[CentOS] RE: Wireless Networking

Mon May 23 07:09:49 UTC 2005
Vaneet Sharma <vaneet at iwg.info>

Dear All,

I have one CentOS box (CentOS 4.0) which is connected to an MSI wireless
router, which in turn is connected to my ISP modem.
I incorporated the wireless router so that I can use my laptop from any of
my rooms.

Now this CentOS 4.0 box is my home server machine.

The MSI wireless router has its DHCP server enabled. The wireless router has
given each of my machines an internal IP address, in the range
192.168.1.xx to 192.168.1.xx. The wireless router has an external IP
which can be reached at: http://84.255.28.48:8080. I configured the DMZ
settings in the wireless router, which basically map my CentOS box's
internal IP (192.168.1.XX) to the public IP (84.255.28.48).

Now the problem is the following:

How will my CentOS machine listen to this public IP? Do I have to set
up firewall settings? Ifconfig on CentOS gives me the internal IP.
I need to know what routing settings I need to do, and where.

1) I am not able to connect to my CentOS server box through SecureCRT.
2) I am not able to connect to my CentOS box using FTP.

Kind regards
Vaneet


-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
Behalf Of Maciej Zenczykowski
Sent: Friday, May 20, 2005 5:39 PM
To: CentOS mailing list
Subject: Re: [CentOS] Iptables - PREROUTING


okay, first of all you shouldn't do it in a script,
instead you should be modifying /etc/sysconfig/iptables
and using /etc/init.d/iptables start/stop

and add ip_nat_ftp to the proper spot (modules to load) in 
/etc/sysconfig/iptables-config

next you need to rewrite the following for iptables-save/restore format

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

[spot for nat rules]

COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

[spot for filter rules]

COMMIT


[in the filter rules:]
-A INPUT -i lo -j ACCEPT

# the following is _not_ nice
-A INPUT -i eth0 -p ICMP --icmp-type echo-request -j DROP

-A INPUT -i eth0 -s rango_ip/29 -d 0/0 -p all -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/24 -d 172.16.0.211/32 -p all -j ACCEPT


[above in the nat spot]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.0.3:443


[again in the filter spot]
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 443 -j ACCEPT

-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 53 -j ACCEPT
-A FORWARD -i eth1 -p udp -s 172.16.0.0/24 --dport 53 -j ACCEPT

You _DO_ _NOT_ want to ACCEPT everything from port 53 - I can break
through this firewall in 5 seconds.
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT

same here, plus Squid doesn't use UDP
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT

the default should be to drop

-A INPUT -j LOG --log-level info
-A OUTPUT -j LOG --log-level info
-A FORWARD -j LOG --log-level info

[in nat again]
-A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.10/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.9/32 -o eth0 -j MASQUERADE


this should be in /etc/sysctl.conf
> echo 1 > /proc/sys/net/ipv4/ip_forward

do the above changes and repost with what you have and we'll go from 
there...

Cheers,
MaZe
_______________________________________________
CentOS mailing list
CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
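The points MaZe makes about the iptables-save/restore layout, the DROP default and the over-broad port 53 / 3128 ACCEPT rules can be checked mechanically. The following Python script is an added example, not code from the thread or from the CentOS project: it assembles the nat and filter fragments from the reply into one constructed /etc/sysconfig/iptables-style file (keeping the reply's own `rango_ip/29` placeholder), parses it, and reports filter chains whose policy is not DROP and ACCEPT rules that take traffic from any source on any interface. The "hardened" variant is an assumption of mine, restricting those three rules to eth1 and 172.16.0.0/24 in the same way the reply's FORWARD rules do; `parse_ruleset`, `parse_rule` and `audit` are names I chose.

```python
"""Audit an iptables-save/restore style ruleset for two of the weaknesses the
reply points out: filter chains whose policy is not DROP, and ACCEPT rules
that admit traffic from any source on any interface."""

# Constructed sample: the nat and filter fragments from the reply assembled
# into one file in /etc/sysconfig/iptables format. "rango_ip/29" is the
# reply's own placeholder and is left as-is; the INPUT rules for ports 53
# and 3128 are the ones the reply objects to.
SAMPLE_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.0.3:443
-A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.10/32 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p ICMP --icmp-type echo-request -j DROP
-A INPUT -i eth0 -s rango_ip/29 -d 0/0 -p all -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/24 -d 172.16.0.211/32 -p all -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 443 -j ACCEPT
-A FORWARD -i eth1 -p udp -s 172.16.0.0/24 --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -j LOG --log-level info
-A FORWARD -j LOG --log-level info
COMMIT
"""

# Hardened variant (my assumption, not from the reply): the same three
# services, reachable only from the LAN side, taking eth1 / 172.16.0.0/24
# as the LAN exactly as the reply's FORWARD rules do.
HARDENED_RULESET = SAMPLE_RULESET.replace(
    "-A INPUT -p", "-A INPUT -i eth1 -s 172.16.0.0/24 -p")

# Options that take exactly one argument; anything else is skipped.
VALUED_OPTS = {"-i", "-o", "-s", "-d", "-p", "-m", "-j", "--dport", "--sport",
               "--to", "--log-level", "--icmp-type"}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into {chain, raw, opts}."""
    tok = line.split()
    opts = {}
    i = 2
    while i < len(tok):
        if tok[i] in VALUED_OPTS and i + 1 < len(tok):
            opts[tok[i]] = tok[i + 1]
            i += 2
        else:
            i += 1
    return {"chain": tok[1], "raw": line, "opts": opts}


def parse_ruleset(text):
    """Parse the *table / :CHAIN POLICY / -A lines of iptables-save output."""
    parsed = {"policies": {}, "rules": []}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            parsed["policies"][(table, chain)] = policy
        elif line.startswith("-A "):
            rule = parse_rule(line)
            rule["table"] = table
            parsed["rules"].append(rule)
    return parsed


def audit(parsed):
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for (table, chain), policy in parsed["policies"].items():
        if table == "filter" and chain in ("INPUT", "FORWARD") and policy != "DROP":
            findings.append(f"{chain} policy is {policy}; the default should be DROP")
    for r in parsed["rules"]:
        if r["table"] != "filter" or r["opts"].get("-j") != "ACCEPT":
            continue
        if r["chain"] == "INPUT" and r["opts"].get("-i") == "lo":
            continue  # loopback traffic is fine
        if "-s" not in r["opts"] and "-i" not in r["opts"]:
            findings.append(
                f"{r['chain']} accepts from any source on any interface: {r['raw']}")
    return findings


if __name__ == "__main__":
    for name, text in (("as posted", SAMPLE_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"== {name} ==")
        for finding in audit(parse_ruleset(text)) or ["no findings"]:
            print(" ", finding)
```

Run against a real box with `iptables-save | python3 audit.py`-style plumbing by reading stdin instead of `SAMPLE_RULESET`; the check is deliberately simple (it looks only at `-i` and `-s`, not at conntrack state or negated matches), so treat its output as a prompt to read the rule, not as a verdict.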


Vaneet Sharma
executive manager
iDeasTank Limited
an iwg business
dolphins' court po 388
valletta, m-malta/europe
mobile: +356 9943 8263
skype: CALLVANEET
fax: +356 9952 8888
phone: +356 9942 8888

vaneet at iwg.info