Hi,
I'm using system-config-firewall (C6 x86_64, fully up to date) to configure a gateway/firewall box. 2 NICs: eth0 (configured as bridge0, MTU 7200) connected to the LAN, eth1 connected directly to the internet (public IP, MTU 1500). The ssh port is open and accessible. NAT is working fine. I've put bridge0 as a trusted interface; eth1 is masqueraded. I've put ports 20, 21 and 80 as forwarded ports on eth1 to LAN machines. The thing is, nmap (and the classical ways to access these protocols) says they're closed. I've tried to make 20, 21 and 80 both open and forwarded, to no avail.
Could someone give me a hand?
Thanks, Laurent.
Can you fpaste your firewall rules? I would omit the actual public IPs for security's sake.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Tue, 13 Dec 2011 09:44:11 -0500 cliff here c4ifford@gmail.com wrote:
Can you fpaste your firewall rules? I would omit the actual public IPs for security's sake.
http://fpaste.org/wE0L/ If you need anything else, ask :) Thanks, Laurent.
Actually, if you could cat /etc/sysconfig/iptables, I find it easier to read. Also try this to troubleshoot:
watch -n 1 'iptables -t nat -L -n -v'
It will show you when a packet hits a rule. I find it very helpful when troubleshooting.
But if I'm not mistaken about your intent, the forwarding rules that you have in PREROUTING should be in the INPUT chain. You're trying to come in from an outside net to your FW and be forwarded to what you have NAT'd behind it, right?
sorry that's watch -n 1 'iptables -t nat -L -n -v'
--
NOTICE: This message, including all attachments, is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering this message to its intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying "Received in error" and immediately delete this message and all its attachments.
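The watch command above shows the nat-table counters ticking live, but with several rules and background traffic it is easy to miss which one a single probe hit. The following script, an added example that is not part of the thread, diffs two snapshots of "iptables -t nat -L -n -v -x" taken before and after one test from outside and prints only the rules whose packet counter grew. The two snapshots embedded below are constructed sample output, and the addresses in them are made up; they are not from the fpaste in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report which nat-table rules saw packets
# between two snapshots of 'iptables -t nat -L -n -v -x'. Use -x so that
# counters are exact numbers rather than 12K/3M style abbreviations, which awk
# would silently truncate.

# nat_hits BEFORE_FILE AFTER_FILE
# Prints one line per rule whose pkts counter increased: "chain<TAB>+delta<TAB>rule".
nat_hits() {
    awk '
        /^Chain /   { chain = $2; idx = 0; next }       # start of a new chain
        /^ *pkts /  { next }                            # column header line
        NF == 0     { next }                            # blank separator line
        {
            idx++                                       # rule position inside the chain
            key = chain ":" idx
            if (NR == FNR) { before[key] = $1; next }   # first file: remember pkts
            delta = $1 - before[key]                    # second file: compare
            if (delta > 0) {
                $1 = ""; $2 = ""                        # drop pkts/bytes, keep rule text
                sub(/^ +/, "")
                printf "%s\t+%d\t%s\n", chain, delta, $0
            }
        }' "$1" "$2"
}

# Constructed sample snapshots standing in for real output taken before and
# after three connection attempts to port 80 from the outside. The nat table
# is consulted only for the first packet of a connection, so its counters
# grow per connection, not per packet. The MASQUERADE growth is unrelated
# outbound LAN traffic, which is exactly the noise the delta view removes.
SAMPLE_BEFORE=$(mktemp)
SAMPLE_AFTER=$(mktemp)
trap 'rm -f "$SAMPLE_BEFORE" "$SAMPLE_AFTER"' EXIT

cat > "$SAMPLE_BEFORE" <<'EOF'
Chain PREROUTING (policy ACCEPT 40 packets, 2400 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0         0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.10:80
       0         0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 to:192.168.1.10:21

Chain POSTROUTING (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     118      7080 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF

cat > "$SAMPLE_AFTER" <<'EOF'
Chain PREROUTING (policy ACCEPT 46 packets, 2760 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3       180 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.10:80
       0         0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 to:192.168.1.10:21

Chain POSTROUTING (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     125      7500 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF

# Stand-alone run: prints the PREROUTING DNAT rule (+3) and POSTROUTING MASQUERADE (+7).
nat_hits "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

On the gateway itself the flow is: "iptables -t nat -L -n -v -x > before", run nmap or a telnet to the forwarded port from outside, "iptables -t nat -L -n -v -x > after", then "nat_hits before after". If the DNAT rule's counter does not move, the packet never reached the nat table on eth1 (wrong interface, upstream filtering, or the probe is not arriving at this box at all). If it does move, run the same diff against "-t filter": a packet DNAT'd to a LAN host is routed onward after PREROUTING, so it traverses the FORWARD chain, not INPUT, and the FORWARD rule for that host must show the hit too.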
On Tue, 13 Dec 2011 10:07:41 -0500 cliff here c4ifford@gmail.com wrote:
sorry that's watch -n 1 'iptables -t nat -L -n -v'
<snip>
But if I'm not mistaken about your intent, the forwarding rules that you have in PREROUTING should be in the INPUT chain. You're trying to come in from an outside net to your FW and be forwarded to what you have NAT'd behind it, right?
absolutely. I've updated fpaste with /etc/sysconfig/iptables Thanks.
My best guess would be to move your forwarding rules to the INPUT chain instead of PREROUTING.
On Tue, 13 Dec 2011 10:23:45 -0500 cliff here c4ifford@gmail.com wrote:
My best guess would be to move your forwarding rules to the INPUT chain instead of PREROUTING.
Will try that once I figure out iptables syntax. Is it me, or did I hit a system-config-firewall bug in rule generation? Laurent.
Laurent Wandrebeck wrote:
On Tue, 13 Dec 2011 10:23:45 -0500 cliff here c4ifford@gmail.com wrote:
My best guess would be to move your forwarding rules to the INPUT chain instead of PREROUTING.
Will try that once I figure out iptables syntax. Is it me, or did I hit a system-config-firewall bug in rule generation?
These days, I either edit /etc/sysconfig/iptables or iptables-save > iptables. Take one, clone it, edit the line. -s source, -d destination, -p protocol covers most of it, along with -j ACCEPT or -j DROP.
mark
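For the "clone a line and edit it" approach above, here is a complete /etc/sysconfig/iptables for the topology described at the top of the thread (bridge0 trusted on the LAN side, eth1 public and masqueraded, TCP 20, 21 and 80 forwarded to LAN hosts). This is an added example, not the rules from the fpaste and not what system-config-firewall emits verbatim; the LAN network 192.168.1.0/24 and the hosts 192.168.1.10 and 192.168.1.20 are assumed addresses chosen for illustration. The split it shows is the one a port forward needs: the DNAT in the nat table's PREROUTING chain rewrites the destination before routing, and because the packet is then routed to another host it is admitted in the filter table's FORWARD chain. INPUT only ever sees traffic addressed to the firewall itself (ssh on 22 here), so a forwarded port cannot be opened there.

```conf
# /etc/sysconfig/iptables (added example; 192.168.1.x addresses are assumed, not from the thread)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port forwards: rewrite the destination while the packet is still in PREROUTING,
# i.e. before the routing decision sends it towards the LAN.
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.20:21
-A PREROUTING -i eth1 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.1.20:20
# Masquerade everything leaving the public interface.
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic addressed to the firewall itself.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i bridge0 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Traffic routed through the firewall. A DNAT'd packet arrives here with its
# destination already rewritten to the LAN host, so match on that address.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i bridge0 -j ACCEPT
-A FORWARD -i eth1 -d 192.168.1.10 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -d 192.168.1.20 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A FORWARD -i eth1 -d 192.168.1.20 -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

Load it with "service iptables restart" (which runs iptables-restore on that file), and check that net.ipv4.ip_forward is 1 in /etc/sysctl.conf, since nothing is forwarded otherwise. Two caveats a practitioner will hit with this particular set of ports: passive FTP opens a second, dynamically numbered data connection, so forwarding 20 and 21 alone is not enough; on C6 set IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp" in /etc/sysconfig/iptables-config so the data connection is tracked as RELATED and NATed along with the control channel. And the forward only works if the LAN host's reply comes back through this box: if that host's default gateway is still another firewall, the reply leaves through the other machine's public address and the outside client never gets a usable answer, which looks from outside exactly like a port that is not forwarded at all.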
Here's a really good overview of how the iptables process works
http://fedoraunity.org/Members/kanarip/iptables-howto
Also to note: if you edit your /etc/sysconfig/iptables file manually, there is a line in /etc/init.d/iptables at line number 300 that will save on "service iptables restart"; meaning if you run that command, the running rules will be saved over the file and basically revert any changes you just made to it.
On Tue, 13 Dec 2011, cliff here wrote:
Also to note: if you edit your /etc/sysconfig/iptables file manually, there is a line in /etc/init.d/iptables at line number 300 that will save on "service iptables restart"; meaning if you run that command, the running rules will be saved over the file and basically revert any changes you just made to it.
Well, it's line 300 on CentOS 5, not on CentOS 6.
If you mean that having "IPTABLES_SAVE_ON_STOP=yes" set means it saves on restart, well yes. But that's not the default, so you've changed your setup to do that as far as I'm aware.
jh
@John, yeah, good catch, thanks =)
Hi,
Just as a heads-up: the iptables rules created by system-config-firewall are fine. I was just hitting a default route problem, due to the fact that another firewall is already in production with another IP address. The one I'm configuring is meant to replace the one already running. Now I'm just fighting with rules for VoIP (SIP/H.323) phones.
Thanks for your help, Laurent.