unless you have a different meaning to 'internal boxes can access the internet'...
What services were internal boxes supposed to be able to access again? webmin? mysql? dns?
Not really relying on my server for dns for the local machines, just for local services, ftp, webmin, local web. I'm not on a commercial account with my isp so 'external' mail is not an issue.
I have most services turned off but can activate them, remotely, from webmin if I need ssh or ftp.
Hmm...you do not appear to have a blanket accept for your internal interface. What services are supposed to be open to the internal lan?
Really just interested in web, ftp and maybe samba
Well, the rules do accept connections for those three so no problem here.
Not really relying on my server for dns for the local machines, just for local services, ftp, webmin, local web. I'm not on a commercial account with my isp so 'external' mail is not an issue.
ftp is not running, webmin is blocked. You should be able to connect to apache. samba is not running either.
I have most services turned off but can activate them, remotely, from webmin if I need ssh or ftp.
Well, I guess you first need to allow connections to webmin (from INSIDE - even if you are absolutely certain no one can guess your password) unless you are only going to do it from the desktop on the box. No rules for ssh so you will need to add them if you do enable ssh.
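Christopher Chan's reply above reaches its verdict by reading the posted iptables rules against the netstat -ntlp listeners: with no blanket ACCEPT for the LAN interface, only the explicitly listed ports get through, so apache works but webmin (port 10000) is blocked. The script below is an added example, not code from the thread, that automates that cross-check and writes the hardened ruleset; it assumes the chain name RH-Firewall-1-INPUT from the posted rules, a LAN interface named eth1 (the thread only says eth0 is the uplink), and constructed excerpts of the posted rules and listeners as its input.

```shell
#!/bin/sh
# Added example (not code from the thread): Christopher Chan's diagnosis as a
# script. Cross-check an iptables-save style ruleset (the /etc/sysconfig/iptables
# format on CentOS 5) against 'netstat -ntlp' output: which LAN-reachable
# listeners does the INPUT path accept, and is there a blanket ACCEPT for the
# internal interface ahead of the chain's final REJECT? Assumed: the chain is
# RH-Firewall-1-INPUT and the LAN NIC is eth1; both sample files are constructed
# excerpts of what was posted in the thread.

RULES=$(mktemp); NETSTAT=$(mktemp); RULES_FIXED=$(mktemp)
trap 'rm -f "$RULES" "$NETSTAT" "$RULES_FIXED"' EXIT
cat > "$RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
cat > "$NETSTAT" <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306     0.0.0.0:* LISTEN 3138/mysqld
tcp 0 0 0.0.0.0:10000    0.0.0.0:* LISTEN 3588/perl
tcp 0 0 192.168.1.101:53 0.0.0.0:* LISTEN 2639/named
tcp 0 0 127.0.0.1:631    0.0.0.0:* LISTEN 2980/cupsd
tcp 0 0 0.0.0.0:25       0.0.0.0:* LISTEN 3218/sendmail
tcp 0 0 :::80            :::*      LISTEN 5464/httpd
tcp 0 0 :::443           :::*      LISTEN 5464/httpd
EOF

# TCP --dport values accepted in chain $2 of rules file $1, ascending, one per line.
accepted_tcp_ports() {
    awk -v chain="$2" '
        $1 == "-A" && $2 == chain && / -p tcp / && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
        }' "$1" | sort -n | uniq
}

# Exit 0 if chain $2 has "-i $3 ... -j ACCEPT" before its terminal REJECT/DROP.
has_iface_accept() {
    awk -v chain="$2" -v ifc="$3" '
        $1 == "-A" && $2 == chain {
            if (/-j REJECT/ || /-j DROP/) exit
            for (i = 1; i < NF; i++)
                if ($i == "-i" && $(i + 1) == ifc && /-j ACCEPT/) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# "port program" for each LISTEN socket in netstat file $1 not bound to loopback
# only, i.e. what a LAN client could reach if the firewall let it through.
lan_listeners() {
    awk '$1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host != "127.0.0.1" && host != "::1") print port, $7
        }' "$1" | sort -n | uniq
}

# Space-separated LAN listener ports that chain $3 rejects (empty when iface $4
# has a blanket ACCEPT). $1 = rules file, $2 = netstat file.
blocked_ports() {
    has_iface_accept "$1" "$3" "$4" && return 0
    accepted=$(accepted_tcp_ports "$1" "$3")
    lan_listeners "$2" | while read -r port prog; do
        echo "$accepted" | grep -qx "$port" || printf '%s ' "$port"
    done | sed 's/ $//'
}

# Hardened form: the rule Chan found missing, a blanket ACCEPT for the LAN
# interface $4, inserted in chain $3 just before its REJECT. $1 in, $2 out.
add_lan_accept() {
    awk -v chain="$3" -v ifc="$4" '
        $1 == "-A" && $2 == chain && /-j REJECT/ { print "-A " chain " -i " ifc " -j ACCEPT" }
        { print }' "$1" > "$2"
}

echo "blocked from the LAN before: $(blocked_ports "$RULES" "$NETSTAT" RH-Firewall-1-INPUT eth1)"
add_lan_accept "$RULES" "$RULES_FIXED" RH-Firewall-1-INPUT eth1
echo "blocked from the LAN after:  $(blocked_ports "$RULES_FIXED" "$NETSTAT" RH-Firewall-1-INPUT eth1)"
```

On the posted ruleset the first line reports 53, 3306 and 10000 as blocked from the LAN, which matches the reply (webmin unreachable, apache and smtp fine); the blanket rule opens everything listening on the LAN side, so on a real box keep it only if that is what you want, or add per-port rules instead.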
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Christopher Chan Sent: Tuesday, July 06, 2010 10:31 PM To: centos@centos.org Subject: Re: [CentOS] DNS or firewall problem
Hmm...you do not appear to have a blanket accept for your internal interface. What services are supposed to be open to the internal lan?
Really just interested in web, ftp and maybe samba
Well, the rules do accept connections for them three so no problem here.
Not really relying on my server for dns for the local machines, just for local services, ftp, webmin, local web. I'm not on a commercial account with my isp so 'external' mail is not an issue.
ftp is not running, webmin is blocked. You should be able to connect to apache. samba is not running either.
ftp is turned off. Samba, I thought was running but haven't tried to set it up as I was more interested in just accessing web services, locally.
I have most services turned off but can activate them, remotely, from webmin if I need ssh or ftp.
Well, I guess you first need to allow connections to webmin (from INSIDE - even if you are absolutely certain no one can guess your password) unless you are only going to do it from the desktop on the box. No rules for ssh so you will need to add them if you do enable ssh.
I can ssh in remotely but don't have a need for it locally. I can access webmin remotely but not from a local machine. I see no need for my server to use additional resources for the X window environment. I don't use webmin that much except when I need to turn a service on or off remotely or want to upload a file to the server without having to turn on ftp.
I can ssh in remotely but don't have a need for it locally. I can access webmin remotely but not from a local machine. I see no need for my server to use additional resources for the X window environment. I don't use webmin that much except when I need to turn a service on or off remotely or want to upload a file to the server without having to turn on ftp.
You can access webmin remotely? That contradicts the iptables rules you posted...
If you can ssh in remotely then that also contradicts both the rules and the list of ports that have a daemon bound to them. No sshd nor anything bound to port 22.
You might want to turn off X/gdm then...that is what is listening on port 6000.
Thomas Dukes wrote:
Do you have IPv4 forwarding on in your /etc/sysctl?
Uhhh, in /etc/sysctl.conf,
net.ipv4.conf.ip_forward = 0 ??
change to = 1 ??
I have more or less the same setup as you, and I have net.ipv4.conf.ip_forward = 0 in /etc/sysctl like you, but I have no problem accessing my server from my laptop.
I am running shorewall, and it would be easy to set this up to have the effect you describe.
I have the line loc $FW ACCEPT in /etc/shorewall/policy . The default is loc $FW REJECT info which would have the effect you describe.
NB I don't really understand iptables, but I find shorewall does most of the thinking for me.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Timothy Murphy Sent: Monday, July 05, 2010 10:11 PM To: centos@centos.org Subject: Re: [CentOS] DNS or firewall problem
I use the iptables firewall rules in the linux ip masquerade howto. Been using it for years without a hitch.
http://www.tldp.org/HOWTO/html_single/IP-Masquerade-HOWTO/#RC.FIREWALL-IPTABLES-STRONGER
I looked at shorewall some time ago but like you, I was confused with iptables.
yea that needs to be a 1
On Mon, Jul 5, 2010 at 8:12 PM, Thomas Dukes tdukes@sc.rr.com wrote:
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of cliff here Sent: Monday, July 05, 2010 10:56 PM To: CentOS mailing list Subject: Re: [CentOS] DNS or firewall problem
yea that needs to be a 1
Thanks,
I'll give that a try.
cliff here wrote:
net.ipv4.conf.ip_forward = 0 ??
change to = 1 ??
yea that needs to be a 1
That cannot be mandatory, as I have a 0 there and do not have the OP's problem.
As I mentioned, the default in shorewall is that loc to $FW, i.e. connection from machines on the local LAN to server, is set to REJECT. Maybe that is the default in the iptables setting too?
Well if you want the kernel to route IPV4 traffic, then yes it has to be 1
On 7/6/10, Timothy Murphy gayleard@eircom.net wrote:
cliff here wrote:
Well if you want the kernel to route IPV4 traffic, then yes it has to be 1
net.ipv4.conf.ip_forward = 0 ??
change to = 1 ??
yea that needs to be a 1
That cannot be mandatory, as I have a 0 there and do not have the OP's problem.
You've changed the question. The OP did not say he wanted "to route IPV4 traffic". He said he could not access his server from local machines.
Are you saying you must have the setting you mention in /etc/sysctl.conf ? That cannot be true, as I can access my server and I don't have your entry.
On Tue, Jul 06, 2010 at 09:19:41PM +0100, Timothy Murphy wrote:
Are you saying you must have the setting you mention in /etc/sysctl.conf ? That cannot be true, as I can access my server and I don't have your entry.
Check your iptables rules. Maybe there are no INPUT rules to access your gateway via internal nic.
Dominik Zyla wrote:
Are you saying you must have the setting you mention in /etc/sysctl.conf ? That cannot be true, as I can access my server and I don't have your entry.
Check your iptables rules. Maybe there are no INPUT rules to access your gateway via internal nic.
I don't see the relevance of that. I never said I had or didn't have any iptables rules. I'm simply observing that I do not have the specified setting and I can access my server from my LAN, therefore the setting cannot be essential for this purpose.
I can access the server because I have loc $FW ACCEPT in /etc/shorewall/policy; but that is not really relevant to the point at issue.
enable ipv4_forwarding in /etc/sysctl.conf
# service iptables start
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
eth0 is the interface connected to the modem.
On 6 July 2010 04:30, Thomas Dukes tdukes@sc.rr.com wrote:
echo 1 > /proc/sys/net/ipv4/ip_forward
On 6 July 2010 21:17, Basil Kurian basilkurian@gmail.com wrote: