Hey everyone,

Thanks for the suggestions. It did turn out to be my rules. I had used one of fwbuilder's templates, and it was killing my outbound. I had actually taken one of my previous baremetal's fwbuilder files that was known to work on another firewall, and used that one as a basis, and it was good to go.

I had a few other oddities as well, that I suspect are unique to my machine for some reason... when running fwbuilder through a ssh session, the script did not install right. When I ran the same one from the FW itself, it installed properly, and all was ok.

So my basic issue is resolved, with a few that are non centos related.

Thanks again!

On 2/22/07, John R Pierce <pierce at hogranch.com> wrote:
> Dustin Krysak wrote:
> > Good day everyone. Today has been "one of those..." days. So I have a
> > feeling this is just a brain lapse here.
> >
> > At any rate, I am setting up a firewall/router using centos 4.4
> > (minimal install, yummed up to date).
> >
> > I have in fact enabled V4 ip forwarding (by editing /etc/sysctl.conf)
> > and rebooted the system. I use fwbuilder for my rules, and at this
> > point have a next to nothing set of rules. a DHCP server is also
> > residing on this router.
> > ...
> > Now the issue is, I can not get out of the internal network to the
> > internet for any traffic. Pings (by ip and name), web sites, etc.
> >
>
> sounds like you're trying to do a 'NAT' (network address translation)
> network, where your local network is on private IP space (192.168.x.y
> or 10.x.x.x or whatever), and you're sharing a single public IP. this
> requires several very specific and moderately complex rules to implement
> what Linux calls 'MASQUERADE', and you need to load the ip_conntrack
> module into the kernel, and probably a few more.
>
>
> at a BARE minimum, you need some variant on these two rules...
>
> iptables --table nat --append POSTROUTING --out-interface $WAN -j MASQUERADE
> iptables --append FORWARD --in-interface $LAN -j ACCEPT
>
>
> (where $WAN, $LAN are eth0, eth1, or whatever your internet and local
> interfaces are)
>
>
> if you google for: LINUX MASQUERADE, you'll find all sorts of confusing
> info on this :)
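
An added example, not from either poster: a presence check over iptables-save output for the two rules quoted above, plus the ESTABLISHED,RELATED return rule that a FORWARD policy other than ACCEPT also requires. The function names (audit_nat, sample_working, sample_broken) and the eth0/eth1 sample dumps are constructed for illustration; rule order and earlier DROP rules are not evaluated.

```shell
# Added example (not from the thread): presence check over iptables-save
# output for the rules a MASQUERADE router needs. Rule order is not evaluated.
# Usage on a live box: iptables-save | audit_nat WAN_IF LAN_IF
audit_nat() {
    awk -v wan="$1" -v lan="$2" '
    function has_opt(flag, val,    i) {   # true if "flag val" appears, not negated
        for (i = 1; i < NF; i++)
            if ($i == flag && $(i + 1) == val && $(i - 1) != "!") return 1
        return 0
    }
    function bad(msg) { print "MISSING: " msg; nbad++ }
    BEGIN { policy = "ACCEPT" }           # kernel default when filter is not dumped
    /^\*/ { table = substr($0, 2); next } # table header, e.g. "*nat"
    table == "filter" && $1 == ":FORWARD" { policy = $2 }
    table == "nat" && $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
        if (has_opt("-o", wan)) masq = 1
    }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
        if (has_opt("-i", lan)) out = 1   # LAN-originated traffic is forwarded
        if (/ESTABLISHED/) ret = 1        # replies are allowed back in
    }
    END {
        if (!masq) bad("nat POSTROUTING -o " wan " -j MASQUERADE")
        if (policy != "ACCEPT") {         # explicit accepts only matter then
            if (!out) bad("FORWARD -i " lan " -j ACCEPT (policy " policy ")")
            if (!ret) bad("FORWARD ESTABLISHED,RELATED -j ACCEPT (policy " policy ")")
        }
        if (!nbad) print "OK"
    }'
}

# Constructed sample dump (eth0 = WAN, eth1 = LAN), not taken from the thread.
sample_working() { cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
# Same dump with MASQUERADE on the wrong interface and no return rule.
sample_broken() { sample_working | sed -e 's/-o eth0/-o eth1/' -e '/ESTABLISHED/d'; }

sample_broken | audit_nat eth0 eth1
```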