Hi;

Thanks... I solved this problem also... thank you Alain...

Here is my iptables -L result...

**********************************************************************************************************************
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             192.168.10.13       tcp dpt:ssh
DROP       tcp  --  anywhere             192.168.10.13       tcp dpt:ncube-lm

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
**********************************************************************************************************************

how can I change FORWARD policy to accepting only http, https?

Thanks for all...

sincerely yours...

2008/1/29, Alain Spineux <aspineux at gmail.com>:
>
> On Jan 28, 2008 8:45 AM, Tolun ARDAHANLI <tolun.ardahanli at linux.org.tr> wrote:
> > Hi guys;
> >
> > OK let me explain like this...
> >
> > We had a problem with our General network administration and our General
> > network can't be managed so well (because our IT manager is not so good
> > about administration on our network). That is why I think that our
> > department's users must be separated from General LAN (because our General
> > LAN affected our working performance). After that we separated our users
> > to another subnet (192.168.1.xxx).
> >
> > Right now all of my department's members joined to our server (Centos5.1)
> > and all of them join to internet over our server... We solved the problem
> > together if you read all mails in this subject...
> >
> > I think the only problem is that "our members must not reach server's
> > internet side ip (192.168.10.13)" am I right for that?
>
> 192.168.10.13 and 192.168.1.100 refer to the same centos server! Right?
> Then this is the default behavior for a linux to answer requests on
> one interface, even if the request is for one address on another interface.
> >
> > and other question is about "how can I stop the ssh service for the
> > internet side ip (192.168.10.13)"?
>
> 2 possibilities
>
> using iptables to reject/drop any packet coming from eth1 (or eth0)
>
> iptables -t filter -A INPUT -p tcp -i eth1 --dport 22 -j DROP
>
> Or force sshd to bind only to the internal address, this is
> ListenAddress in sshd config: man sshd_config for more
>
> Regards.
>
> >
> > I am not a network engineer... I am just a software engineer... I am
> > trying to do our project on Linux systems... I can't focus so deeply on
> > network administration... Only I can do your advice... not else... Cause
> > I can't spend time for that (I want but I can't)..:(
> >
> > I hope that I explained it well...;)...
> >
> > thanks to all...
> >
> > sincerely yours...
> >
> > 2008/1/25, Alain Spineux <aspineux at gmail.com>:
> > >
> > > On Jan 25, 2008 9:37 AM, Tolun ARDAHANLI <tolun.ardahanli at linux.org.tr> wrote:
> > > > Thank you for all really I solved the forward/ip sharing problem...
> > > >
> > > > But I see there is other problem with that like this;
> > > >
> > > > This is my network structure now;
> > > > LAN (there are 3 machines):
> > > > start ip: 192.168.1.10
> > > > end ip: 192.168.1.12
> > > > gateway address of users: 192.168.1.100 (my server's LAN side ip address)
> > > > LAN side Server ip: 192.168.1.100
> > > >
> > > > WAN (this ip comes from behind of switch. the switch is behind of
> > > > firewall and firewall is behind of router):
> > > > WAN side Server ip: 192.168.10.13
> > > > gateway address of Server: 192.168.10.1
> > > >
> > > > And here is the problem I think;
> > > > The users from inside (LAN) can reach server's WAN side
> > > > ip (192.168.10.13) and they can ping it and they can take services
> > > > which are for LAN services (like ssh...etc).
> > > >
> > > > I agree that pinging from LAN to gateway address (192.168.10.1).
> > > > But I can't agree that pinging to server's WAN address (192.168.10.13).
> > > > Do I think wrong at this point? and last question is about how can I
> > > > close/stop services for WAN side?
> > >
> > > I don't understand!
> > > WHO is (OR CANNOT) pinging 192.168.10.13 or can (OR CANNOT) access the
> > > service ? LAN or WAN ?
> > >
> > > > thanks to all of you...
> > > >
> > > > sincerely yours...
> > > >
> > > > 2008/1/24, Alain Spineux <aspineux at gmail.com>:
> > > > >
> > > > > On Jan 24, 2008 5:42 AM, Alain Spineux <aspineux at gmail.com> wrote:
> > > > > > On Jan 23, 2008 9:43 AM, Tolun ARDAHANLI <tolun.ardahanli at linux.org.tr> wrote:
> > > > > > > Hi again to everyone;
> > > > > > >
> > > > > > > Guys your mails are very nice... I liked all of them...
> > > > > > >
> > > > > > > let me give you about my system and my need (sorry for writing
> > > > > > > these late)...
> > > > > > >
> > > > > > > I've got an IBM x3650 server which is open 7d/24h. It has got 2
> > > > > > > ethernet cards. I would like to connect my LAN to WAN over this
> > > > > > > machine...
> > > > > > >
> > > > > > > LAN (there are 3 machines):
> > > > > > > start ip: 192.168.10.10
> > > > > > > end ip: 192.168.10.12
> > > > > > > gateway address of users: 192.168.10.13 (my server's LAN side ip address)
> > > > > > > LAN side Server ip: 192.168.10.13
> > > > > > >
> > > > > > > WAN (this ip comes from behind of switch. the switch is behind of
> > > > > > > firewall and firewall is behind of router):
> > > > > > > WAN side Server ip: 10.10.1.223
> > > > > > > gateway address of Server: 10.10.1.111
> > > > > > >
> > > > > > > this is my network chances...:( I can't change them cause our
> > > > > > > company has strong rules for these addresses... I want to share my
> > > > > > > WAN side ip address to my LAN side...
> > > > > > >
> > > > > > > How can I do that on my CENTos installed server?
> > > > > > >
> > > > > > > thanks a lot to everybody...
> > > > > >
> > > > > > The short way, supposing your wan is secure and your wan interface
> > > > > > is eth1:
> > > > > >
> > > > > > Disable any firewall rules on your centos,
> > > > > >
> > > > > > service iptables stop
> > > > > > chkconfig iptables off
> > > > > >
> > > > > > try these commands, and if this is working put them in your
> > > > > > /etc/init.d/rc.local
> > > > > >
> > > > > > # enable forwarding of packet between all interfaces
> > > > > > echo 1 > /proc/sys/net/ipv4/ip_forward
> > > > > > # config masquerading, any packet leaving eth1 will be masqueraded,
> > > > > > # taking eth1 address for source address.
> > > > > > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> > > > >
> > > > > Another interesting way, is to setup only routing on your centos, and
> > > > > add (ask your network manager) the route of your internal network
> > > > > (I guess 192.168.10.8/29 through 192.168.10.13) on your firewall and
> > > > > maybe a similar one on your router if the firewall is not doing NAT.
> > > > > Then your firewall administrator can control the access to any of your
> > > > > internal machines or make some of them reachable from outside if for
> > > > > example you want to have a web server or an email server (this is not
> > > > > a good idea, but you get the idea).
> > > > > All of this without changing anything more on your centos router.
> > > > >
> > > > > To route packet only, without doing NAT (aka MASQUERADING or HIDE-NAT)
> > > > > just use
> > > > > echo 1 > /proc/sys/net/ipv4/ip_forward
> > > > >
> > > > > Regards
> > > > >
> > > > > > Regards.
> > > > > >
> > > > > > > 2008/1/22, Dennis McLeod <dmcleod at foranyauto.com>:
> > > > > > > >
> > > > > > > > I have an IPcop box setup at work.
> > > > > > > > Using squidguard to keep customers from surfing porn while they
> > > > > > > > are in our waiting room. (On a completely separate DSL
> > > > > > > > connection..)
> > > > > > > >
> > > > > > > > I have an Astaro Security Gateway setup at home (on a Dell p3
> > > > > > > > precision 220). Free home license, do FAR more than your typical
> > > > > > > > broadband router. Not a small learning curve, though. Wireless
> > > > > > > > is through a D-link DWL-7100 (I think) access point in the
> > > > > > > > attic.
> > > > > > > > I have a Linksys wrt54g (original version) with openWRT, but
> > > > > > > > it's just there for backup.....
> > > > > > > >
> > > > > > > > Any of the above will accomplish your goal...
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: centos-bounces at centos.org [mailto:centos-bounces at centos.org]
> > > > > > > > On Behalf Of Alain Spineux
> > > > > > > > Sent: Tuesday, January 22, 2008 6:52 AM
> > > > > > > > To: CentOS mailing list
> > > > > > > > Subject: Re: [CentOS] How can i share my WAN ip to my LAN?
> > > > > > > >
> > > > > > > > On Jan 22, 2008 3:17 PM, William L. Maltby <CentOS4Bill at triad.rr.com> wrote:
> > > > > > > > > On Tue, 2008-01-22 at 14:49 +0100, Alain Spineux wrote:
> > > > > > > > > > On Jan 22, 2008 8:46 AM, Tolun ARDAHANLI <tolun.ardahanli at linux.org.tr> wrote:
> > > > > > > > > > > Hi everybody...
> > > > > > > > > > >
> > > > > > > > > > > How can I share my WAN ip to my LAN? How can I do that I
> > > > > > > > > > > really don't know...:( I am using linux long time ago but
> > > > > > > > > > > this kind I would like to do newly...
> > > > > > > > > >
> > > > > > > > > > Buy a small router/modem, ask your ISP for suggestions.
> > > > > > > > > > This is cheap (<100$), no need to keep your computer always
> > > > > > > > > > turned on, very easy to configure if you need more features
> > > > > > > > > > (port forwarding for skype, games, p2p, ....), have some
> > > > > > > > > > built-in feature (dhcp, DNS proxy). Also think about
> > > > > > > > > > wireless ......
> > > > > > > > > > This is probably more secure, not because centos/linux is
> > > > > > > > > > not, but because you don't know what you are doing.
> > > > > > > > > >
> > > > > > > > > > Of course this is less fun
> > > > > > > > >
> > > > > > > > > Well, I wasn't going to suggest, but since the topic of
> > > > > > > > > alternatives is open...
> > > > > > > >
> > > > > > > > :-)
> > > > > > > >
> > > > > > > > Of course the main idea is to avoid to have a non firewall
> > > > > > > > dedicated linux (like centos is) configured by someone without
> > > > > > > > too much network knowledge be in front of Internet.
> > > > > > > >
> > > > > > > > > If you have an older available computer laying around, check
> > > > > > > > > out IPCop
> > > > > > > > >
> > > > > > > > > http://www.ipcop.org/
> > > > > > > > >
> > > > > > > > > free, has lots of features, runs reliably, I've been on it
> > > > > > > > > for years, as have others on this list. Biggest gripe I have
> > > > > > > > > is docs could be a little better - they tend to not get
> > > > > > > > > updated to stay up with the software.
> > > > > > > > >
> > > > > > > > > > Regards.
> > > > > > > > > >
> > > > > > > > > > > Can anybody help me about IP sharing in Centos?
> > > > > > > > > > >
> > > > > > > > > > > thanks alot...
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Tolun ARDAHANLI
> > > > > > > > > > > Bilgisayar Muhendisi
> > > > > > > > > > > E-posta: tolun.ardahanli at linux.org.tr
> > > > > > > > > > > Icq:326600
> > > > > > > > > > >
> > > > > > > > > > > ----------------------------------------------------------------------------
> > > > > > > > > > >
> > > > > > > > > > > Tolun ARDAHANLI
> > > > > > > > > > > Computer Engineer
> > > > > > > > > > > E-mail: tolun.ardahanli at linux.org.tr
> > > > > > > > > > > Icq:326600
> > > > > > > > > >
> > > > > > > > > > <snip sig stuff>
> > > > > > > > >
> > > > > > > > > HTH
> > > > > > > > > --
> > > > > > > > > Bill
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > CentOS mailing list
> > > > > > > > > CentOS at centos.org
> > > > > > > > > http://lists.centos.org/mailman/listinfo/centos
> > > > > > > >
> > > > > > > > --
> > > > > > > > Alain Spineux
> > > > > > > > aspineux gmail com
> > > > > > > > May the sources be with you
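Alain's recipe (ip_forward plus MASQUERADE on the WAN interface, DROP for inbound ssh on that interface) and Tolun's follow-up question about limiting the FORWARD chain to http/https, put together as one added script that is not from the thread: it prints the commands as a dry run by default, and assumes eth1 is the WAN side, eth0 the LAN side and 192.168.1.0/24 the LAN subnet (all adjustable through environment variables).

```shell
#!/bin/sh
# Added example (not from the thread). Builds the CentOS NAT gateway the way
# Alain describes, then replaces the wide-open FORWARD chain with a
# default-DROP policy that lets only LAN -> WAN HTTP/HTTPS through.
# Assumptions: eth1 = WAN side, eth0 = LAN side, 192.168.1.0/24 = LAN subnet.
# DRY_RUN=1 (the default) prints each command instead of executing it.

WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

gateway_rules() {
    # 1. Route between the two interfaces (same as echo 1 > .../ip_forward).
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Hide the LAN behind the WAN address.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # 3. sshd must not be reachable from the WAN side of this box.
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j DROP
    # 4. Default-deny forwarding; the "ACCEPT all anywhere anywhere" rule in
    #    the thread's iptables -L output would otherwise forward anything.
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # Replies to LAN-initiated connections must still be forwarded back,
    # or every allowed session hangs after its first packet leaves.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only these two services may be opened from the LAN to the outside.
    for port in 80 443; do
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$port" -j ACCEPT
    done
}

# Number of ACCEPT rules the script adds to FORWARD (used as a self-check).
count_forward_accepts() {
    gateway_rules | grep -c -- '-A FORWARD .* -j ACCEPT'
}

case "${1:-}" in
    show)  gateway_rules ;;                 # print the commands
    apply) DRY_RUN=0; gateway_rules ;;      # execute them (run as root)
esac
```

With FORWARD defaulting to DROP the LAN hosts also lose name resolution, so either forward udp/tcp 53 the same way as 80/443 or run a resolver on the gateway; otherwise browsing fails even though the web ports are open.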