I am trying to set up some rules on a box with 3 NIC cards: two internet connections and one office connection.
eth0 is office, eth1 is internet (T1), eth2 is internet (cable).
When I do "iptables -F" and then "iptables -L", everything is gone, as it should be.
Then I do

  iptables -t nat -A PREROUTING -p tcp -d $MYIP --dport 6550 -j DNAT --to $INTERNAL_ADDRESS:6550
  iptables -t nat -A POSTROUTING -d $INTERNAL_ADDRESS -j SNAT --to $GWIP

Then I do "iptables -L" again and the rule is not there. Am I missing something? I have tried -I and -A, both.
Thanks,
Jerry
On 8 May 2010 14:12, Jerry Geis geisj@pagestation.com wrote:
Then I do "iptables -L" again and the rule is not there. Am I missing something?
Try iptables -t nat -L, though you may want to use the -n option too.
From the iptables manpage[1]:
"-L, --list [chain] List all rules in the selected chain. If no chain is selected, all chains are listed. As every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by iptables -t nat -n -L
Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use iptables -L -v"
Ben
Thanks for the "-t nat" suggestion.
How does someone debug iptables? It seems like the local eth0 is working and eth2 is working, but connections on eth1 don't seem to go anywhere. How can I tell what is happening with eth1 and iptables?
Thanks,
Jerry
On Saturday 08 May 2010 14:46, Jerry Geis wrote:
How does someone debug iptables? It seems like the local eth0 is working and eth2 is working, but connections on eth1 don't seem to go anywhere. How can I tell what is happening with eth1 and iptables?
Maybe it's your routing? Post both the firewall rules and your routing table.
On Sat, May 08, 2010 at 02:46:17PM -0400, Jerry Geis wrote:
Thanks for the "-t nat" suggestion.
How does someone debug iptables? It seems like the local eth0 is working and eth2 is working, but connections on eth1 don't seem to go anywhere. How can I tell what is happening with eth1 and iptables?
Use iproute2 with fwmark rules. Then mix it with iptables `-j MARK' or use `-j ROUTE' instead of fwmark and `-j MARK'.
I have a CentOS box with 3 NICs. eth0 is internal, eth1 is T1 data and eth2 is cable data. Everything is working on eth2 (cable). External NAT is working just fine for eth2. However, the external address 74.x.x.x on eth1 is not working.
Below is my iptables information.
I set up eth1 the same as eth2, just with a different IP address of course. What did I miss, such that eth1 and NAT are not working?
I'm just looking for both public IPs' incoming traffic to NAT to the correct IP address. Only one is working at this time.
Thanks,
Jerry
---------------
Chain INPUT (policy ACCEPT)
target               prot opt source       destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0    0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target               prot opt source       destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0    0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target               prot opt source       destination

Chain RH-Firewall-1-INPUT (2 references)
target  prot opt source       destination
ACCEPT  all  --  0.0.0.0/0    0.0.0.0/0
ACCEPT  all  --  0.0.0.0/0    0.0.0.0/0
ACCEPT  all  --  0.0.0.0/0    0.0.0.0/0
ACCEPT  icmp --  0.0.0.0/0    0.0.0.0/0    icmp type 255
ACCEPT  esp  --  0.0.0.0/0    0.0.0.0/0
ACCEPT  ah   --  0.0.0.0/0    0.0.0.0/0
ACCEPT  udp  --  0.0.0.0/0    224.0.0.251  udp dpt:5353
ACCEPT  udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:631
ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:631
ACCEPT  all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:25
ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:80
REJECT  all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited

nat table:

Chain PREROUTING (policy ACCEPT)
target  prot opt source       destination
DNAT    tcp  --  0.0.0.0/0    24.123.23.170  tcp dpt:22 to:192.168.1.209:22
DNAT    tcp  --  0.0.0.0/0    24.123.23.170  tcp dpt:25 to:192.168.1.209:25
DNAT    tcp  --  0.0.0.0/0    24.123.23.170  tcp dpt:80 to:192.168.1.209:80
DNAT    tcp  --  0.0.0.0/0    74.223.8.179   tcp dpt:22 to:192.168.1.58:22
DNAT    tcp  --  0.0.0.0/0    74.223.8.179   tcp dpt:25 to:192.168.1.58:25
DNAT    tcp  --  0.0.0.0/0    74.223.8.179   tcp dpt:80 to:192.168.1.58:80

Chain POSTROUTING (policy ACCEPT)
target  prot opt source          destination
SNAT    all  --  192.168.1.0/24  0.0.0.0/0      to:24.123.23.170
SNAT    all  --  0.0.0.0/0       192.168.1.209  to:192.168.1.1
SNAT    all  --  0.0.0.0/0       192.168.1.209  to:192.168.1.1
SNAT    all  --  0.0.0.0/0       192.168.1.209  to:192.168.1.1
SNAT    all  --  0.0.0.0/0       192.168.1.209  to:192.168.1.1
SNAT    all  --  0.0.0.0/0       192.168.1.209  to:192.168.1.1
SNAT    all  --  0.0.0.0/0       192.168.1.209  to:192.168.1.1
SNAT    all  --  0.0.0.0/0       192.168.1.58   to:192.168.1.1
SNAT    all  --  0.0.0.0/0       192.168.1.58   to:192.168.1.1
SNAT    all  --  0.0.0.0/0       192.168.1.58   to:192.168.1.1
SNAT    all  --  0.0.0.0/0       192.168.1.58   to:192.168.1.1
SNAT    all  --  0.0.0.0/0       192.168.1.58   to:192.168.1.1
SNAT    all  --  0.0.0.0/0       192.168.1.58   to:192.168.1.1

Chain OUTPUT (policy ACCEPT)
target  prot opt source       destination

Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref Use Iface
24.123.23.168   0.0.0.0         255.255.255.248  U     0      0   0   eth2
74.223.8.176    0.0.0.0         255.255.255.240  U     0      0   0   eth1
192.168.1.0     0.0.0.0         255.255.255.0    U     0      0   0   eth0
169.254.0.0     0.0.0.0         255.255.0.0      U     0      0   0   eth2
0.0.0.0         24.123.23.169   0.0.0.0          UG    0      0   0   eth2
On Mon, May 10, 2010 at 06:10:02PM -0400, Jerry Geis wrote:
I have a CentOS box with 3 NICs. eth0 is internal, eth1 is T1 data and eth2 is cable data. Everything is working on eth2 (cable). External NAT is working just fine for eth2. However, the external address 74.x.x.x on eth1 is not working.
Below is my iptables information.
I set up eth1 the same as eth2, just with a different IP address of course. What did I miss, such that eth1 and NAT are not working?
I'm just looking for both public IPs' incoming traffic to NAT to the correct IP address. Only one is working at this time.
You need to set up source routing for 74.223.8.176 and eth1. Please read this: http://linux-ip.net/html/adv-multi-internet.html
-- Dominik Zyla
I read through the document. I still don't see what I have done wrong.
Do my routing rules not look correct in my previous post?
Sorry, I am not catching on. Thanks for your assistance.
Jerry
On Tue, May 11, 2010 at 09:24:53AM -0400, Jerry Geis wrote:
You need to set up source routing for 74.223.8.176 and eth1. Please read this: http://linux-ip.net/html/adv-multi-internet.html
-- Dominik Zyla
I read through the document. I still don't see what I have done wrong.
Do my routing rules not look correct in my previous post?
Sorry, I am not catching on. Thanks for your assistance.
Try adding iproute2 rules for eth1. You only pasted iptables rules.
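The source routing Dominik is pointing at, written out for the addresses in this thread. This is an added example, not code from the thread or from the linux-ip.net document. The cable gateway (24.123.23.169) and the three subnets come from the posted routing table; the T1 gateway (74.223.8.177) and the routing-table numbers 101/102 are assumptions, since the thread never states them. The problem it addresses: the posted main table has a single default route via eth2, so a connection that arrives on eth1 for 74.223.8.179 is DNATed to 192.168.1.58 correctly, but the reply is routed by that main table and leaves via eth2 carrying source 74.223.8.179, where the cable ISP will normally drop it. The fix is one routing table per uplink, selected by source address, which works for DNATed connections because conntrack restores the public source address of reply packets in PREROUTING, before the routing decision.

```shell
#!/bin/sh
# Added example: source-based policy routing for a box with two uplinks.
# Addresses are the ones from the thread; T1_GW and the table ids are ASSUMED.
set -eu

T1_IF=eth1
T1_NET=74.223.8.176/28
T1_IP=74.223.8.179
T1_GW=${T1_GW:-74.223.8.177}        # assumption: first usable address of the /28

CABLE_IF=eth2
CABLE_NET=24.123.23.168/29
CABLE_IP=24.123.23.170
CABLE_GW=24.123.23.169              # from the posted routing table

T1_TABLE=101                        # assumed table ids; any unused id 1..252 works
CABLE_TABLE=102

# With DRY_RUN=1 the command is printed instead of executed, so the plan can be
# reviewed (and tested) without root or the real interfaces.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# "ip rule add" is not idempotent; skip the add if an identical rule exists.
add_rule() {   # $1=source net  $2=table  $3=preference
    if [ "${DRY_RUN:-0}" != 1 ] && ip rule show 2>/dev/null | grep -q "from $1 lookup $2"; then
        return 0
    fi
    run ip rule add from "$1" lookup "$2" pref "$3"
}

# One table per uplink, each with its own default route, plus a rule that picks
# the table by SOURCE address. Reply packets of a DNATed connection already carry
# the public IP as source when the routing decision is made, so the "from" rule
# is enough to send them back out the interface they came in on.
policy_routing_cmds() {
    run ip route replace "$T1_NET" dev "$T1_IF" src "$T1_IP" table "$T1_TABLE"
    run ip route replace default via "$T1_GW" dev "$T1_IF" table "$T1_TABLE"
    run ip route replace "$CABLE_NET" dev "$CABLE_IF" src "$CABLE_IP" table "$CABLE_TABLE"
    run ip route replace default via "$CABLE_GW" dev "$CABLE_IF" table "$CABLE_TABLE"
    add_rule "$T1_NET" "$T1_TABLE" 100
    add_rule "$CABLE_NET" "$CABLE_TABLE" 101
    run ip route flush cache      # needed on the 2.6 kernels of that era; harmless later
}

# Commands that show whether the policy took effect and whether packets hit the
# DNAT rule at all (the packet counters are the cheapest iptables debugger).
verify_cmds() {
    run ip rule show
    run ip route show table "$T1_TABLE"
    run sysctl net.ipv4.conf."$T1_IF".rp_filter
    run iptables -t nat -L PREROUTING -n -v
}

case "${1:-}" in
    apply)  policy_routing_cmds ;;
    verify) verify_cmds ;;
    *)      echo "usage: $0 apply|verify   (DRY_RUN=1 only prints the commands)" >&2 ;;
esac
```

Preview with `DRY_RUN=1 sh multiwan.sh apply`, then run it as root and check `ip rule show` and `ip route show table 101`. To see whether eth1 traffic reaches the box at all, connect to port 22 on 74.223.8.179 from outside while watching the counters from `iptables -t nat -L PREROUTING -n -v` and `tcpdump -ni eth1 port 22`: if the DNAT counter climbs and tcpdump shows only inbound SYNs, the replies are leaving on the wrong interface, which is exactly what the rules above correct. Two caveats that follow from the posted rules: the first POSTROUTING rule still SNATs all outbound 192.168.1.0/24 traffic to 24.123.23.170, so outbound from the LAN keeps using the cable link, and if `rp_filter` is set to 1 on eth1 and the connection still fails, that is the next setting to look at.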
Dominik Zyla wrote:
I read through the document. I still don't see what I have done wrong.
Do my routing rules not look correct in my previous post?
Sorry, I am not catching on. Thanks for your assistance.
Try adding iproute2 rules for eth1. You only pasted iptables rules.
Hi
I saw this document yesterday and it may be helpful: http://www.shorewall.net/three-interface.htm
You can install shorewall from the EPEL repo.
Regards
mg.