Dear All,

I have one CentOS box (CentOS 4.0) which is connected to an MSI wireless router, which in turn is connected to my ISP modem. I incorporated the wireless router so that I can use my laptop from any of my rooms. Now this CentOS 4.0 box is my home server machine.

The MSI wireless router has its DHCP server enabled. The wireless router has provided each of my machines with an internal IP address, basically 192.168.1.xx to 192.168.1.xx. The wireless router has an external IP which can be reached at: http://84.255.28.48:8080.

I configured DMZ settings in the wireless router, which basically maps my CentOS box's internal IP (192.168.1.XX) to the public IP (84.255.28.48).

Now the problem is the following: how will my CentOS machine listen on this public IP? Do I have to set up firewall settings? ifconfig on CentOS gives me the internal IP. I need to know what routing settings I need to do, and where?

1) I am not able to connect to my CentOS server box through SecureCRT.
2) I am not able to connect to my CentOS box using FTP.
Kind regards
Vaneet

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Maciej Zenczykowski
Sent: Friday, May 20, 2005 5:39 PM
To: CentOS mailing list
Subject: Re: [CentOS] Iptables - PREROUTING

Okay, first of all you shouldn't do it in a script; instead you should be modifying /etc/sysconfig/iptables and using /etc/init.d/iptables start/stop, and add ip_nat_ftp to the proper spot (modules to load) in /etc/sysconfig/iptables-config.

Next you need to rewrite the following for iptables-save/restore format:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[spot for nat rules]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[spot for filter rules]
COMMIT

[in the filter rules:]
-A INPUT -i lo -j ACCEPT
# the following is _not_ nice
-A INPUT -i eth0 -p ICMP --icmp-type echo-request -j DROP
-A INPUT -i eth0 -s rango_ip/29 -d 0/0 -p all -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/24 -d 172.16.0.211/32 -p all -j ACCEPT

[above in the nat spot]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.0.3:443

[again in the filter spot]
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 443 -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 53 -j ACCEPT
-A FORWARD -i eth1 -p udp -s 172.16.0.0/24 --dport 53 -j ACCEPT

You _DO_ _NOT_ WANT TO ACCEPT everything from port 53 - I can break through this firewall in 5 seconds.
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT

Same here, plus squid doesn't use udp.

-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT

The default should be to drop.

-A INPUT -j LOG --log-level info
-A OUTPUT -j LOG --log-level info
-A FORWARD -j LOG --log-level info

[in nat again]
-A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.10/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.9/32 -o eth0 -j MASQUERADE

This should be in /etc/sysctl.conf:
> echo 1 > /proc/sys/net/ipv4/ip_forward

Do the above changes and repost with what you have and we'll go from there...

Cheers,
MaZe
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos

Vaneet Sharma
executive manager
iDeasTank Limited
an iwg business
dolphins' court
po 388
valletta, m-malta/europe
mobile: +356 9943 8263
skype: CALLVANEET
fax: +356 9952 8888
phone: +356 9942 8888
vaneet at iwg.info
call me on www.skype.com - my ID is CALLVANEET
Want a signature like this? - www.plaxo.com\signature

iwg is a global e-mobile company creating, building and growing new businesses. iwg founders are pioneers in creating multi-billion dollar mobile and Internet businesses in Europe, Asia and the US.
www.iWG.info
www.countryprofiler.com/iWG
www.visitmalta.com
www.mfc.com.mt

Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email.
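A small checker for the iptables-save/restore format Maciej asks for, added here as an example and not code from either poster. It flags the three points raised in his reply: filter INPUT/FORWARD not defaulting to DROP, INPUT ACCEPT rules with neither an interface nor a source restriction, and a PREROUTING DNAT whose rewritten packet no FORWARD ACCEPT rule would admit. The sample ruleset is constructed from rules quoted in the thread, with eth0 assumed to face the ISP and eth1 the LAN.

```python
import shlex

def parse(text):
    tables, table = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if line.startswith("*"):                      # *nat / *filter opens a table
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):                    # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-"):                    # -A CHAIN <matches> -j TARGET
            table["rules"].append(shlex.split(line))
    return tables                                     # {table: {"policy": {...}, "rules": [argv, ...]}}

def opt(argv, *flags):
    for f in flags:                                   # value after the first flag present, else None
        if f in argv:
            return argv[argv.index(f) + 1]
    return None

def lint(text):
    """Findings for one iptables-save ruleset; an empty list means all three checks pass."""
    t, out = parse(text), []
    filt, nat = t.get("filter", {"policy": {}, "rules": []}), t.get("nat", {"rules": []})
    if any(filt["policy"].get(c) != "DROP" for c in ("INPUT", "FORWARD")):
        out.append("filter INPUT/FORWARD policy is not DROP")   # "the default should be to drop"
    for r in filt["rules"]:                           # ACCEPT with neither -i nor -s is open to everyone
        if opt(r, "-A") == "INPUT" and opt(r, "-j") == "ACCEPT" and not opt(r, "-i", "-s"):
            out.append("world-open INPUT rule: " + " ".join(r))
    fwd = [r for r in filt["rules"] if opt(r, "-A") == "FORWARD" and opt(r, "-j") == "ACCEPT"]
    for r in nat["rules"]:                            # a DNAT'd packet still has to pass FORWARD
        if opt(r, "-A") == "PREROUTING" and opt(r, "-j") == "DNAT":
            ip, _, port = (opt(r, "--to", "--to-destination") or "").partition(":")
            if not any(opt(f, "-i") in (None, opt(r, "-i")) and opt(f, "-s") is None
                       and (opt(f, "-d") or ip).split("/")[0] == ip
                       and opt(f, "--dport") in (None, port) for f in fwd):
                out.append(f"DNAT to {ip}:{port} has no matching FORWARD ACCEPT")
    return out

THREAD_RULES = """*nat
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 80 -j ACCEPT
COMMIT
"""  # constructed sample built from rules quoted in the thread; eth0 faces the ISP, eth1 the LAN
```

Running lint(THREAD_RULES) reports the squid port open to the world and that the FORWARD rules, being restricted to eth1 and LAN sources, never match the DNAT'd web traffic arriving on eth0.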